io_uring: prune request from overflow list on flush
Carter reported an issue where he could produce a stall on ring exit, when we're cleaning up requests that match the given file table. For this particular test case, a combination of a few things caused the issue: - The cq ring was overflown - The request being canceled was in the overflow list The combination of the above means that the cq overflow list holds a reference to the request. The request is canceled correctly, but since the overflow list holds a reference to it, the final put won't happen. Since the final put doesn't happen, the request remains in the inflight. Hence we never finish the cancelation flush. Fix this by removing requests from the overflow list if we're canceling them. Cc: stable@vger.kernel.org # 5.5 Reported-by: Carter Li 李通洲 <carter.li@eoitek.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
Jens Axboe
parent
7563439adf
commit
2ca10259b4
|
|
@ -481,6 +481,7 @@ enum {
|
|||
REQ_F_TIMEOUT_NOSEQ_BIT,
|
||||
REQ_F_COMP_LOCKED_BIT,
|
||||
REQ_F_NEED_CLEANUP_BIT,
|
||||
REQ_F_OVERFLOW_BIT,
|
||||
};
|
||||
|
||||
enum {
|
||||
|
|
@ -521,6 +522,8 @@ enum {
|
|||
REQ_F_COMP_LOCKED = BIT(REQ_F_COMP_LOCKED_BIT),
|
||||
/* needs cleanup */
|
||||
REQ_F_NEED_CLEANUP = BIT(REQ_F_NEED_CLEANUP_BIT),
|
||||
/* in overflow list */
|
||||
REQ_F_OVERFLOW = BIT(REQ_F_OVERFLOW_BIT),
|
||||
};
|
||||
|
||||
/*
|
||||
|
|
@ -1103,6 +1106,7 @@ static bool io_cqring_overflow_flush(struct io_ring_ctx *ctx, bool force)
|
|||
req = list_first_entry(&ctx->cq_overflow_list, struct io_kiocb,
|
||||
list);
|
||||
list_move(&req->list, &list);
|
||||
req->flags &= ~REQ_F_OVERFLOW;
|
||||
if (cqe) {
|
||||
WRITE_ONCE(cqe->user_data, req->user_data);
|
||||
WRITE_ONCE(cqe->res, req->result);
|
||||
|
|
@ -1155,6 +1159,7 @@ static void io_cqring_fill_event(struct io_kiocb *req, long res)
|
|||
set_bit(0, &ctx->sq_check_overflow);
|
||||
set_bit(0, &ctx->cq_check_overflow);
|
||||
}
|
||||
req->flags |= REQ_F_OVERFLOW;
|
||||
refcount_inc(&req->refs);
|
||||
req->result = res;
|
||||
list_add_tail(&req->list, &ctx->cq_overflow_list);
|
||||
|
|
@ -6463,6 +6468,29 @@ static void io_uring_cancel_files(struct io_ring_ctx *ctx,
|
|||
if (!cancel_req)
|
||||
break;
|
||||
|
||||
if (cancel_req->flags & REQ_F_OVERFLOW) {
|
||||
spin_lock_irq(&ctx->completion_lock);
|
||||
list_del(&cancel_req->list);
|
||||
cancel_req->flags &= ~REQ_F_OVERFLOW;
|
||||
if (list_empty(&ctx->cq_overflow_list)) {
|
||||
clear_bit(0, &ctx->sq_check_overflow);
|
||||
clear_bit(0, &ctx->cq_check_overflow);
|
||||
}
|
||||
spin_unlock_irq(&ctx->completion_lock);
|
||||
|
||||
WRITE_ONCE(ctx->rings->cq_overflow,
|
||||
atomic_inc_return(&ctx->cached_cq_overflow));
|
||||
|
||||
/*
|
||||
* Put inflight ref and overflow ref. If that's
|
||||
* all we had, then we're done with this request.
|
||||
*/
|
||||
if (refcount_sub_and_test(2, &cancel_req->refs)) {
|
||||
io_put_req(cancel_req);
|
||||
continue;
|
||||
}
|
||||
}
|
||||
|
||||
io_wq_cancel_work(ctx->io_wq, &cancel_req->work);
|
||||
io_put_req(cancel_req);
|
||||
schedule();
|
||||
|
|
|
|||
Loading…
Reference in New Issue