Skip to content

Commit 99b3280

Browse files
isilenceaxboe
isilence
authored and
axboe
committed
io_uring: fix overflowed cancel w/ linked ->files
Current io_match_files() check in io_cqring_overflow_flush() is useless because requests drop ->files before going to the overflow list, however linked to it request do not, and we don't check them. Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
1 parent cb8a8ae commit 99b3280

1 file changed

Lines changed: 21 additions & 22 deletions

File tree

fs/io_uring.c

Lines changed: 21 additions & 22 deletions
Original file line numberDiff line numberDiff line change
@@ -1593,14 +1593,29 @@ static void io_cqring_mark_overflow(struct io_ring_ctx *ctx)
15931593
}
15941594
}
15951595

1596-
static inline bool io_match_files(struct io_kiocb *req,
1597-
struct files_struct *files)
1596+
static inline bool __io_match_files(struct io_kiocb *req,
1597+
struct files_struct *files)
15981598
{
1599+
return ((req->flags & REQ_F_WORK_INITIALIZED) &&
1600+
(req->work.flags & IO_WQ_WORK_FILES)) &&
1601+
req->work.identity->files == files;
1602+
}
1603+
1604+
static bool io_match_files(struct io_kiocb *req,
1605+
struct files_struct *files)
1606+
{
1607+
struct io_kiocb *link;
1608+
15991609
if (!files)
16001610
return true;
1601-
if ((req->flags & REQ_F_WORK_INITIALIZED) &&
1602-
(req->work.flags & IO_WQ_WORK_FILES))
1603-
return req->work.identity->files == files;
1611+
if (__io_match_files(req, files))
1612+
return true;
1613+
if (req->flags & REQ_F_LINK_HEAD) {
1614+
list_for_each_entry(link, &req->link_list, link_list) {
1615+
if (__io_match_files(link, files))
1616+
return true;
1617+
}
1618+
}
16041619
return false;
16051620
}
16061621

@@ -8406,22 +8421,6 @@ static bool io_match_link(struct io_kiocb *preq, struct io_kiocb *req)
84068421
return false;
84078422
}
84088423

8409-
static bool io_match_link_files(struct io_kiocb *req,
8410-
struct files_struct *files)
8411-
{
8412-
struct io_kiocb *link;
8413-
8414-
if (io_match_files(req, files))
8415-
return true;
8416-
if (req->flags & REQ_F_LINK_HEAD) {
8417-
list_for_each_entry(link, &req->link_list, link_list) {
8418-
if (io_match_files(link, files))
8419-
return true;
8420-
}
8421-
}
8422-
return false;
8423-
}
8424-
84258424
/*
84268425
* We're looking to cancel 'req' because it's holding on to our files, but
84278426
* 'req' could be a link to another request. See if it is, and cancel that
@@ -8504,7 +8503,7 @@ static void io_cancel_defer_files(struct io_ring_ctx *ctx,
85048503

85058504
spin_lock_irq(&ctx->completion_lock);
85068505
list_for_each_entry_reverse(de, &ctx->defer_list, list) {
8507-
if (io_match_link_files(de->req, files)) {
8506+
if (io_match_files(de->req, files)) {
85088507
list_cut_position(&list, &ctx->defer_list, &de->list);
85098508
break;
85108509
}

0 commit comments

Comments
 (0)