Commit 06d751b4 authored by Daniel McNeil's avatar Daniel McNeil Committed by Linus Torvalds

[PATCH] Fix AIO reference counts

This makes the AIO submit path holds an extra reference until just
before returning.  This fixes the referencing a free kiocb. 

Without this patch the kernel will oops if the AIO completes early.
parent eba29972
...@@ -376,6 +376,11 @@ void __put_ioctx(struct kioctx *ctx) ...@@ -376,6 +376,11 @@ void __put_ioctx(struct kioctx *ctx)
* Allocate a slot for an aio request. Increments the users count * Allocate a slot for an aio request. Increments the users count
* of the kioctx so that the kioctx stays around until all requests are * of the kioctx so that the kioctx stays around until all requests are
* complete. Returns NULL if no requests are free. * complete. Returns NULL if no requests are free.
*
* Returns with kiocb->users set to 2. The io submit code path holds
* an extra reference while submitting the i/o.
* This prevents races between the aio code path referencing the
* req (after submitting it) and aio_complete() freeing the req.
*/ */
static struct kiocb *FASTCALL(__aio_get_req(struct kioctx *ctx)); static struct kiocb *FASTCALL(__aio_get_req(struct kioctx *ctx));
static struct kiocb *__aio_get_req(struct kioctx *ctx) static struct kiocb *__aio_get_req(struct kioctx *ctx)
...@@ -389,7 +394,7 @@ static struct kiocb *__aio_get_req(struct kioctx *ctx) ...@@ -389,7 +394,7 @@ static struct kiocb *__aio_get_req(struct kioctx *ctx)
return NULL; return NULL;
req->ki_flags = 1 << KIF_LOCKED; req->ki_flags = 1 << KIF_LOCKED;
req->ki_users = 1; req->ki_users = 2;
req->ki_key = 0; req->ki_key = 0;
req->ki_ctx = ctx; req->ki_ctx = ctx;
req->ki_cancel = NULL; req->ki_cancel = NULL;
...@@ -1009,7 +1014,7 @@ int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, ...@@ -1009,7 +1014,7 @@ int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
if (unlikely(!file)) if (unlikely(!file))
return -EBADF; return -EBADF;
req = aio_get_req(ctx); req = aio_get_req(ctx); /* returns with 2 references to req */
if (unlikely(!req)) { if (unlikely(!req)) {
fput(file); fput(file);
return -EAGAIN; return -EAGAIN;
...@@ -1069,13 +1074,15 @@ int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb, ...@@ -1069,13 +1074,15 @@ int io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
ret = -EINVAL; ret = -EINVAL;
} }
aio_put_req(req); /* drop extra ref to req */
if (likely(-EIOCBQUEUED == ret)) if (likely(-EIOCBQUEUED == ret))
return 0; return 0;
aio_complete(req, ret, 0); aio_complete(req, ret, 0); /* will drop i/o ref to req */
return 0; return 0;
out_put_req: out_put_req:
aio_put_req(req); aio_put_req(req); /* drop extra ref to req */
aio_put_req(req); /* drop i/o ref to req */
return ret; return ret;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment