From: Jens Axboe <axboe@kernel.dk>
Date: Mon, 14 Sep 2020 14:20:12 +0000 (-0600)
Subject: io_uring: drop 'ctx' ref on task work cancelation
X-Git-Url: http://git.maquefel.me/?a=commitdiff_plain;h=87ceb6a6b81eca000911403446d4c6043b4e4f82;p=linux.git

io_uring: drop 'ctx' ref on task work cancelation

If task_work ends up being marked for cancelation, we go through a
cancelation helper instead of the queue path. In converting task_work to
always hold a ctx reference, this path was missed. Make sure that
io_req_task_cancel() puts the reference that is being held against the
ctx.

Fixes: 6d816e088c35 ("io_uring: hold 'ctx' reference around task_work queue + execute")
Signed-off-by: Jens Axboe <axboe@kernel.dk>
---

diff --git a/fs/io_uring.c b/fs/io_uring.c
index be9d628e7854c..01756a131be6a 100644
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -1787,8 +1787,10 @@ static void __io_req_task_cancel(struct io_kiocb *req, int error)
 static void io_req_task_cancel(struct callback_head *cb)
 {
 	struct io_kiocb *req = container_of(cb, struct io_kiocb, task_work);
+	struct io_ring_ctx *ctx = req->ctx;
 
 	__io_req_task_cancel(req, -ECANCELED);
+	percpu_ref_put(&ctx->refs);
 }
 
 static void __io_req_task_submit(struct io_kiocb *req)