req->iopoll() is not necessarily called by a task that submitted a request. Because of that, it's dangerous to grab_env() and punt async on -EGAIN, potentially grabbinf another task's mm and corrupting its memory.
Do resubmit from the submitter task context. Signed-off-by: Pavel Begunkov <[email protected]> --- fs/io_uring.c | 12 ++++++++++-- 1 file changed, 10 insertions(+), 2 deletions(-) diff --git a/fs/io_uring.c b/fs/io_uring.c index bb0dfc450db5..595d2bbb31b1 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -884,6 +884,8 @@ enum io_mem_account { ACCT_PINNED, }; +static void io_complete_rw_common(struct kiocb *kiocb, long res); +static bool io_rw_reissue(struct io_kiocb *req, long res); static void io_wq_submit_work(struct io_wq_work **workptr); static void io_cqring_fill_event(struct io_kiocb *req, long res); static void io_put_req(struct io_kiocb *req); @@ -1756,8 +1758,11 @@ static void io_iopoll_queue(struct list_head *again) do { req = list_first_entry(again, struct io_kiocb, list); list_del(&req->list); - refcount_inc(&req->refs); - io_queue_async_work(req); + + if (!io_rw_reissue(req, -EAGAIN)) { + io_complete_rw_common(&req->rw.kiocb, -EAGAIN); + io_put_req(req); + } } while (!list_empty(again)); } @@ -1930,6 +1935,8 @@ static int io_iopoll_check(struct io_ring_ctx *ctx, unsigned *nr_events, */ if (!(++iters & 7)) { mutex_unlock(&ctx->uring_lock); + if (current->task_works) + task_work_run(); mutex_lock(&ctx->uring_lock); } @@ -2288,6 +2295,7 @@ static int io_prep_rw(struct io_kiocb *req, const struct io_uring_sqe *sqe, kiocb->ki_complete = io_complete_rw_iopoll; req->result = 0; req->iopoll_completed = 0; + io_get_req_task(req); } else { if (kiocb->ki_flags & IOCB_HIPRI) return -EINVAL; -- 2.24.0
