While task_work_add() in io_workqueue_create() is true,
then duplicate code is executed:
-> clear_bit_unlock(0, &worker->create_state);
-> io_worker_release(worker);
-> atomic_dec(&acct->nr_running);
-> io_worker_ref_put(wq);
-> return false;
-> clear_bit_unlock(0, &worker->create_state); // back to io_workqueue_create()
-> io_worker_release(worker);
-> kfree(worker);
The io_worker_release() and clear_bit_unlock() are executed twice.
Fixes: 3146cba99aa2 ("io-wq: make worker creation resilient against signals")
Signed-off-by: Bixuan Cui <[email protected]>
---
fs/io-wq.c | 9 ++++-----
1 file changed, 4 insertions(+), 5 deletions(-)
diff --git a/fs/io-wq.c b/fs/io-wq.c
index 6c55362c1f99..95d0eaed7c00 100644
--- a/fs/io-wq.c
+++ b/fs/io-wq.c
@@ -329,8 +329,10 @@ static bool io_queue_worker_create(struct io_worker *worker,
init_task_work(&worker->create_work, func);
worker->create_index = acct->index;
- if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL))
+ if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) {
+ clear_bit_unlock(0, &worker->create_state);
return true;
+ }
clear_bit_unlock(0, &worker->create_state);
fail_release:
io_worker_release(worker);
@@ -723,11 +725,8 @@ static void io_workqueue_create(struct work_struct *work)
struct io_worker *worker = container_of(work, struct io_worker, work);
struct io_wqe_acct *acct = io_wqe_get_acct(worker);
- if (!io_queue_worker_create(worker, acct, create_worker_cont)) {
- clear_bit_unlock(0, &worker->create_state);
- io_worker_release(worker);
+ if (!io_queue_worker_create(worker, acct, create_worker_cont))
kfree(worker);
- }
}
static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
--
2.17.1
在 2021/9/11 下午4:58, Bixuan Cui 写道:
> While task_work_add() in io_workqueue_create() is true,
> then duplicate code is executed:
>
> -> clear_bit_unlock(0, &worker->create_state);
> -> io_worker_release(worker);
> -> atomic_dec(&acct->nr_running);
> -> io_worker_ref_put(wq);
> -> return false;
>
> -> clear_bit_unlock(0, &worker->create_state); // back to io_workqueue_create()
> -> io_worker_release(worker);
> -> kfree(worker);
>
> The io_worker_release() and clear_bit_unlock() are executed twice.
>
> Fixes: 3146cba99aa2 ("io-wq: make worker creation resilient against signals")
> Signed-off-by: Bixuan Cui <[email protected]>
> ---
> fs/io-wq.c | 9 ++++-----
> 1 file changed, 4 insertions(+), 5 deletions(-)
>
> diff --git a/fs/io-wq.c b/fs/io-wq.c
> index 6c55362c1f99..95d0eaed7c00 100644
> --- a/fs/io-wq.c
> +++ b/fs/io-wq.c
> @@ -329,8 +329,10 @@ static bool io_queue_worker_create(struct io_worker *worker,
>
> init_task_work(&worker->create_work, func);
> worker->create_index = acct->index;
> - if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL))
> + if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) {
> + clear_bit_unlock(0, &worker->create_state);
> return true;
> + }
> clear_bit_unlock(0, &worker->create_state);
> fail_release:
> io_worker_release(worker);
> @@ -723,11 +725,8 @@ static void io_workqueue_create(struct work_struct *work)
> struct io_worker *worker = container_of(work, struct io_worker, work);
> struct io_wqe_acct *acct = io_wqe_get_acct(worker);
>
> - if (!io_queue_worker_create(worker, acct, create_worker_cont)) {
> - clear_bit_unlock(0, &worker->create_state);
> - io_worker_release(worker);
> + if (!io_queue_worker_create(worker, acct, create_worker_cont))
> kfree(worker);
> - }
> }
>
> static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
>
AFAIK, this looks reasonable for me.
On 9/12/21 9:36 AM, Hao Xu wrote:
> 在 2021/9/11 下午4:58, Bixuan Cui 写道:
>> While task_work_add() in io_workqueue_create() is true,
>> then duplicate code is executed:
>>
>> -> clear_bit_unlock(0, &worker->create_state);
>> -> io_worker_release(worker);
>> -> atomic_dec(&acct->nr_running);
>> -> io_worker_ref_put(wq);
>> -> return false;
>>
>> -> clear_bit_unlock(0, &worker->create_state); // back to io_workqueue_create()
>> -> io_worker_release(worker);
>> -> kfree(worker);
>>
>> The io_worker_release() and clear_bit_unlock() are executed twice.
>>
>> Fixes: 3146cba99aa2 ("io-wq: make worker creation resilient against signals")
>> Signed-off-by: Bixuan Cui <[email protected]>
>> ---
>> fs/io-wq.c | 9 ++++-----
>> 1 file changed, 4 insertions(+), 5 deletions(-)
>>
>> diff --git a/fs/io-wq.c b/fs/io-wq.c
>> index 6c55362c1f99..95d0eaed7c00 100644
>> --- a/fs/io-wq.c
>> +++ b/fs/io-wq.c
>> @@ -329,8 +329,10 @@ static bool io_queue_worker_create(struct io_worker *worker,
>>
>> init_task_work(&worker->create_work, func);
>> worker->create_index = acct->index;
>> - if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL))
>> + if (!task_work_add(wq->task, &worker->create_work, TWA_SIGNAL)) {
>> + clear_bit_unlock(0, &worker->create_state);
>> return true;
>> + }
>> clear_bit_unlock(0, &worker->create_state);
>> fail_release:
>> io_worker_release(worker);
>> @@ -723,11 +725,8 @@ static void io_workqueue_create(struct work_struct *work)
>> struct io_worker *worker = container_of(work, struct io_worker, work);
>> struct io_wqe_acct *acct = io_wqe_get_acct(worker);
>>
>> - if (!io_queue_worker_create(worker, acct, create_worker_cont)) {
>> - clear_bit_unlock(0, &worker->create_state);
>> - io_worker_release(worker);
>> + if (!io_queue_worker_create(worker, acct, create_worker_cont))
>> kfree(worker);
>> - }
>> }
>>
>> static bool create_io_worker(struct io_wq *wq, struct io_wqe *wqe, int index)
>>
> AFAIK, this looks reasonable for me.
I took that as a reviewed-by, let me know if that isn't correct.
--
Jens Axboe