io_uring: add warn_once for io_uring_flush()

[ Upstream commit 6b5733eb638b7068ab7cb34e663b55a1d1892d85]

files_cancel() should cancel all relevant requests and drop file notes,
so we should never have file notes after that, including on-exit fput
and flush. Add a WARN_ONCE to be sure.

Cc: stable@vger.kernel.org # 5.5+
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/fs/io_uring.c b/fs/io_uring.c
index c4e0c35..70439e9 100644 (file)
--- a/fs/io_uring.c
+++ b/fs/io_uring.c
@@ -8926,17 +8926,23 @@ void __io_uring_task_cancel(void)
 
 static int io_uring_flush(struct file *file, void *data)
 {
-       if (!current->io_uring)
+       struct io_uring_task *tctx = current->io_uring;
+
+       if (!tctx)
                return 0;
 
+       /* we should have cancelled and erased it before PF_EXITING */
+       WARN_ON_ONCE((current->flags & PF_EXITING) &&
+                    xa_load(&tctx->xa, (unsigned long)file));
+
        /*
         * fput() is pending, will be 2 if the only other ref is our potential
         * task file note. If the task is exiting, drop regardless of count.
         */
-       if (fatal_signal_pending(current) || (current->flags & PF_EXITING) ||
-           atomic_long_read(&file->f_count) == 2)
-               io_uring_del_task_file(file);
+       if (atomic_long_read(&file->f_count) != 2)
+               return 0;
 
+       io_uring_del_task_file(file);
        return 0;
 }