Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit fb2d4483 authored by Benjamin LaHaise's avatar Benjamin LaHaise
Browse files

aio: report error from io_destroy() when threads race in io_destroy() 



As reported by Anatol Pomozov, io_destroy() fails to report an error when
it loses the race to destroy a given ioctx.  Since there is a difference in
behaviour between the thread that wins the race (which blocks on outstanding
io requests) versus lthe thread that loses (which returns immediately), wire
up a return code from kill_ioctx() to the io_destroy() syscall.

Signed-off-by: default avatarBenjamin LaHaise <bcrl@kvack.org>
Cc: Anatol Pomozov <anatol.pomozov@gmail.com>
parent d52a8f9e

fs/aio.c

+9 −7
Original line number Diff line number Diff line
@@ -727,7 +727,7 @@ static struct kioctx *ioctx_alloc(unsigned nr_events) 
 *	when the processes owning a context have all exited to encourage

 *	the rapid destruction of the kioctx.

 */

static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,

static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,

		struct completion *requests_done)

{

	if (!atomic_xchg(&ctx->dead, 1)) {
@@ -759,10 +759,10 @@ static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx, 


		ctx->requests_done = requests_done;

		percpu_ref_kill(&ctx->users);

	} else {

		if (requests_done)

			complete(requests_done);

		return 0;

	}



	return -EINVAL;

}



/* wait_on_sync_kiocb:
@@ -1219,21 +1219,23 @@ SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx) 
	if (likely(NULL != ioctx)) {

		struct completion requests_done =

			COMPLETION_INITIALIZER_ONSTACK(requests_done);

		int ret;



		/* Pass requests_done to kill_ioctx() where it can be set

		 * in a thread-safe way. If we try to set it here then we have

		 * a race condition if two io_destroy() called simultaneously.

		 */

		kill_ioctx(current->mm, ioctx, &requests_done);

		ret = kill_ioctx(current->mm, ioctx, &requests_done);

		percpu_ref_put(&ioctx->users);



		/* Wait until all IO for the context are done. Otherwise kernel

		 * keep using user-space buffers even if user thinks the context

		 * is destroyed.

		 */

		if (!ret)

			wait_for_completion(&requests_done);



		return 0;

		return ret;

	}

	pr_debug("EINVAL: io_destroy: invalid context id\n");

	return -EINVAL;