Skip to content

Commit b53119f

Browse files
torvaldsAl Viro
torvalds
authored and
Al Viro
committed
pin iocb through aio.
aio_poll() is not the only case that needs file pinned; worse, while aio_read()/aio_write() can live without pinning iocb itself, the proof is rather brittle and can easily break on later changes. Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1 parent 9e98c67 commit b53119f

File tree

1 file changed

+21
-16
lines changed

1 file changed

+21
-16
lines changed

fs/aio.c

Lines changed: 21 additions & 16 deletions
Original file line numberDiff line numberDiff line change
@@ -1022,6 +1022,9 @@ static bool get_reqs_available(struct kioctx *ctx)
10221022
/* aio_get_req
10231023
* Allocate a slot for an aio request.
10241024
* Returns NULL if no requests are free.
1025+
*
1026+
* The refcount is initialized to 2 - one for the async op completion,
1027+
* one for the synchronous code that does this.
10251028
*/
10261029
static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
10271030
{
@@ -1034,7 +1037,7 @@ static inline struct aio_kiocb *aio_get_req(struct kioctx *ctx)
10341037
percpu_ref_get(&ctx->reqs);
10351038
req->ki_ctx = ctx;
10361039
INIT_LIST_HEAD(&req->ki_list);
1037-
refcount_set(&req->ki_refcnt, 0);
1040+
refcount_set(&req->ki_refcnt, 2);
10381041
req->ki_eventfd = NULL;
10391042
return req;
10401043
}
@@ -1067,15 +1070,18 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
10671070
return ret;
10681071
}
10691072

1073+
static inline void iocb_destroy(struct aio_kiocb *iocb)
1074+
{
1075+
if (iocb->ki_filp)
1076+
fput(iocb->ki_filp);
1077+
percpu_ref_put(&iocb->ki_ctx->reqs);
1078+
kmem_cache_free(kiocb_cachep, iocb);
1079+
}
1080+
10701081
static inline void iocb_put(struct aio_kiocb *iocb)
10711082
{
1072-
if (refcount_read(&iocb->ki_refcnt) == 0 ||
1073-
refcount_dec_and_test(&iocb->ki_refcnt)) {
1074-
if (iocb->ki_filp)
1075-
fput(iocb->ki_filp);
1076-
percpu_ref_put(&iocb->ki_ctx->reqs);
1077-
kmem_cache_free(kiocb_cachep, iocb);
1078-
}
1083+
if (refcount_dec_and_test(&iocb->ki_refcnt))
1084+
iocb_destroy(iocb);
10791085
}
10801086

10811087
static void aio_fill_event(struct io_event *ev, struct aio_kiocb *iocb,
@@ -1749,9 +1755,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
17491755
INIT_LIST_HEAD(&req->wait.entry);
17501756
init_waitqueue_func_entry(&req->wait, aio_poll_wake);
17511757

1752-
/* one for removal from waitqueue, one for this function */
1753-
refcount_set(&aiocb->ki_refcnt, 2);
1754-
17551758
mask = vfs_poll(req->file, &apt.pt) & req->events;
17561759
if (unlikely(!req->head)) {
17571760
/* we did not manage to set up a waitqueue, done */
@@ -1782,7 +1785,6 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb)
17821785

17831786
if (mask)
17841787
aio_poll_complete(aiocb, mask);
1785-
iocb_put(aiocb);
17861788
return 0;
17871789
}
17881790

@@ -1873,18 +1875,21 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb,
18731875
break;
18741876
}
18751877

1878+
/* Done with the synchronous reference */
1879+
iocb_put(req);
1880+
18761881
/*
18771882
* If ret is 0, we'd either done aio_complete() ourselves or have
18781883
* arranged for that to be done asynchronously. Anything non-zero
18791884
* means that we need to destroy req ourselves.
18801885
*/
1881-
if (ret)
1882-
goto out_put_req;
1883-
return 0;
1886+
if (!ret)
1887+
return 0;
1888+
18841889
out_put_req:
18851890
if (req->ki_eventfd)
18861891
eventfd_ctx_put(req->ki_eventfd);
1887-
iocb_put(req);
1892+
iocb_destroy(req);
18881893
out_put_reqs_available:
18891894
put_reqs_available(ctx, 1);
18901895
return ret;

0 commit comments

Comments
 (0)