Re: [PATCH resubmit 2/3] AIO: Fix reference counting in io_cancel and aio_cancel_all

From: Сергей Темерханов
Date: Tue Mar 16 2010 - 12:30:13 EST


On Tuesday 16 March 2010 17:46:10 Jeff Moyer wrote:
> Sergey Temerkhanov <temerkhanov@xxxxxxxxxxx> writes:
> > io_cancel() and aio_cancel_all() have inconsistent reference counting
> > (ki_users field of struct kiocb) which leads to unkillable processes upon
> > io_cancel() or io_destroy() syscalls. This patch fixes the undesired
> > behavior.
>
> Hi, Sergey,
>
> Thanks for the patch. Would you mind resubmitting it to make it a bit
> easier to review? The way you've done things, it is difficult to tell
> if you just moved the aio_cancel_all function or if you moved it and
> made changes. Please have the patch that moves it separated out from
> other changes, or at least mention in the changelog that the function
> was unchanged. Next, if you could tell what sorts of testing you've
> performed, that would be great. Finally, it would be a good idea to CC
> linux-aio@xxxxxxxxx on aio patches.
>
> Thanks!
> Jeff
>

This patch fixes reference counting in io_cancel() and aio_cancel_all()

Regards, Sergey Temerkhanov, Cifronic ZAO
diff -r 74c172a99cdb fs/aio.c
--- a/fs/aio.c Tue Mar 16 18:55:59 2010 +0300
+++ b/fs/aio.c Tue Mar 16 19:08:49 2010 +0300
@@ -1035,7 +1035,9 @@
spin_unlock_irq(&ctx->ctx_lock);
cancel(iocb, &res);
spin_lock_irq(&ctx->ctx_lock);
+ __aio_put_req(req);
}
+ __aio_put_req(req);
}
spin_unlock_irq(&ctx->ctx_lock);
}
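Review bot: both added calls are `__aio_put_req(req)`, but the only request pointer visible in this hunk is `iocb` in `cancel(iocb, &res)`. If `req` is not declared in this function the patch will not build, and the puts should name `iocb`. Separately, when `cancel` is set, both puts run in the same loop iteration, so two references are dropped per request. The changelog should state which reference each put pairs with. An unmatched put on this path would free the kiocb while it may still be in use, which is worse than the leak being fixed. A short comment above the unconditional put naming the reference it releases would make this reviewable.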
@@ -1789,9 +1791,11 @@
if (copy_to_user(result, &tmp, sizeof(tmp)))
ret = -EFAULT;
}
+ aio_put_req(req);
} else
ret = -EINVAL;

+ aio_put_req(req);
put_ioctx(ctx);

return ret;
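Review bot: the second `aio_put_req(req)`, placed after the `else ret = -EINVAL;` branch, runs unconditionally, so it also executes on the -EINVAL path. Nothing in this hunk shows that `req` is non-NULL and holds a reference when that branch is taken. Either guard the call or move it inside the branch where the reference is known to be held. On the success path the request is put twice (once before `} else` and once before `put_ioctx(ctx)`), and the changelog should spell out which two gets these balance. Jeff's request for a description of the testing performed is still open, and a reproducer for the unkillable-process case would help confirm that the counts balance on every path.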