aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLinus Torvalds <torvalds@linux-foundation.org>2014-05-01 11:54:03 -0400
committerLinus Torvalds <torvalds@linux-foundation.org>2014-05-01 11:54:03 -0400
commit98794f932138c81bfaa609fda21ddd7e97227abd (patch)
tree8d98bdfec881e25d15728cba5873b9f50ca0b5e6
parent8aa9e85adac609588eeec356e5a85059b3b819ba (diff)
parent754320d6e166d3a12cb4810a452bde00afbd4e9a (diff)
Merge git://git.kvack.org/~bcrl/aio-fixes
Pull aio fixes from Ben LaHaise: "The first change from Anatol fixes a regression where io_destroy() no longer waits for outstanding aios to complete. The second corrects a memory leak in an error path for vectored aio operations. Both of these bug fixes should be queued up for stable as well" * git://git.kvack.org/~bcrl/aio-fixes: aio: fix potential leak in aio_run_iocb(). aio: block io_destroy() until all context requests are completed
-rw-r--r--fs/aio.c42
1 files changed, 34 insertions, 8 deletions
diff --git a/fs/aio.c b/fs/aio.c
index 12a3de0ee6da..a0ed6c7d2cd2 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -112,6 +112,11 @@ struct kioctx {
112 112
113 struct work_struct free_work; 113 struct work_struct free_work;
114 114
115 /*
116 * signals when all in-flight requests are done
117 */
118 struct completion *requests_done;
119
115 struct { 120 struct {
116 /* 121 /*
117 * This counts the number of available slots in the ringbuffer, 122 * This counts the number of available slots in the ringbuffer,
@@ -508,6 +513,10 @@ static void free_ioctx_reqs(struct percpu_ref *ref)
508{ 513{
509 struct kioctx *ctx = container_of(ref, struct kioctx, reqs); 514 struct kioctx *ctx = container_of(ref, struct kioctx, reqs);
510 515
516 /* At this point we know that there are no any in-flight requests */
517 if (ctx->requests_done)
518 complete(ctx->requests_done);
519
511 INIT_WORK(&ctx->free_work, free_ioctx); 520 INIT_WORK(&ctx->free_work, free_ioctx);
512 schedule_work(&ctx->free_work); 521 schedule_work(&ctx->free_work);
513} 522}
@@ -718,7 +727,8 @@ err:
718 * when the processes owning a context have all exited to encourage 727 * when the processes owning a context have all exited to encourage
719 * the rapid destruction of the kioctx. 728 * the rapid destruction of the kioctx.
720 */ 729 */
721static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx) 730static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
731 struct completion *requests_done)
722{ 732{
723 if (!atomic_xchg(&ctx->dead, 1)) { 733 if (!atomic_xchg(&ctx->dead, 1)) {
724 struct kioctx_table *table; 734 struct kioctx_table *table;
@@ -747,7 +757,11 @@ static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx)
747 if (ctx->mmap_size) 757 if (ctx->mmap_size)
748 vm_munmap(ctx->mmap_base, ctx->mmap_size); 758 vm_munmap(ctx->mmap_base, ctx->mmap_size);
749 759
760 ctx->requests_done = requests_done;
750 percpu_ref_kill(&ctx->users); 761 percpu_ref_kill(&ctx->users);
762 } else {
763 if (requests_done)
764 complete(requests_done);
751 } 765 }
752} 766}
753 767
@@ -809,7 +823,7 @@ void exit_aio(struct mm_struct *mm)
809 */ 823 */
810 ctx->mmap_size = 0; 824 ctx->mmap_size = 0;
811 825
812 kill_ioctx(mm, ctx); 826 kill_ioctx(mm, ctx, NULL);
813 } 827 }
814} 828}
815 829
@@ -1185,7 +1199,7 @@ SYSCALL_DEFINE2(io_setup, unsigned, nr_events, aio_context_t __user *, ctxp)
1185 if (!IS_ERR(ioctx)) { 1199 if (!IS_ERR(ioctx)) {
1186 ret = put_user(ioctx->user_id, ctxp); 1200 ret = put_user(ioctx->user_id, ctxp);
1187 if (ret) 1201 if (ret)
1188 kill_ioctx(current->mm, ioctx); 1202 kill_ioctx(current->mm, ioctx, NULL);
1189 percpu_ref_put(&ioctx->users); 1203 percpu_ref_put(&ioctx->users);
1190 } 1204 }
1191 1205
@@ -1203,8 +1217,22 @@ SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
1203{ 1217{
1204 struct kioctx *ioctx = lookup_ioctx(ctx); 1218 struct kioctx *ioctx = lookup_ioctx(ctx);
1205 if (likely(NULL != ioctx)) { 1219 if (likely(NULL != ioctx)) {
1206 kill_ioctx(current->mm, ioctx); 1220 struct completion requests_done =
1221 COMPLETION_INITIALIZER_ONSTACK(requests_done);
1222
1223 /* Pass requests_done to kill_ioctx() where it can be set
1224 * in a thread-safe way. If we try to set it here then we have
1225 * a race condition if two io_destroy() called simultaneously.
1226 */
1227 kill_ioctx(current->mm, ioctx, &requests_done);
1207 percpu_ref_put(&ioctx->users); 1228 percpu_ref_put(&ioctx->users);
1229
1230 /* Wait until all IO for the context are done. Otherwise kernel
1231 * keep using user-space buffers even if user thinks the context
1232 * is destroyed.
1233 */
1234 wait_for_completion(&requests_done);
1235
1208 return 0; 1236 return 0;
1209 } 1237 }
1210 pr_debug("EINVAL: io_destroy: invalid context id\n"); 1238 pr_debug("EINVAL: io_destroy: invalid context id\n");
@@ -1299,10 +1327,8 @@ rw_common:
1299 &iovec, compat) 1327 &iovec, compat)
1300 : aio_setup_single_vector(req, rw, buf, &nr_segs, 1328 : aio_setup_single_vector(req, rw, buf, &nr_segs,
1301 iovec); 1329 iovec);
1302 if (ret) 1330 if (!ret)
1303 return ret; 1331 ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
1304
1305 ret = rw_verify_area(rw, file, &req->ki_pos, req->ki_nbytes);
1306 if (ret < 0) { 1332 if (ret < 0) {
1307 if (iovec != &inline_vec) 1333 if (iovec != &inline_vec)
1308 kfree(iovec); 1334 kfree(iovec);