Commit 3cc7fdb9 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Jens Axboe

io_uring: fix not released cached task refs

tctx_task_work() may get run after io_uring cancellation and so there
will be no one to put cached in tctx task refs that may have been added
back by tw handlers using inline completion infra, Call
io_uring_drop_tctx_refs() at the end of the main tw handler to release
them.

Cc: stable@vger.kernel.org # 5.15+
Reported-by: default avatarLukas Bulwahn <lukas.bulwahn@gmail.com>
Fixes: e98e49b2 ("io_uring: extend task put optimisations")
Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/69f226b35fbdb996ab799a8bbc1c06bf634ccec1.1641688805.git.asml.silence@gmail.comSigned-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent c0235652
...@@ -1827,6 +1827,18 @@ static inline void io_get_task_refs(int nr) ...@@ -1827,6 +1827,18 @@ static inline void io_get_task_refs(int nr)
io_task_refs_refill(tctx); io_task_refs_refill(tctx);
} }
static __cold void io_uring_drop_tctx_refs(struct task_struct *task)
{
struct io_uring_task *tctx = task->io_uring;
unsigned int refs = tctx->cached_refs;
if (refs) {
tctx->cached_refs = 0;
percpu_counter_sub(&tctx->inflight, refs);
put_task_struct_many(task, refs);
}
}
static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data, static bool io_cqring_event_overflow(struct io_ring_ctx *ctx, u64 user_data,
s32 res, u32 cflags) s32 res, u32 cflags)
{ {
...@@ -2319,6 +2331,10 @@ static void tctx_task_work(struct callback_head *cb) ...@@ -2319,6 +2331,10 @@ static void tctx_task_work(struct callback_head *cb)
} }
ctx_flush_and_put(ctx, &uring_locked); ctx_flush_and_put(ctx, &uring_locked);
/* relaxed read is enough as only the task itself sets ->in_idle */
if (unlikely(atomic_read(&tctx->in_idle)))
io_uring_drop_tctx_refs(current);
} }
static void io_req_task_work_add(struct io_kiocb *req, bool priority) static void io_req_task_work_add(struct io_kiocb *req, bool priority)
...@@ -9803,18 +9819,6 @@ static s64 tctx_inflight(struct io_uring_task *tctx, bool tracked) ...@@ -9803,18 +9819,6 @@ static s64 tctx_inflight(struct io_uring_task *tctx, bool tracked)
return percpu_counter_sum(&tctx->inflight); return percpu_counter_sum(&tctx->inflight);
} }
static __cold void io_uring_drop_tctx_refs(struct task_struct *task)
{
struct io_uring_task *tctx = task->io_uring;
unsigned int refs = tctx->cached_refs;
if (refs) {
tctx->cached_refs = 0;
percpu_counter_sub(&tctx->inflight, refs);
put_task_struct_many(task, refs);
}
}
/* /*
* Find any io_uring ctx that this task has registered or done IO on, and cancel * Find any io_uring ctx that this task has registered or done IO on, and cancel
* requests. @sqd should be not-null IIF it's an SQPOLL thread cancellation. * requests. @sqd should be not-null IIF it's an SQPOLL thread cancellation.
...@@ -9870,10 +9874,14 @@ static __cold void io_uring_cancel_generic(bool cancel_all, ...@@ -9870,10 +9874,14 @@ static __cold void io_uring_cancel_generic(bool cancel_all,
schedule(); schedule();
finish_wait(&tctx->wait, &wait); finish_wait(&tctx->wait, &wait);
} while (1); } while (1);
atomic_dec(&tctx->in_idle);
io_uring_clean_tctx(tctx); io_uring_clean_tctx(tctx);
if (cancel_all) { if (cancel_all) {
/*
* We shouldn't run task_works after cancel, so just leave
* ->in_idle set for normal exit.
*/
atomic_dec(&tctx->in_idle);
/* for exec all current's requests should be gone, kill tctx */ /* for exec all current's requests should be gone, kill tctx */
__io_uring_free(current); __io_uring_free(current);
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment