diff options
author | Al Viro <viro@ZenIV.linux.org.uk> | 2012-03-08 17:51:19 +0000 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2012-03-09 18:59:59 -0800 |
commit | c7b285550544c22bc005ec20978472c9ac7138c6 (patch) | |
tree | 2115cba489066af001312bf93d9f07321e25bf12 /fs/inode.c | |
parent | 86b62a2cb4fc09037bbce2959d2992962396fd7f (diff) | |
download | op-kernel-dev-c7b285550544c22bc005ec20978472c9ac7138c6.zip op-kernel-dev-c7b285550544c22bc005ec20978472c9ac7138c6.tar.gz |
aio: fix the "too late munmap()" race
Current code has put_ioctx() called asynchronously from aio_fput_routine();
that's done *after* we have killed the request that used to pin ioctx,
so there's nothing to stop io_destroy() waiting in wait_for_all_aios()
from progressing. As the result, we can end up with async call of
put_ioctx() being the last one and possibly happening during exit_mmap()
or elf_core_dump(), neither of which expects stray munmap() being done
to them...
We do need to prevent _freeing_ ioctx until aio_fput_routine() is done
with that, but that's all we care about - neither io_destroy() nor
exit_aio() will progress past wait_for_all_aios() until aio_fput_routine()
does really_put_req(), so the ioctx teardown won't be done until then
and we don't care about the contents of ioctx past that point.
Since actual freeing of these suckers is RCU-delayed, we don't need to
bump ioctx refcount when request goes into list for async removal.
All we need is rcu_read_lock held just over the ->ctx_lock-protected
area in aio_fput_routine().
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/inode.c')
0 files changed, 0 insertions, 0 deletions