queue-6.6/io_uring-kbuf-protect-io_buffer_list-teardown-with-a-reference.patch

   1 From 6b69c4ab4f685327d9e10caf0d84217ba23a8c4b Mon Sep 17 00:00:00 2001
   2 From: Jens Axboe <axboe@kernel.dk>
   3 Date: Fri, 15 Mar 2024 16:12:51 -0600
   4 Subject: io_uring/kbuf: protect io_buffer_list teardown with a reference
   5
   6 From: Jens Axboe <axboe@kernel.dk>
   7
   8 commit 6b69c4ab4f685327d9e10caf0d84217ba23a8c4b upstream.
   9
  10 No functional changes in this patch, just in preparation for being able
  11 to keep the buffer list alive outside of the ctx->uring_lock.
  12
  13 Cc: stable@vger.kernel.org # v6.4+
  14 Signed-off-by: Jens Axboe <axboe@kernel.dk>
  15 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
  16 ---
  17  io_uring/kbuf.c |   15 +++++++++++----
  18  io_uring/kbuf.h |    2 ++
  19  2 files changed, 13 insertions(+), 4 deletions(-)
  20
  21 --- a/io_uring/kbuf.c
  22 +++ b/io_uring/kbuf.c
  23 @@ -59,6 +59,7 @@ static int io_buffer_add_list(struct io_
  24          * always under the ->uring_lock, but the RCU lookup from mmap does.
  25          */
  26         bl->bgid = bgid;
  27 +       atomic_set(&bl->refs, 1);
  28         return xa_err(xa_store(&ctx->io_bl_xa, bgid, bl, GFP_KERNEL));
  29  }
  30
  31 @@ -272,6 +273,14 @@ static int __io_remove_buffers(struct io
  32         return i;
  33  }
  34
  35 +static void io_put_bl(struct io_ring_ctx *ctx, struct io_buffer_list *bl)
  36 +{
  37 +       if (atomic_dec_and_test(&bl->refs)) {
  38 +               __io_remove_buffers(ctx, bl, -1U);
  39 +               kfree_rcu(bl, rcu);
  40 +       }
  41 +}
  42 +
  43  void io_destroy_buffers(struct io_ring_ctx *ctx)
  44  {
  45         struct io_buffer_list *bl;
  46 @@ -279,8 +288,7 @@ void io_destroy_buffers(struct io_ring_c
  47
  48         xa_for_each(&ctx->io_bl_xa, index, bl) {
  49                 xa_erase(&ctx->io_bl_xa, bl->bgid);
  50 -               __io_remove_buffers(ctx, bl, -1U);
  51 -               kfree_rcu(bl, rcu);
  52 +               io_put_bl(ctx, bl);
  53         }
  54
  55         while (!list_empty(&ctx->io_buffers_pages)) {
  56 @@ -676,9 +684,8 @@ int io_unregister_pbuf_ring(struct io_ri
  57         if (!bl->is_mapped)
  58                 return -EINVAL;
  59
  60 -       __io_remove_buffers(ctx, bl, -1U);
  61         xa_erase(&ctx->io_bl_xa, bl->bgid);
  62 -       kfree_rcu(bl, rcu);
  63 +       io_put_bl(ctx, bl);
  64         return 0;
  65  }
  66
  67 --- a/io_uring/kbuf.h
  68 +++ b/io_uring/kbuf.h
  69 @@ -25,6 +25,8 @@ struct io_buffer_list {
  70         __u16 head;
  71         __u16 mask;
  72
  73 +       atomic_t refs;
  74 +
  75         /* ring mapped provided buffers */
  76         __u8 is_mapped;
  77         /* ring mapped provided buffers, but mmap'ed by application */