Commit 7137c6bd455234bcb7560fd829e6ee49cae5fed6

Authored by Jan Kara
Committed by Linus Torvalds
1 parent 3bd9a5d734

aio: fix race between io_destroy() and io_submit()

A race can occur when io_submit() races with io_destroy():

 CPU1						CPU2
io_submit()
  do_io_submit()
    ...
    ctx = lookup_ioctx(ctx_id);
						io_destroy()
    Now do_io_submit() holds the last reference to ctx.
    ...
    queue new AIO
    put_ioctx(ctx) - frees ctx with active AIOs

We solve this issue by checking whether ctx is being destroyed in AIO
submission path after adding new AIO to ctx.  Then we are guaranteed that
either io_destroy() waits for new AIO or we see that ctx is being
destroyed and bail out.

Cc: Nick Piggin <npiggin@kernel.dk>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 17 additions and 0 deletions Side-by-side Diff

... ... @@ -1642,6 +1642,23 @@
1642 1642 goto out_put_req;
1643 1643  
1644 1644 spin_lock_irq(&ctx->ctx_lock);
  1645 + /*
  1646 + * We could have raced with io_destroy() and are currently holding a
  1647 + * reference to ctx which should be destroyed. We cannot submit IO
  1648 + * since ctx gets freed as soon as io_submit() puts its reference. The
  1649 + * check here is reliable: io_destroy() sets ctx->dead before waiting
  1650 + * for outstanding IO and the barrier between these two is realized by
  1651 + * unlock of mm->ioctx_lock and lock of ctx->ctx_lock. Analogously we
  1652 + * increment ctx->reqs_active before checking for ctx->dead and the
  1653 + * barrier is realized by unlock and lock of ctx->ctx_lock. Thus if we
  1654 + * don't see ctx->dead set here, io_destroy() waits for our IO to
  1655 + * finish.
  1656 + */
  1657 + if (ctx->dead) {
  1658 + spin_unlock_irq(&ctx->ctx_lock);
  1659 + ret = -EINVAL;
  1660 + goto out_put_req;
  1661 + }
1645 1662 aio_run_iocb(req);
1646 1663 if (!list_empty(&ctx->run_list)) {
1647 1664 /* drain the run list */