From mboxrd@z Thu Jan 1 00:00:00 1970 From: Jeff Moyer Subject: Re: [patch] fs: aio fix rcu lookup Date: Mon, 17 Jan 2011 14:07:41 -0500 Message-ID: References: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: QUOTED-PRINTABLE Cc: Andrew Morton , linux-fsdevel , linux-kernel@vger.kernel.org To: Nick Piggin Return-path: In-Reply-To: (Nick Piggin's message of "Sat, 15 Jan 2011 02:00:25 +1100") Sender: linux-kernel-owner@vger.kernel.org List-Id: linux-fsdevel.vger.kernel.org Nick Piggin writes: > On Sat, Jan 15, 2011 at 1:52 AM, Jeff Moyer wrote= : >> Nick Piggin writes: >> >>> Hi, >>> >>> While hunting down a bug in NFS's AIO, I believe I found this >>> buggy code... >>> >>> fs: aio fix rcu ioctx lookup >>> >>> aio-dio-invalidate-failure GPFs in aio_put_req from io_submit. >>> >>> lookup_ioctx doesn't implement the rcu lookup pattern properly. >>> rcu_read_lock does not prevent refcount going to zero, so we >>> might take a refcount on a zero count ioctx. >> >> So, does this patch fix the problem? =C2=A0You didn't actually say..= =2E. > > No, it seemd to be an NFS AIO problem, although it was a > slightly older kernel so I'll re test after -rc1 if I haven't heard > back about it. OK. > Do you agree with the theoretical problem? I didn't try to > write a racer to break it yet. Inserting a delay before the > get_ioctx might do the trick. I'm not convinced, no. The last reference to the kioctx is always the process, released in the exit_aio path, or via sys_io_destroy. In both cases, we cancel all aios, then wait for them all to complete before dropping the final reference to the context. So, while I agree that what you wrote is better, I remain unconvinced o= f it solving a real-world problem. Feel free to push it in as a cleanup, though. Cheers, Jeff