[PATCH 2.6.0-test6-mm1] aio ref count in io_submit_one

From: Daniel McNeil
Date: Tue Sep 30 2003 - 18:24:35 EST

Next message: Peter Chubb: "Radeon framebuffer problems i 2.6.0-test6"
Previous message: Tom Rini: "Re: 2.6.0-test5 - stuck keys on iBook"
In reply to: Suparna Bhattacharya: "Re: slab corruption on AIO 2.6.0-test5-mm4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Andrew and Suparna,

Here is a patch to hold an extra reference count on the AIO request iocb
while it is being submitted and then drop it ref before returning.
This prevents the race I was seeing with AIO O_DIRECT tests on ext3
where the aio_complete() was freeing the iocb while it was still
be referenced by the AIO submit code path. I've run this on my
2-proc box with CONFIG_DEBUG_PAGEALLOC on and I no longer hit
the oops. The other option is to change the AIO code to never
reference the iocb after it has been submitted, but that seems more
error prone. This patch is a very small change. I am surprised we have
not seen this race before.

Thoughts?

Daniel

--- linux-2.6.0-test6-mm1/fs/aio.c 2003-09-30 14:47:51.000000000 -0700
+++ linux-2.6.0-test6-mm1.aio/fs/aio.c 2003-09-30 16:03:08.702783397 -0700
@@ -1490,7 +1490,14 @@ int io_submit_one(struct kioctx *ctx, st
goto out_put_req;

spin_lock_irq(&ctx->ctx_lock);
+ /*
+ * Hold an extra reference while submitting the i/o.
+ * This prevents races between the aio code path referencing the
+ * req (after submitting it) and aio_complete() freeing the req.
+ */
+ req->ki_users++; /* grab extra reference */
ret = aio_run_iocb(req);
+ (void)__aio_put_req(ctx, req); /* drop the extra reference */
spin_unlock_irq(&ctx->ctx_lock);

if (-EIOCBRETRY == ret)

Next message: Peter Chubb: "Radeon framebuffer problems i 2.6.0-test6"
Previous message: Tom Rini: "Re: 2.6.0-test5 - stuck keys on iBook"
In reply to: Suparna Bhattacharya: "Re: slab corruption on AIO 2.6.0-test5-mm4"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]