Git Repo - linux.git/commitdiff
fuse: fix leak of fuse_io_priv
author Miklos Szeredi <[email protected]>
Mon, 25 Nov 2019 19:48:46 +0000 (20:48 +0100)
committer Miklos Szeredi <[email protected]>
Wed, 27 Nov 2019 08:33:49 +0000 (09:33 +0100)
exit_aio() is sometimes stuck in wait_for_completion() after aio is issued
with direct IO and the task receives a signal.

The reason is failure to call ->ki_complete() due to a leaked reference to
fuse_io_priv.  This happens in fuse_async_req_send() if
fuse_simple_background() returns an error (e.g. -EINTR).

In this case the error value is propagated via io->err, so return success
to not confuse callers.

This issue is tracked as a virtio-fs issue:
https://gitlab.com/virtio-fs/qemu/issues/14

Reported-by: Masayoshi Mizuma <[email protected]>
Fixes: 45ac96ed7c36 ("fuse: convert direct_io to simple api")
Cc: <[email protected]> # v5.4
Signed-off-by: Miklos Szeredi <[email protected]>
fs/fuse/file.c

index 795d0f24d8b424319803891c739865c9d8782470..a63d779eac10409b6e44a00c70ed7bf8d6acb832 100644 (file)
@@ -713,8 +713,10 @@ static ssize_t fuse_async_req_send(struct fuse_conn *fc,
 
        ia->ap.args.end = fuse_aio_complete_req;
        err = fuse_simple_background(fc, &ia->ap.args, GFP_KERNEL);
+       if (err)
+               fuse_aio_complete_req(fc, &ia->ap.args, err);
 
-       return err ?: num_bytes;
+       return num_bytes;
 }
 
 static ssize_t fuse_send_read(struct fuse_io_args *ia, loff_t pos, size_t count,
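Review bot: The unconditional `return num_bytes;` at the end of fuse_async_req_send() is not self-explanatory, since a failed fuse_simple_background() now looks like a successful submit to anyone reading only this function. A short comment above the new `if (err)` branch, saying that the error reaches the caller through io->err when fuse_aio_complete_req() runs and that the return value is deliberately left as success, would keep a later cleanup from restoring `err ?: num_bytes` and reintroducing the leaked fuse_io_priv reference. It would also help to state in the commit message or the comment that fuse_simple_background() never invokes args.end itself when it returns an error, because `ia->ap.args.end` is set to the same fuse_aio_complete_req just above and a second invocation would complete the request twice.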