LinuxLists.cc - [PATCH 1/1] io_uring: fix refcounting with OOM

2020-01-25 09:02:53

Subject: [PATCH 1/1] io_uring: fix refcounting with OOM

In case of out of memory the second argument of percpu_ref_put_many() in
io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly
wrong.

Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index a4b496815783..744e8a90b543 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4912,8 +4912,11 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
break;
}

- if (submitted != nr)
- percpu_ref_put_many(&ctx->refs, nr - submitted);
+ if (unlikely(submitted != nr)) {
+ int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
+
+ percpu_ref_put_many(&ctx->refs, nr - ref_used);
+ }

io_submit_end(ctx);
if (nr > IO_PLUG_THRESHOLD)
--
2.24.0

2020-01-25 16:47:48

by Jens Axboe

[permalink] [raw]

Subject: Re: [PATCH 1/1] io_uring: fix refcounting with OOM

On 1/25/20 1:59 AM, Pavel Begunkov wrote:
> In case of out of memory the second argument of percpu_ref_put_many() in
> io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly
> wrong.

Can you reorder this one before your series, I haven't had time
to take a look at that yet and I don't think this bug fix should
depend on it.

--
Jens Axboe

2020-01-25 19:32:50

by Pavel Begunkov

[permalink] [raw]

Subject: Re: [PATCH 1/1] io_uring: fix refcounting with OOM

On 25/01/2020 19:46, Jens Axboe wrote:
> On 1/25/20 1:59 AM, Pavel Begunkov wrote:
>> In case of out of memory the second argument of percpu_ref_put_many() in
>> io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly
>> wrong.
>
> Can you reorder this one before your series, I haven't had time
> to take a look at that yet and I don't think this bug fix should
> depend on it.
>
Sure.

--
Pavel Begunkov

Attachments:

signature.asc (849.00 B)
OpenPGP digital signature

2020-01-25 19:35:56

by Pavel Begunkov

[permalink] [raw]

Subject: [PATCH v2] io_uring: fix refcounting with OOM

In case of out of memory the second argument of percpu_ref_put_many() in
io_submit_sqes() may evaluate into "nr - (-EAGAIN)", that is clearly
wrong.

Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
Signed-off-by: Pavel Begunkov <[email protected]>
---

v2: rebase

fs/io_uring.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 25f29ef81698..e79d6e47dc7b 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -4896,8 +4896,11 @@ static int io_submit_sqes(struct io_ring_ctx *ctx, unsigned int nr,
break;
}

- if (submitted != nr)
- percpu_ref_put_many(&ctx->refs, nr - submitted);
+ if (unlikely(submitted != nr)) {
+ int ref_used = (submitted == -EAGAIN) ? 0 : submitted;
+
+ percpu_ref_put_many(&ctx->refs, nr - ref_used);
+ }
if (link)
io_queue_link_head(link);
if (statep)
--
2.24.0