aio: report error from io_destroy() when threads race in io_destroy()
authorBenjamin LaHaise <bcrl@kvack.org>
Tue, 29 Apr 2014 16:45:17 +0000 (12:45 -0400)
committerBenjamin LaHaise <bcrl@kvack.org>
Tue, 29 Apr 2014 16:45:17 +0000 (12:45 -0400)
As reported by Anatol Pomozov, io_destroy() fails to report an error when
it loses the race to destroy a given ioctx.  Since there is a difference in
behaviour between the thread that wins the race (which blocks on outstanding
io requests) versus lthe thread that loses (which returns immediately), wire
up a return code from kill_ioctx() to the io_destroy() syscall.

Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: Anatol Pomozov <anatol.pomozov@gmail.com>
fs/aio.c

index 908006e8c7ff2933484d251c0fa5e07b655d6003..044c1c86decc139a71b6e7fc7cdc54242beefbc6 100644 (file)
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -727,7 +727,7 @@ err:
  *     when the processes owning a context have all exited to encourage
  *     the rapid destruction of the kioctx.
  */
-static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
+static int kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
                struct completion *requests_done)
 {
        if (!atomic_xchg(&ctx->dead, 1)) {
@@ -759,10 +759,10 @@ static void kill_ioctx(struct mm_struct *mm, struct kioctx *ctx,
 
                ctx->requests_done = requests_done;
                percpu_ref_kill(&ctx->users);
-       } else {
-               if (requests_done)
-                       complete(requests_done);
+               return 0;
        }
+
+       return -EINVAL;
 }
 
 /* wait_on_sync_kiocb:
@@ -1219,21 +1219,23 @@ SYSCALL_DEFINE1(io_destroy, aio_context_t, ctx)
        if (likely(NULL != ioctx)) {
                struct completion requests_done =
                        COMPLETION_INITIALIZER_ONSTACK(requests_done);
+               int ret;
 
                /* Pass requests_done to kill_ioctx() where it can be set
                 * in a thread-safe way. If we try to set it here then we have
                 * a race condition if two io_destroy() called simultaneously.
                 */
-               kill_ioctx(current->mm, ioctx, &requests_done);
+               ret = kill_ioctx(current->mm, ioctx, &requests_done);
                percpu_ref_put(&ioctx->users);
 
                /* Wait until all IO for the context are done. Otherwise kernel
                 * keep using user-space buffers even if user thinks the context
                 * is destroyed.
                 */
-               wait_for_completion(&requests_done);
+               if (!ret)
+                       wait_for_completion(&requests_done);
 
-               return 0;
+               return ret;
        }
        pr_debug("EINVAL: io_destroy: invalid context id\n");
        return -EINVAL;