From: Jens Axboe <axboe@kernel.dk>
Date: Mon, 11 May 2026 16:58:38 +0000 (-0600)
Subject: io_uring: hold uring_lock when walking link chain in io_wq_free_work()
X-Git-Tag: v7.1-rc4~22^2~5
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=20c39819a27646573dfa0ac0d01c38895298a6f6;p=thirdparty%2Fkernel%2Flinux.git

io_uring: hold uring_lock when walking link chain in io_wq_free_work()

io_wq_free_work() calls io_req_find_next() from io-wq worker context,
which reads and clears req->link without holding any lock. This can
potentially race with other paths that mutate the same chain under
ctx->uring_lock.

Take ctx->uring_lock around the io_req_find_next() call. Only requests
with IO_REQ_LINK_FLAGS reach this path, which is not the hot path.

Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/io_uring/io_uring.c b/io_uring/io_uring.c
index 4ed998d60c09c..2ebb0ba37c4f0 100644
--- a/io_uring/io_uring.c
+++ b/io_uring/io_uring.c
@@ -1452,8 +1452,13 @@ struct io_wq_work *io_wq_free_work(struct io_wq_work *work)
 	struct io_kiocb *nxt = NULL;
 
 	if (req_ref_put_and_test_atomic(req)) {
-		if (req->flags & IO_REQ_LINK_FLAGS)
+		if (req->flags & IO_REQ_LINK_FLAGS) {
+			struct io_ring_ctx *ctx = req->ctx;
+
+			mutex_lock(&ctx->uring_lock);
 			nxt = io_req_find_next(req);
+			mutex_unlock(&ctx->uring_lock);
+		}
 		io_free_req(req);
 	}
 	return nxt ? &nxt->work : NULL;