+11
−1
Loading
io_uring/tw: serialize ctx->retry_llist with ->uring_lock
The DEFER_TASKRUN local task work paths all run under ctx->uring_lock, which serializes them with each other and with the rest of the ring's hot paths. io_move_task_work_from_local() is the exception - it's called from io_ring_exit_work() on a kworker without holding the lock and from the iopoll cancelation side right after dropping it. ->work_llist is fine with this, as it's only ever updated via the expected paths. But the ->retry_llist is updated while runing, and hence it could potentially race between normal task_work running and the task-has-exited shutdown path. Simply grab ->uring_lock while moving the local work to the fallback list for exit purposes, which nicely serializes it across both the normal additions and the exit prune path. Cc: stable@vger.kernel.org Fixes: f46b9cdb ("io_uring: limit local tw done") Reported-by:Robert Femmer <robert.femmer@x41-dsec.de> Reported-by:
Christian Reitter <invd@inhq.net> Reported-by:
Michael Rodler <michael.rodler@x41-dsec.de> Signed-off-by:
Jens Axboe <axboe@kernel.dk>