From: Pavel Begunkov asml.silence@gmail.com
commit 48bdd849e967f1c573d2b2bc24308e24a83f39c2 upstream.
If io_get_req() fails, it drops a ref. Then, awhile keeping @submitted unmodified, io_submit_sqes() breaks the loop and puts @nr - @submitted refs. For each submitted req a ref is dropped in io_put_req() and friends. So, for @nr taken refs there will be (@nr - @submitted + @submitted + 1) dropped.
Remove ctx refcounting from io_get_req(), that at the same time makes it clearer.
Fixes: 2b85edfc0c90 ("io_uring: batch getting pcpu references") Cc: stable@vger.kernel.org # v5.6 Signed-off-by: Pavel Begunkov asml.silence@gmail.com Signed-off-by: Jens Axboe axboe@kernel.dk Signed-off-by: Greg Kroah-Hartman gregkh@linuxfoundation.org
--- fs/io_uring.c | 1 - 1 file changed, 1 deletion(-)
--- a/fs/io_uring.c +++ b/fs/io_uring.c @@ -1242,7 +1242,6 @@ fallback: req = io_get_fallback_req(ctx); if (req) goto got_it; - percpu_ref_put(&ctx->refs); return NULL; }