io_uring: hold uring_lock across io_kill_timeouts() in cancel path

io_uring_try_cancel_requests() dropped ctx->uring_lock before calling
io_kill_timeouts(), which walks each timeout's link chain via
io_match_task() to test REQ_F_INFLIGHT. With chain mutation now
serialized by ctx->uring_lock, that walk needs the lock too.

Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/io_uring/cancel.c b/io_uring/cancel.c
index 5e5eb9cfc7cd6f1197a75312399cb3611d3044e2..4aa3103ba9c39c388074d3fcc4e2afeec732101e 100644 (file)
--- a/io_uring/cancel.c
+++ b/io_uring/cancel.c
@@ -561,8 +561,8 @@ __cold bool io_uring_try_cancel_requests(struct io_ring_ctx *ctx,
        ret |= io_waitid_remove_all(ctx, tctx, cancel_all);
        ret |= io_futex_remove_all(ctx, tctx, cancel_all);
        ret |= io_uring_try_cancel_uring_cmd(ctx, tctx, cancel_all);
-       mutex_unlock(&ctx->uring_lock);
        ret |= io_kill_timeouts(ctx, tctx, cancel_all);
+       mutex_unlock(&ctx->uring_lock);
        if (tctx)
                ret |= io_run_task_work() > 0;
        else