io_uring: fix put_kbuf without proper locking (8197b053) · Commits · EulixOS / Software / Kernel

fs/io_uring.c

+12 −1

Original line number	Diff line number	Diff line
		@@ -1338,6 +1338,8 @@ static unsigned int __io_put_kbuf(struct io_kiocb req, struct list_head list)

		static inline unsigned int io_put_kbuf_comp(struct io_kiocb *req)
		{
		lockdep_assert_held(&req->ctx->completion_lock);

		if (likely(!(req->flags & REQ_F_BUFFER_SELECTED)))
		return 0;
		return __io_put_kbuf(req, &req->ctx->io_buffers_comp);
		@@ -2123,6 +2125,12 @@ static void __io_req_complete_post(struct io_kiocb *req, s32 res,
		}
		}
		io_req_put_rsrc(req, ctx);
		/*
		* Selected buffer deallocation in io_clean_op() assumes that
		* we don't hold ->completion_lock. Clean them here to avoid
		* deadlocks.
		*/
		io_put_kbuf_comp(req);
		io_dismantle_req(req);
		io_put_task(req->task, 1);
		wq_list_add_head(&req->comp_list, &ctx->locked_free_list);
		@@ -7126,8 +7134,11 @@ static __cold void io_drain_req(struct io_kiocb *req)

		static void io_clean_op(struct io_kiocb *req)
		{
		if (req->flags & REQ_F_BUFFER_SELECTED)
		if (req->flags & REQ_F_BUFFER_SELECTED) {
		spin_lock(&req->ctx->completion_lock);
		io_put_kbuf_comp(req);
		spin_unlock(&req->ctx->completion_lock);
		}

		if (req->flags & REQ_F_NEED_CLEANUP) {
		switch (req->opcode) {