2020-04-05 21:15:38

by Pavel Begunkov

Subject: [PATCH] io_uring: fix ctx refcounting in io_submit_sqes()

If io_get_req() fails, it drops a ref. Then, while keeping @submitted
unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted
refs. For each submitted req a ref is dropped in io_put_req() and
friends. So, for @nr taken refs there will be
(@nr - @submitted + @submitted + 1) dropped.

Remove ctx refcounting from io_get_req(), that at the same time makes
it clearer.

Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
Signed-off-by: Pavel Begunkov <[email protected]>
---
fs/io_uring.c | 1 -
1 file changed, 1 deletion(-)

diff --git a/fs/io_uring.c b/fs/io_uring.c
index 78ae8e8ed5bf..79bd22289d73 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1342,7 +1342,6 @@ static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
req = io_get_fallback_req(ctx);
if (req)
goto got_it;
- percpu_ref_put(&ctx->refs);
return NULL;
}
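
Review bot: The `return NULL` path in io_get_req() should carry a short comment saying that the caller owns the ctx ref on failure. After this deletion nothing on that path touches ctx->refs, so the balance depends entirely on the @nr - @submitted put that the commit message attributes to io_submit_sqes(), which this hunk does not show. The path is only reached when io_get_fallback_req() also returns NULL, so it needs a test that forces that failure to confirm the accounting.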

--
2.24.0


2020-04-05 21:24:37

by Pavel Begunkov

Subject: Re: [PATCH] io_uring: fix ctx refcounting in io_submit_sqes()

On 06/04/2020 00:08, Pavel Begunkov wrote:
> If io_get_req() fails, it drops a ref. Then, while keeping @submitted
> unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted
> refs. For each submitted req a ref is dropped in io_put_req() and
> friends. So, for @nr taken refs there will be
> (@nr - @submitted + @submitted + 1) dropped.
>
> Remove ctx refcounting from io_get_req(), that at the same time makes
> it clearer.

It seems, nobody hit OOM, so it stayed unnoticed. And neither did I.
It could be a good idea to do fault-injection for testing.

>
> Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references")
> Signed-off-by: Pavel Begunkov <[email protected]>
> ---
> fs/io_uring.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/fs/io_uring.c b/fs/io_uring.c
> index 78ae8e8ed5bf..79bd22289d73 100644
> --- a/fs/io_uring.c
> +++ b/fs/io_uring.c
> @@ -1342,7 +1342,6 @@ static struct io_kiocb *io_get_req(struct io_ring_ctx *ctx,
> req = io_get_fallback_req(ctx);
> if (req)
> goto got_it;
> - percpu_ref_put(&ctx->refs);
> return NULL;
> }
>
>

--
Pavel Begunkov



2020-04-05 22:30:47

by Jens Axboe

Subject: Re: [PATCH] io_uring: fix ctx refcounting in io_submit_sqes()

On 4/5/20 3:13 PM, Pavel Begunkov wrote:
> On 06/04/2020 00:08, Pavel Begunkov wrote:
>> If io_get_req() fails, it drops a ref. Then, while keeping @submitted
>> unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted
>> refs. For each submitted req a ref is dropped in io_put_req() and
>> friends. So, for @nr taken refs there will be
>> (@nr - @submitted + @submitted + 1) dropped.
>>
>> Remove ctx refcounting from io_get_req(), that at the same time makes
>> it clearer.
>
> It seems, nobody hit OOM, so it stayed unnoticed. And neither did I.
> It could be a good idea to do fault-injection for testing.

Actually think we just hit this, was testing with memcached (as per fixes
posted recently), and a bug on the user side ended up with 196G of slab
and running into OOM off request allocation.

But yes, would be nice to have specific fault injection testing to
avoid finding these in prod testing.

--
Jens Axboe

2020-04-05 22:30:47

by Jens Axboe

Subject: Re: [PATCH] io_uring: fix ctx refcounting in io_submit_sqes()

On 4/5/20 3:08 PM, Pavel Begunkov wrote:
> If io_get_req() fails, it drops a ref. Then, while keeping @submitted
> unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted
> refs. For each submitted req a ref is dropped in io_put_req() and
> friends. So, for @nr taken refs there will be
> (@nr - @submitted + @submitted + 1) dropped.
>
> Remove ctx refcounting from io_get_req(), that at the same time makes
> it clearer.

Applied, but also marked for 5.6 stable.

--
Jens Axboe
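
The ref accounting from the commit message and the fault-injection idea raised in the replies, as an added user-space model that is not part of the thread and is not kernel code. It assumes the behaviour the commit message describes; `model_ctx`, `model_get_req()`, `model_submit()` and the `fail_at` injection point are hypothetical names.

```c
/* User-space model of the ctx ref accounting described in this thread.
 * Not kernel code: refs is a plain counter standing in for ctx->refs,
 * and fail_at is a constructed fault-injection point. */
#include <stdio.h>

struct model_ctx { long refs; };

/* Models io_get_req(): "allocation" fails for request index fail_at.
 * put_on_fail selects the pre-patch behaviour (drop a ctx ref on failure). */
static int model_get_req(struct model_ctx *ctx, unsigned int idx,
                         int fail_at, int put_on_fail)
{
    if ((int)idx == fail_at) {
        if (put_on_fail)
            ctx->refs--;        /* the put removed by the patch */
        return -1;
    }
    return 0;
}

/* Models io_submit_sqes() plus completion of every submitted request.
 * Returns the ctx ref balance afterwards; 0 means gets and puts match. */
static long model_submit(unsigned int nr, int fail_at, int put_on_fail)
{
    struct model_ctx ctx = { 0 };
    unsigned int i, submitted = 0;

    ctx.refs += nr;                     /* batched get of @nr refs */
    for (i = 0; i < nr; i++) {
        if (model_get_req(&ctx, i, fail_at, put_on_fail) < 0)
            break;                      /* @submitted left unmodified */
        submitted++;
    }
    if (submitted != nr)
        ctx.refs -= nr - submitted;     /* put refs for unsubmitted part */
    ctx.refs -= submitted;              /* io_put_req() and friends */
    return ctx.refs;
}

int main(void)
{
    int fail_at;

    for (fail_at = -1; fail_at < 4; fail_at++)
        printf("fail_at=%2d  pre-patch=%ld  patched=%ld\n", fail_at,
               model_submit(4, fail_at, 1), model_submit(4, fail_at, 0));
    return 0;
}
```

A negative balance in the pre-patch column is the one extra put per failed io_get_req() that the commit message counts as (@nr - @submitted + @submitted + 1).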