Commit 65c24491b4fef017c64e39ec64384fde5e05e0a0

Authored by Jeff Moyer
Committed by Linus Torvalds
1 parent 87c3a86e1c

aio: lookup_ioctx can return the wrong value when looking up a bogus context

The libaio test harness turned up a problem whereby lookup_ioctx on a
bogus io context was returning the 1 valid io context from the list
(harness/cases/3.p).

Because of that, an extra put_iocontext was done, and when the process
exited, it hit a BUG_ON in the put_iocontext macro called from exit_aio
(since we expect a users count of 1 and instead get 0).

The problem was introduced by "aio: make the lookup_ioctx() lockless"
(commit abf137dd7712132ee56d5b3143c2ff61a72a5faa).

Thanks to Zach for pointing out that hlist_for_each_entry_rcu will not
return with a NULL tpos at the end of the loop, even if the entry was
not found.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Zach Brown <zach.brown@oracle.com>
Acked-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
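
The cursor behaviour the commit message credits Zach with spotting, as an added userspace model that is not code from the kernel tree: the loop macro below has the same shape as hlist_for_each_entry() (the RCU dereference is omitted), and `struct kioctx`, `get_ioctx()`, `lookup_ioctx_buggy()`, `lookup_ioctx_fixed()` and the one-entry sample list are simplified stand-ins constructed for the example. It shows that after an unsuccessful walk the entry cursor still points at the last entry visited, so the pre-fix function returns an entry it never took a reference on, while the fixed version returns NULL.

```c
/* Added example (not from the kernel tree): userspace model of the
 * hlist_for_each_entry() cursor semantics behind this fix. All names
 * here are simplified stand-ins for the kernel's. */
#include <stddef.h>
#include <stdbool.h>

struct hlist_node { struct hlist_node *next; };
struct hlist_head { struct hlist_node *first; };

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

/* Same shape as the kernel macro (minus rcu_dereference): the loop ends
 * when the node cursor `pos` becomes NULL, but the entry cursor `tpos`
 * is only assigned while `pos` is non-NULL, so after an unsuccessful
 * walk it still points at the LAST entry visited, not at NULL. */
#define hlist_for_each_entry(tpos, pos, head, member)                          \
    for (pos = (head)->first;                                                   \
         pos && (tpos = container_of(pos, __typeof__(*tpos), member), 1);       \
         pos = pos->next)

struct kioctx {
    unsigned long user_id;
    bool dead;
    int users;                 /* stand-in for the refcount get_ioctx() bumps */
    struct hlist_node list;
};

static void get_ioctx(struct kioctx *ctx) { ctx->users++; }

/* Pre-fix logic: returns the loop cursor itself. */
static struct kioctx *lookup_ioctx_buggy(struct hlist_head *h, unsigned long id)
{
    struct kioctx *ctx = NULL;
    struct hlist_node *n;

    hlist_for_each_entry(ctx, n, h, list) {
        if (ctx->user_id == id && !ctx->dead) {
            get_ioctx(ctx);
            break;
        }
    }
    return ctx;           /* non-NULL even when nothing matched */
}

/* Fixed logic: only a matched, referenced entry is returned. */
static struct kioctx *lookup_ioctx_fixed(struct hlist_head *h, unsigned long id)
{
    struct kioctx *ctx, *ret = NULL;
    struct hlist_node *n;

    hlist_for_each_entry(ctx, n, h, list) {
        if (ctx->user_id == id && !ctx->dead) {
            get_ioctx(ctx);
            ret = ctx;
            break;
        }
    }
    return ret;
}

/* Constructed sample data: one live context, as in the harness case. */
static struct kioctx sample_ctx = { .user_id = 0x1000, .dead = false, .users = 1 };
static struct hlist_head sample_list;

static void build_sample_list(void)
{
    sample_ctx.list.next = NULL;
    sample_list.first = &sample_ctx.list;
    sample_ctx.users = 1;
}

/* 1 if the buggy lookup hands back the live entry for a bogus id without
 * having taken a reference on it (the imbalance a later put would hit). */
static int buggy_returns_unreferenced_entry(void)
{
    build_sample_list();
    struct kioctx *c = lookup_ioctx_buggy(&sample_list, 0xdead);
    return c == &sample_ctx && c->users == 1;
}

static int fixed_returns_null_for_bogus_id(void)
{
    build_sample_list();
    return lookup_ioctx_fixed(&sample_list, 0xdead) == NULL && sample_ctx.users == 1;
}

static int fixed_returns_referenced_entry_for_valid_id(void)
{
    build_sample_list();
    struct kioctx *c = lookup_ioctx_fixed(&sample_list, 0x1000);
    return c == &sample_ctx && c->users == 2;
}

int main(void)
{
    return (buggy_returns_unreferenced_entry() &&
            fixed_returns_null_for_bogus_id() &&
            fixed_returns_referenced_entry_for_valid_id()) ? 0 : 1;
}
```

The practical check this gives a reviewer: any function that returns the entry cursor of a list-walk macro directly needs either a separate result variable (as the fix does) or an explicit "found" flag, because the cursor is not reset to NULL on fall-through.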

Showing 1 changed file with 3 additions and 2 deletions

... ... @@ -587,7 +587,7 @@
587 587 static struct kioctx *lookup_ioctx(unsigned long ctx_id)
588 588 {
589 589 struct mm_struct *mm = current->mm;
590   - struct kioctx *ctx = NULL;
  590 + struct kioctx *ctx, *ret = NULL;
591 591 struct hlist_node *n;
592 592  
593 593 rcu_read_lock();
594 594  
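Review bot: at `- struct kioctx *ctx = NULL;` / `+ struct kioctx *ctx, *ret = NULL;` splitting the loop cursor from the return value is the right fix, since `ctx` is overwritten by the iteration macro on every step and so cannot signal "not found". Dropping the NULL initializer on `ctx` is safe because it is only read inside the loop body after the macro assigns it, but a one-line comment on `ret` (referenced context on success, NULL otherwise) would spare the next reader from re-deriving why two variables are needed.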
... ... @@ -595,12 +595,13 @@
595 595 hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
596 596 if (ctx->user_id == ctx_id && !ctx->dead) {
597 597 get_ioctx(ctx);
  598 + ret = ctx;
598 599 break;
599 600 }
600 601 }
601 602  
602 603 rcu_read_unlock();
603   - return ctx;
  604 + return ret;
604 605 }
605 606  
606 607 /*
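Review bot: placing `+ ret = ctx;` immediately after `get_ioctx(ctx);` and before `break;` ties the returned pointer to the reference that was taken, so `return ret;` after `rcu_read_unlock()` hands the caller either NULL or a context whose user count the caller owns; that is exactly the invariant the put path relies on. The unsuccessful-walk case now falls through with `ret` still NULL regardless of what the macro left in `ctx`, which is the bug described in the message. No further change needed in this hunk.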