From: Jens Axboe axboe@kernel.dk
mainline inclusion
from mainline-5.6-rc1
commit c150368b496837cb207712e78f903ccfd7633b93
category: feature
bugzilla: https://bugzilla.openeuler.org/show_bug.cgi?id=27
CVE: NA
---------------------------
If an application attempts to register a set with unbounded requests pending, we can be stuck here forever if they don't complete. We can make this wait interruptible, and just abort if we get signaled.
Signed-off-by: Jens Axboe axboe@kernel.dk
Signed-off-by: yangerkun yangerkun@huawei.com
Reviewed-by: zhangyi (F) yi.zhang@huawei.com
Signed-off-by: Cheng Jian cj.chengjian@huawei.com
---
 fs/io_uring.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/fs/io_uring.c b/fs/io_uring.c index 9da48b9f5fd8..ca84a708b6b8 100644 --- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -6512,8 +6512,13 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode, * after we've killed the percpu ref. */ mutex_unlock(&ctx->uring_lock); - wait_for_completion(&ctx->completions[0]); + ret = wait_for_completion_interruptible(&ctx->completions[0]); mutex_lock(&ctx->uring_lock); + if (ret) { + percpu_ref_resurrect(&ctx->refs); + ret = -EINTR; + goto out; + } }
switch (opcode) { @@ -6559,8 +6564,9 @@ static int __io_uring_register(struct io_ring_ctx *ctx, unsigned opcode, if (opcode != IORING_UNREGISTER_FILES && opcode != IORING_REGISTER_FILES_UPDATE) { /* bring the ctx back to life */ - reinit_completion(&ctx->completions[0]); percpu_ref_reinit(&ctx->refs); +out: + reinit_completion(&ctx->completions[0]); } return ret; }
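Review bot: in the hunk at @@ -6512,8 +6512,13 @@, the new `if (ret)` branch has no comment, and it makes two choices that need one. First, it overwrites the -ERESTARTSYS that wait_for_completion_interruptible() returns on a signal with -EINTR, so an interrupted register call is never restarted transparently and userspace has to retry it. Second, it calls percpu_ref_resurrect() rather than percpu_ref_reinit(), which is the right call because the ref has been killed but has not dropped to zero while requests are still pending, and percpu_ref_reinit() expects a ref that has reached zero. A two-line comment above `if (ret) {` covering both would keep a later cleanup from "simplifying" either one.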
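Review bot: in the hunk at @@ -6559,8 +6564,9 @@, the `out:` label is placed inside the body of `if (opcode != IORING_UNREGISTER_FILES && opcode != IORING_REGISTER_FILES_UPDATE)`, so the `goto out` from the interrupted-wait path jumps into the middle of a conditional block and skips percpu_ref_reinit() purely by position. That is legal C but fragile: a statement later added before `out:` is silently skipped on the -EINTR path, and one added after it runs on both paths. Add a comment at the label saying the error path has already resurrected the ref and only needs reinit_completion(), or have the error branch call reinit_completion() itself and jump to a label outside the block. The success path also now calls reinit_completion() after percpu_ref_reinit() instead of before it; the changelog should state that this reorder is intentional and safe under ctx->uring_lock.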