Commit 973d2c13 authored by Pavel Begunkov's avatar Pavel Begunkov Committed by Yang Yingliang
Browse files

io_uring: return back safer resurrect 



mainline inclusion
from mainline-v5.13-rc1
commit f70865db
category: bugfix
bugzilla: 185739
CVE: NA

-----------------------------------------------

Revert of revert of "io_uring: wait potential ->release() on resurrect",
which adds a helper for resurrect not racing completion reinit, as was
removed because of a strange bug with no clear root or link to the
patch.

Was improved, instead of rcu_synchronize(), just wait_for_completion()
because we're at 0 refs and it will happen very shortly. Specifically
use non-interruptible version to ignore all pending signals that may
have ended prior interruptible wait.

This reverts commit cb5e1b81.

Signed-off-by: default avatarPavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/7a080c20f686d026efade810b116b72f88abaff9.1618101759.git.asml.silence@gmail.com


Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>

conflicts:
fs/io_uring.c

Signed-off-by: default avatarYe Bin <yebin10@huawei.com>
Reviewed-by: default avatarZhang Yi <yi.zhang@huawei.com>
Signed-off-by: default avatarYang Yingliang <yangyingliang@huawei.com>
parent 97e7efbb

fs/io_uring.c

+14 −4
Original line number Diff line number Diff line
@@ -8669,6 +8669,18 @@ static bool io_register_op_must_quiesce(int op) 
	}

}



static void io_refs_resurrect(struct percpu_ref *ref, struct completion *compl)

{

	bool got = percpu_ref_tryget(ref);



	/* already at zero, wait for ->release() */

	if (!got)

		wait_for_completion(compl);

	percpu_ref_resurrect(ref);

	if (got)

		percpu_ref_put(ref);

}



static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode,

			       void __user *arg, unsigned nr_args)

	__releases(ctx->uring_lock)
@@ -8699,9 +8711,8 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode, 
		ret = wait_for_completion_interruptible(&ctx->ref_comp);

		mutex_lock(&ctx->uring_lock);

		if (ret) {

			percpu_ref_resurrect(&ctx->refs);

			ret = -EINTR;

			goto out;

			io_refs_resurrect(&ctx->refs, &ctx->ref_comp);

			return ret;

		}

	}
@@ -8772,7 +8783,6 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode, 
	if (io_register_op_must_quiesce(opcode)) {

		/* bring the ctx back to life */

		percpu_ref_reinit(&ctx->refs);

out:

		reinit_completion(&ctx->ref_comp);

	}

	return ret;