ublk: move ublk_mark_io_ready() out of __ublk_fetch()

ublk_batch_prep_io() calls __ublk_fetch() while holding io->lock
spinlock. When the last IO makes the device ready, ublk_mark_io_ready()
tries to acquire ub->cancel_mutex which can sleep, causing a
sleeping-while-atomic bug.

Fix by moving ublk_mark_io_ready() out of __ublk_fetch() and into the
callers (ublk_fetch and ublk_batch_prep_io) after the spinlock is
released.

Reported-by: Jens Axboe <axboe@kernel.dk>
Fixes: b256795b3606 ("ublk: handle UBLK_U_IO_PREP_IO_CMDS")
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/drivers/block/ublk_drv.c b/drivers/block/ublk_drv.c
index 1e374ecbf0f1afb5c167c562b0c2def342001fbe..31279a8238b886ecd2ddb0904d55629ddb594d90 100644 (file)
--- a/drivers/block/ublk_drv.c
+++ b/drivers/block/ublk_drv.c
@@ -3064,7 +3064,6 @@ static int __ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
                WRITE_ONCE(io->task, NULL);
        else
                WRITE_ONCE(io->task, get_task_struct(current));
-       ublk_mark_io_ready(ub, q_id);
 
        return 0;
 }
@@ -3083,6 +3082,8 @@ static int ublk_fetch(struct io_uring_cmd *cmd, struct ublk_device *ub,
        ret = __ublk_fetch(cmd, ub, io, q_id);
        if (!ret)
                ret = ublk_config_io_buf(ub, io, cmd, buf_addr, NULL);
+       if (!ret)
+               ublk_mark_io_ready(ub, q_id);
        mutex_unlock(&ub->mutex);
        return ret;
 }
@@ -3484,6 +3485,9 @@ static int ublk_batch_prep_io(struct ublk_queue *ubq,
                io->buf = buf;
        ublk_io_unlock(io);
 
+       if (!ret)
+               ublk_mark_io_ready(data->ub, ubq->q_id);
+
        return ret;
 }