Max Kellermann <max.kellermann@ionos.com> wrote on Fri, Sep 12, 2025 at 08:06:
Commit 88e6c42e40de ("io_uring/io-wq: add check free worker before create new worker") reused the variable `do_create` for something else, abusing it for the free worker check.
This caused the value to effectively always be `true` at the time `nr_workers < max_workers` was checked, but it should really be `false`. This means the `max_workers` setting was ignored, and worse: if the limit had already been reached, incrementing `nr_workers` was skipped even though another worker would be created.
When later lots of workers exit, the `nr_workers` field could easily underflow, making the problem worse because more and more workers would be created without incrementing `nr_workers`.
Thanks, my mistake.
Reviewed-by: Fengnan Chang <changfengnan@bytedance.com>
The simple solution is to use a different variable for the free worker check instead of using one variable for two different things.
Cc: stable@vger.kernel.org
Fixes: 88e6c42e40de ("io_uring/io-wq: add check free worker before create new worker")
Signed-off-by: Max Kellermann <max.kellermann@ionos.com>

io_uring/io-wq.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/io_uring/io-wq.c b/io_uring/io-wq.c index 17dfaa0395c4..1d03b2fc4b25 100644 --- a/io_uring/io-wq.c +++ b/io_uring/io-wq.c @@ -352,16 +352,16 @@ static void create_worker_cb(struct callback_head *cb) struct io_wq *wq;
struct io_wq_acct *acct;
bool do_create = false;
bool activated_free_worker, do_create = false; worker = container_of(cb, struct io_worker, create_work); wq = worker->wq; acct = worker->acct; rcu_read_lock();
do_create = !io_acct_activate_free_worker(acct);
activated_free_worker = io_acct_activate_free_worker(acct); rcu_read_unlock();
if (!do_create)
if (activated_free_worker) goto no_need_create; raw_spin_lock(&acct->workers_lock);
-- 2.47.3
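Review bot: in the declarations at the top of create_worker_cb(), `bool activated_free_worker, do_create = false;` initializes only `do_create`, and a reader can take the `= false` to cover both names; put `activated_free_worker` on its own line, or initialize it, so that it cannot be read before the `io_acct_activate_free_worker(acct)` assignment if the function is later reordered. Since the regression came from one flag serving two purposes, a one-line comment at the `goto no_need_create` branch stating that `do_create` is reserved for the `nr_workers < max_workers` decision would help keep the two apart. The commit message also describes `nr_workers` underflowing; the visible lines add no check for that, so it may be worth stating whether this fix alone makes the underflow unreachable.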