Commit cd4ea81b authored Sep 12, 2025 by Max Kellermann Committed by Jens Axboe Sep 15, 2025

io_uring/io-wq: fix `max_workers` breakage and `nr_workers` underflow



Commit 88e6c42e40de ("io_uring/io-wq: add check free worker before
create new worker") reused the variable `do_create` for something
else, abusing it for the free worker check.

This caused the value to effectively always be `true` at the time
`nr_workers < max_workers` was checked, but it should really be
`false`.  This means the `max_workers` setting was ignored, and worse:
if the limit had already been reached, incrementing `nr_workers` was
skipped even though another worker would be created.

When later lots of workers exit, the `nr_workers` field could easily
underflow, making the problem worse because more and more workers
would be created without incrementing `nr_workers`.

The simple solution is to use a different variable for the free worker
check instead of using one variable for two different things.

Cc: stable@vger.kernel.org
Fixes: 88e6c42e40de ("io_uring/io-wq: add check free worker before create new worker")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>
Reviewed-by: Fengnan Chang <changfengnan@bytedance.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

parent 98b6fa62

io_uring/io-wq.c

+3 −3

Original line number	Diff line number	Diff line
		@@ -352,16 +352,16 @@ static void create_worker_cb(struct callback_head *cb)
		struct io_wq *wq;

		struct io_wq_acct *acct;
		bool do_create = false;
		bool activated_free_worker, do_create = false;

		worker = container_of(cb, struct io_worker, create_work);
		wq = worker->wq;
		acct = worker->acct;

		rcu_read_lock();
		do_create = !io_acct_activate_free_worker(acct);
		activated_free_worker = io_acct_activate_free_worker(acct);
		rcu_read_unlock();
		if (!do_create)
		if (activated_free_worker)
		goto no_need_create;

		raw_spin_lock(&acct->workers_lock);