aio: fix rcu ioctx lookup

aio-dio-invalidate-failure GPFs in aio_put_req from io_submit. lookup_ioctx doesn't implement the rcu lookup pattern properly. rcu_read_lock does not prevent refcount going to zero, so we might take a refcount on a zero count ioctx. Fix the bug by atomically testing for zero refcount before incrementing. [jack@suse.cz: added comment into the code] Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Signed-off-by: Nick Piggin <npiggin@kernel.dk> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
author: Nick Piggin <npiggin@gmail.com> 2011-02-25 17:44:26 -0500
committer: Linus Torvalds <torvalds@linux-foundation.org> 2011-02-25 18:07:37 -0500
commit: 3bd9a5d734c7cc7533b27abf451416c7f50095a7 (patch)
tree: 357fc4ec95d7163cb96891151df51f6d7d130d0a /fs/aio.c
parent: 29723fccc837d20039078f7a571e8d457eb0d6c6 (diff)
1 files changed, 24 insertions, 11 deletions
diff --git a/fs/aio.c b/fs/aio.c
index fc557a3be0a9..b4dd668fbccc 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -239,15 +239,23 @@ static void __put_ioctx(struct kioctx *ctx)
        call_rcu(&ctx->rcu_head, ctx_rcu_free);
 }
-#define get_ioctx(kioctx) do {                                          \
+static inline void get_ioctx(struct kioctx *kioctx)
-        BUG_ON(atomic_read(&(kioctx)->users) <= 0);                     \
+{
-        atomic_inc(&(kioctx)->users);                                   \
+        BUG_ON(atomic_read(&kioctx->users) <= 0);
-} while (0)
+        atomic_inc(&kioctx->users);
-#define put_ioctx(kioctx) do {                                          \
+}
-        BUG_ON(atomic_read(&(kioctx)->users) <= 0);                     \
-        if (unlikely(atomic_dec_and_test(&(kioctx)->users)))            \
+static inline int try_get_ioctx(struct kioctx *kioctx)
-                __put_ioctx(kioctx);                                    \
+{
-} while (0)
+        return atomic_inc_not_zero(&kioctx->users);
+}
+static inline void put_ioctx(struct kioctx *kioctx)
+{
+        BUG_ON(atomic_read(&kioctx->users) <= 0);
+        if (unlikely(atomic_dec_and_test(&kioctx->users)))
+                __put_ioctx(kioctx);
+}
 /* ioctx_alloc
 *      Allocates and initializes an ioctx.  Returns an ERR_PTR if it failed.
@@ -601,8 +609,13 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
        rcu_read_lock();
        hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
-                if (ctx->user_id == ctx_id && !ctx->dead) {
+                /*
-                        get_ioctx(ctx);
+                 * RCU protects us against accessing freed memory but
+                 * we have to be careful not to get a reference when the
+                 * reference count already dropped to 0 (ctx->dead test
+                 * is unreliable because of races).
+                 */
+                if (ctx->user_id == ctx_id && !ctx->dead && try_get_ioctx(ctx)){
                        ret = ctx;
                        break;
                }
author	Nick Piggin <npiggin@gmail.com>	2011-02-25 17:44:26 -0500
committer	Linus Torvalds <torvalds@linux-foundation.org>	2011-02-25 18:07:37 -0500
commit	3bd9a5d734c7cc7533b27abf451416c7f50095a7 (patch)
tree	357fc4ec95d7163cb96891151df51f6d7d130d0a /fs/aio.c
parent	29723fccc837d20039078f7a571e8d457eb0d6c6 (diff)

diff --git a/fs/aio.c b/fs/aio.c index fc557a3be0a9..b4dd668fbccc 100644 --- a/fs/aio.c +++ b/fs/aio.c
@@ -239,15 +239,23 @@ static void __put_ioctx(struct kioctx *ctx)
239	call_rcu(&ctx->rcu_head, ctx_rcu_free);	239	call_rcu(&ctx->rcu_head, ctx_rcu_free);
240	}	240	}
241		241
242	#define get_ioctx(kioctx) do { \	242	static inline void get_ioctx(struct kioctx *kioctx)
243	BUG_ON(atomic_read(&(kioctx)->users) <= 0); \	243	{
244	atomic_inc(&(kioctx)->users); \	244	BUG_ON(atomic_read(&kioctx->users) <= 0);
245	} while (0)	245	atomic_inc(&kioctx->users);
246	#define put_ioctx(kioctx) do { \	246	}
247	BUG_ON(atomic_read(&(kioctx)->users) <= 0); \	247
248	if (unlikely(atomic_dec_and_test(&(kioctx)->users))) \	248	static inline int try_get_ioctx(struct kioctx *kioctx)
249	__put_ioctx(kioctx); \	249	{
250	} while (0)	250	return atomic_inc_not_zero(&kioctx->users);
		251	}
		252
		253	static inline void put_ioctx(struct kioctx *kioctx)
		254	{
		255	BUG_ON(atomic_read(&kioctx->users) <= 0);
		256	if (unlikely(atomic_dec_and_test(&kioctx->users)))
		257	__put_ioctx(kioctx);
		258	}
251		259
252	/* ioctx_alloc	260	/* ioctx_alloc
253	* Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.	261	* Allocates and initializes an ioctx. Returns an ERR_PTR if it failed.
@@ -601,8 +609,13 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
601	rcu_read_lock();	609	rcu_read_lock();
602		610
603	hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {	611	hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
604	if (ctx->user_id == ctx_id && !ctx->dead) {	612	/*
605	get_ioctx(ctx);	613	* RCU protects us against accessing freed memory but
		614	* we have to be careful not to get a reference when the
		615	* reference count already dropped to 0 (ctx->dead test
		616	* is unreliable because of races).
		617	*/
		618	if (ctx->user_id == ctx_id && !ctx->dead && try_get_ioctx(ctx)){
606	ret = ctx;	619	ret = ctx;
607	break;	620	break;
608	}	621	}