diff options
author | Al Viro <viro@ZenIV.linux.org.uk> | 2012-03-08 12:51:19 -0500 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-03-09 21:59:59 -0500 |
commit | c7b285550544c22bc005ec20978472c9ac7138c6 (patch) | |
tree | 2115cba489066af001312bf93d9f07321e25bf12 | |
parent | 86b62a2cb4fc09037bbce2959d2992962396fd7f (diff) |
aio: fix the "too late munmap()" race
Current code has put_ioctx() called asynchronously from aio_fput_routine();
that's done *after* we have killed the request that used to pin ioctx,
so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
from progressing. As the result, we can end up with async call of
put_ioctx() being the last one and possibly happening during exit_mmap()
or elf_core_dump(), neither of which expects stray munmap() being done
to them...
We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
with that, but that's all we care about - neither io_destroy() nor
exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
does really_put_req(), so the ioctx teardown won't be done until then
and we don't care about the contents of ioctx past that point.
Since actual freeing of these suckers is RCU-delayed, we don't need to
bump ioctx refcount when request goes into list for async removal.
All we need is rcu_read_lock held just over the ->ctx_lock-protected
area in aio_fput_routine().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
-rw-r--r-- | fs/aio.c | 14 |
1 files changed, 6 insertions, 8 deletions
@@ -228,12 +228,6 @@ static void __put_ioctx(struct kioctx *ctx) | |||
228 | call_rcu(&ctx->rcu_head, ctx_rcu_free); | 228 | call_rcu(&ctx->rcu_head, ctx_rcu_free); |
229 | } | 229 | } |
230 | 230 | ||
231 | static inline void get_ioctx(struct kioctx *kioctx) | ||
232 | { | ||
233 | BUG_ON(atomic_read(&kioctx->users) <= 0); | ||
234 | atomic_inc(&kioctx->users); | ||
235 | } | ||
236 | |||
237 | static inline int try_get_ioctx(struct kioctx *kioctx) | 231 | static inline int try_get_ioctx(struct kioctx *kioctx) |
238 | { | 232 | { |
239 | return atomic_inc_not_zero(&kioctx->users); | 233 | return atomic_inc_not_zero(&kioctx->users); |
@@ -609,11 +603,16 @@ static void aio_fput_routine(struct work_struct *data) | |||
609 | fput(req->ki_filp); | 603 | fput(req->ki_filp); |
610 | 604 | ||
611 | /* Link the iocb into the context's free list */ | 605 | /* Link the iocb into the context's free list */ |
606 | rcu_read_lock(); | ||
612 | spin_lock_irq(&ctx->ctx_lock); | 607 | spin_lock_irq(&ctx->ctx_lock); |
613 | really_put_req(ctx, req); | 608 | really_put_req(ctx, req); |
609 | /* | ||
610 | * at that point ctx might've been killed, but actual | ||
611 | * freeing is RCU'd | ||
612 | */ | ||
614 | spin_unlock_irq(&ctx->ctx_lock); | 613 | spin_unlock_irq(&ctx->ctx_lock); |
614 | rcu_read_unlock(); | ||
615 | 615 | ||
616 | put_ioctx(ctx); | ||
617 | spin_lock_irq(&fput_lock); | 616 | spin_lock_irq(&fput_lock); |
618 | } | 617 | } |
619 | spin_unlock_irq(&fput_lock); | 618 | spin_unlock_irq(&fput_lock); |
@@ -644,7 +643,6 @@ static int __aio_put_req(struct kioctx *ctx, struct kiocb *req) | |||
644 | * this function will be executed w/out any aio kthread wakeup. | 643 | * this function will be executed w/out any aio kthread wakeup. |
645 | */ | 644 | */ |
646 | if (unlikely(!fput_atomic(req->ki_filp))) { | 645 | if (unlikely(!fput_atomic(req->ki_filp))) { |
647 | get_ioctx(ctx); | ||
648 | spin_lock(&fput_lock); | 646 | spin_lock(&fput_lock); |
649 | list_add(&req->ki_list, &fput_head); | 647 | list_add(&req->ki_list, &fput_head); |
650 | spin_unlock(&fput_lock); | 648 | spin_unlock(&fput_lock); |