aboutsummaryrefslogtreecommitdiffstats
path: root/include
diff options
context:
space:
mode:
authorZach Brown <zach.brown@oracle.com>2005-09-30 14:58:55 -0400
committerLinus Torvalds <torvalds@g5.osdl.org>2005-09-30 15:41:17 -0400
commit897f15fb587fd2772b9e7ff6ec0265057f3c3975 (patch)
treed975ce5f131b8f42915cf264122cd265661651e0 /include
parent998765e5588b197737d457e16f72832d8036190f (diff)
[PATCH] aio: remove unlocked task_list test and resulting race
Only one of the run or kick path is supposed to put an iocb on the run list. If both of them do it than one of them can end up referencing a freed iocb. The kick path could delete the task_list item from the wait queue before getting the ctx_lock and putting the iocb on the run list. The run path was testing the task_list item outside the lock so that it could catch ki_retry methods that return -EIOCBRETRY *without* putting the iocb on a wait queue and promising to call kick_iocb. This unlocked check could then race with the kick path to cause both to try and put the iocb on the run list. The patch stops the run path from testing task_list by requring that any ki_retry that returns -EIOCBRETRY *must* guarantee that kick_iocb() will be called in the future. aio_p{read,write}, the only in-tree -EIOCBRETRY users, are updated. Signed-off-by: Zach Brown <zach.brown@oracle.com> Signed-off-by: Benjamin LaHaise <bcrl@linux.intel.com> Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
Diffstat (limited to 'include')
-rw-r--r--include/linux/aio.h34
1 files changed, 34 insertions, 0 deletions
diff --git a/include/linux/aio.h b/include/linux/aio.h
index a4d5af907f90..60def658b246 100644
--- a/include/linux/aio.h
+++ b/include/linux/aio.h
@@ -43,6 +43,40 @@ struct kioctx;
43#define kiocbIsKicked(iocb) test_bit(KIF_KICKED, &(iocb)->ki_flags) 43#define kiocbIsKicked(iocb) test_bit(KIF_KICKED, &(iocb)->ki_flags)
44#define kiocbIsCancelled(iocb) test_bit(KIF_CANCELLED, &(iocb)->ki_flags) 44#define kiocbIsCancelled(iocb) test_bit(KIF_CANCELLED, &(iocb)->ki_flags)
45 45
46/* is there a better place to document function pointer methods? */
47/**
48 * ki_retry - iocb forward progress callback
49 * @kiocb: The kiocb struct to advance by performing an operation.
50 *
51 * This callback is called when the AIO core wants a given AIO operation
52 * to make forward progress. The kiocb argument describes the operation
53 * that is to be performed. As the operation proceeds, perhaps partially,
54 * ki_retry is expected to update the kiocb with progress made. Typically
55 * ki_retry is set in the AIO core and it itself calls file_operations
56 * helpers.
57 *
58 * ki_retry's return value determines when the AIO operation is completed
59 * and an event is generated in the AIO event ring. Except the special
60 * return values described below, the value that is returned from ki_retry
61 * is transferred directly into the completion ring as the operation's
62 * resulting status. Once this has happened ki_retry *MUST NOT* reference
63 * the kiocb pointer again.
64 *
65 * If ki_retry returns -EIOCBQUEUED it has made a promise that aio_complete()
66 * will be called on the kiocb pointer in the future. The AIO core will
67 * not ask the method again -- ki_retry must ensure forward progress.
68 * aio_complete() must be called once and only once in the future, multiple
69 * calls may result in undefined behaviour.
70 *
71 * If ki_retry returns -EIOCBRETRY it has made a promise that kick_iocb()
72 * will be called on the kiocb pointer in the future. This may happen
73 * through generic helpers that associate kiocb->ki_wait with a wait
74 * queue head that ki_retry uses via current->io_wait. It can also happen
75 * with custom tracking and manual calls to kick_iocb(), though that is
76 * discouraged. In either case, kick_iocb() must be called once and only
77 * once. ki_retry must ensure forward progress, the AIO core will wait
78 * indefinitely for kick_iocb() to be called.
79 */
46struct kiocb { 80struct kiocb {
47 struct list_head ki_run_list; 81 struct list_head ki_run_list;
48 long ki_flags; 82 long ki_flags;