io_uring: account io_uring internal files as REQ_F_INFLIGHT

We need to actively cancel anything that introduces a potential circular
loop, where io_uring holds a reference to itself. If the file in question
is an io_uring file, then add the request to the inflight list.

Cc: stable@vger.kernel.org # 5.9+
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
Jens Axboe 2021-01-23 15:49:31 -07:00
Родитель 9d5c819068
Коммит 02a13674fa
1 изменённых файлов: 26 добавлений и 10 удалений

Просмотреть файл

@ -1075,8 +1075,11 @@ static bool io_match_task(struct io_kiocb *head,
return true; return true;
io_for_each_link(req, head) { io_for_each_link(req, head) {
if ((req->flags & REQ_F_WORK_INITIALIZED) && if (!(req->flags & REQ_F_WORK_INITIALIZED))
(req->work.flags & IO_WQ_WORK_FILES) && continue;
if (req->file && req->file->f_op == &io_uring_fops)
return true;
if ((req->work.flags & IO_WQ_WORK_FILES) &&
req->work.identity->files == files) req->work.identity->files == files)
return true; return true;
} }
@ -1505,11 +1508,14 @@ static bool io_grab_identity(struct io_kiocb *req)
return false; return false;
atomic_inc(&id->files->count); atomic_inc(&id->files->count);
get_nsproxy(id->nsproxy); get_nsproxy(id->nsproxy);
req->flags |= REQ_F_INFLIGHT;
spin_lock_irq(&ctx->inflight_lock); if (!(req->flags & REQ_F_INFLIGHT)) {
list_add(&req->inflight_entry, &ctx->inflight_list); req->flags |= REQ_F_INFLIGHT;
spin_unlock_irq(&ctx->inflight_lock);
spin_lock_irq(&ctx->inflight_lock);
list_add(&req->inflight_entry, &ctx->inflight_list);
spin_unlock_irq(&ctx->inflight_lock);
}
req->work.flags |= IO_WQ_WORK_FILES; req->work.flags |= IO_WQ_WORK_FILES;
} }
if (!(req->work.flags & IO_WQ_WORK_MM) && if (!(req->work.flags & IO_WQ_WORK_MM) &&
@ -6164,8 +6170,10 @@ static void io_req_drop_files(struct io_kiocb *req)
struct io_uring_task *tctx = req->task->io_uring; struct io_uring_task *tctx = req->task->io_uring;
unsigned long flags; unsigned long flags;
put_files_struct(req->work.identity->files); if (req->work.flags & IO_WQ_WORK_FILES) {
put_nsproxy(req->work.identity->nsproxy); put_files_struct(req->work.identity->files);
put_nsproxy(req->work.identity->nsproxy);
}
spin_lock_irqsave(&ctx->inflight_lock, flags); spin_lock_irqsave(&ctx->inflight_lock, flags);
list_del(&req->inflight_entry); list_del(&req->inflight_entry);
spin_unlock_irqrestore(&ctx->inflight_lock, flags); spin_unlock_irqrestore(&ctx->inflight_lock, flags);
@ -6450,6 +6458,15 @@ static struct file *io_file_get(struct io_submit_state *state,
file = __io_file_get(state, fd); file = __io_file_get(state, fd);
} }
if (file && file->f_op == &io_uring_fops) {
io_req_init_async(req);
req->flags |= REQ_F_INFLIGHT;
spin_lock_irq(&ctx->inflight_lock);
list_add(&req->inflight_entry, &ctx->inflight_list);
spin_unlock_irq(&ctx->inflight_lock);
}
return file; return file;
} }
@ -8860,8 +8877,7 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
spin_lock_irq(&ctx->inflight_lock); spin_lock_irq(&ctx->inflight_lock);
list_for_each_entry(req, &ctx->inflight_list, inflight_entry) { list_for_each_entry(req, &ctx->inflight_list, inflight_entry) {
if (req->task != task || if (!io_match_task(req, task, files))
req->work.identity->files != files)
continue; continue;
found = true; found = true;
break; break;