Commit ce765372 authored by Matthew Wilcox (Oracle)'s avatar Matthew Wilcox (Oracle) Committed by Jens Axboe
Browse files

io_uring: Fix use of XArray in __io_uring_files_cancel 



We have to drop the lock during each iteration, so there's no advantage
to using the advanced API.  Convert this to a standard xa_for_each() loop.

Reported-by: default avatar <syzbot+27c12725d8ff0bfe1a13@syzkaller.appspotmail.com>
Signed-off-by: default avatarMatthew Wilcox (Oracle) <willy@infradead.org>
Signed-off-by: default avatarJens Axboe <axboe@kernel.dk>
parent ed6930c9

fs/io_uring.c

+5 −14
Original line number Diff line number Diff line
@@ -8665,28 +8665,19 @@ static void io_uring_attempt_task_drop(struct file *file, bool exiting) 
void __io_uring_files_cancel(struct files_struct *files)

{

	struct io_uring_task *tctx = current->io_uring;

	XA_STATE(xas, &tctx->xa, 0);

	struct file *file;

	unsigned long index;



	/* make sure overflow events are dropped */

	tctx->in_idle = true;



	do {

		struct io_ring_ctx *ctx;

		struct file *file;



		xas_lock(&xas);

		file = xas_next_entry(&xas, ULONG_MAX);

		xas_unlock(&xas);



		if (!file)

			break;



		ctx = file->private_data;

	xa_for_each(&tctx->xa, index, file) {

		struct io_ring_ctx *ctx = file->private_data;



		io_uring_cancel_task_requests(ctx, files);

		if (files)

			io_uring_del_task_file(file);

	} while (1);

	}

}



static inline bool io_uring_task_idle(struct io_uring_task *tctx)