Commit ac3cb72a authored by Linus Torvalds's avatar Linus Torvalds

Merge tag 'io_uring-6.10-20240614' of git://git.kernel.dk/linux

Pull io_uring fixes from Jens Axboe:
 "Two fixes from Pavel headed to stable:

   - Ensure that the task state is correct before attempting to grab a
     mutex

   - Split cancel sequence flag into a separate variable, as it can get
     set by someone not owning the request (but holding the ctx lock)"

* tag 'io_uring-6.10-20240614' of git://git.kernel.dk/linux:
  io_uring: fix cancellation overwriting req->flags
  io_uring/rsrc: don't lock while !TASK_RUNNING
parents 0b320c86 f4a1254f
+2 −1
@@ -648,7 +648,7 @@ struct io_kiocb {
	struct io_rsrc_node		*rsrc_node;

	atomic_t			refs;
	atomic_t			poll_refs;
	bool				cancel_seq_set;
	struct io_task_work		io_task_work;
	/* for polled requests, i.e. IORING_OP_POLL_ADD and async armed poll */
	struct hlist_node		hash_node;
@@ -657,6 +657,7 @@ struct io_kiocb {
	/* opcode allocated if it needs to store data for async defer */
	void				*async_data;
	/* linked requests, IFF REQ_F_HARDLINK or REQ_F_LINK are set */
	atomic_t			poll_refs;
	struct io_kiocb			*link;
	/* custom credentials, valid IFF REQ_F_CREDS is set */
	const struct cred		*creds;
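Review bot: In the second hunk, `atomic_t poll_refs;` appears to have been placed between the comment `/* linked requests, IFF REQ_F_HARDLINK or REQ_F_LINK are set */` and the `link` field it describes, so the comment now reads as if it documented poll_refs. Move the field above that comment or give it its own one-line comment. The new `bool cancel_seq_set;` in the first hunk is also undocumented; going by the commit description, something like `/* set by cancel matching, possibly by a non-owner holding the ctx lock; deliberately not a REQ_F_* bit */` would record why it must stay out of req->flags. struct io_kiocb starts and ends outside both hunks.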
+2 −2
@@ -27,10 +27,10 @@ bool io_cancel_req_match(struct io_kiocb *req, struct io_cancel_data *cd);

static inline bool io_cancel_match_sequence(struct io_kiocb *req, int sequence)
{
	if ((req->flags & REQ_F_CANCEL_SEQ) && sequence == req->work.cancel_seq)
	if (req->cancel_seq_set && sequence == req->work.cancel_seq)
		return true;

	req->flags |= REQ_F_CANCEL_SEQ;
	req->cancel_seq_set = true;
	req->work.cancel_seq = sequence;
	return false;
}
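Review bot: io_cancel_match_sequence() is a match predicate that also writes to the request (`req->cancel_seq_set = true;` and `req->work.cancel_seq = sequence;`), and nothing in the function says what serialises those stores. The commit description states that the caller may not own the request but holds the ctx lock; a short comment above the function saying so would make the contract explicit. If that holds for every caller, `lockdep_assert_held(&req->ctx->uring_lock);` at the top would enforce it. Whether all call paths take that lock is not visible from this hunk, so confirm before adding the assertion.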
+1 −0
@@ -2058,6 +2058,7 @@ static int io_init_req(struct io_ring_ctx *ctx, struct io_kiocb *req,
	req->file = NULL;
	req->rsrc_node = NULL;
	req->task = current;
	req->cancel_seq_set = false;

	if (unlikely(opcode >= IORING_OP_LAST)) {
		req->opcode = 0;
+1 −0
@@ -249,6 +249,7 @@ __cold static int io_rsrc_ref_quiesce(struct io_rsrc_data *data,

		ret = io_run_task_work_sig(ctx);
		if (ret < 0) {
			__set_current_state(TASK_RUNNING);
			mutex_lock(&ctx->uring_lock);
			if (list_empty(&ctx->rsrc_ref_list))
				ret = 0;
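Review bot: The added `__set_current_state(TASK_RUNNING);` ahead of `mutex_lock(&ctx->uring_lock);` has no comment explaining why the task state must be reset on this error path. The code that leaves the task in a non-running state is outside the hunk (presumably a prepare-to-wait earlier in the loop), so a reader of this branch alone cannot tell that the line is load-bearing. A one-line comment such as `/* mutex_lock() may sleep; reset the wait state set earlier before taking it */` would keep it from being dropped in a later cleanup. io_rsrc_ref_quiesce() starts and ends outside the hunk.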