Commit f1ebdeff authored by Miklos Szeredi's avatar Miklos Szeredi

fuse: fix leak of fuse_io_priv

exit_aio() is sometimes stuck in wait_for_completion() after aio is issued
with direct IO and the task receives a signal.

The reason is failure to call ->ki_complete() due to a leaked reference to
fuse_io_priv.  This happens in fuse_async_req_send() if
fuse_simple_background() returns an error (e.g. -EINTR).

In this case the error value is propagated via io->err, so return success
to not confuse callers.

This issue is tracked as a virtio-fs issue:
https://gitlab.com/virtio-fs/qemu/issues/14Reported-by: default avatarMasayoshi Mizuma <m.mizuma@jp.fujitsu.com>
Fixes: 45ac96ed ("fuse: convert direct_io to simple api")
Cc: <stable@vger.kernel.org> # v5.4
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
parent 724c15a4
...@@ -713,8 +713,10 @@ static ssize_t fuse_async_req_send(struct fuse_conn *fc, ...@@ -713,8 +713,10 @@ static ssize_t fuse_async_req_send(struct fuse_conn *fc,
ia->ap.args.end = fuse_aio_complete_req; ia->ap.args.end = fuse_aio_complete_req;
err = fuse_simple_background(fc, &ia->ap.args, GFP_KERNEL); err = fuse_simple_background(fc, &ia->ap.args, GFP_KERNEL);
if (err)
fuse_aio_complete_req(fc, &ia->ap.args, err);
return err ?: num_bytes; return num_bytes;
} }
static ssize_t fuse_send_read(struct fuse_io_args *ia, loff_t pos, size_t count, static ssize_t fuse_send_read(struct fuse_io_args *ia, loff_t pos, size_t count,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment