Commit 65c24491b4fef017c64e39ec64384fde5e05e0a0
Committed by: Linus Torvalds
Parent: 87c3a86e1c
Exists in: master and 20 other branches
aio: lookup_ioctx can return the wrong value when looking up a bogus context
The libaio test harness turned up a problem whereby lookup_ioctx on a bogus io context was returning the 1 valid io context from the list (harness/cases/3.p). Because of that, an extra put_iocontext was done, and when the process exited, it hit a BUG_ON in the put_iocontext macro called from exit_aio (since we expect a users count of 1 and instead get 0). The problem was introduced by "aio: make the lookup_ioctx() lockless" (commit abf137dd7712132ee56d5b3143c2ff61a72a5faa).

Thanks to Zach for pointing out that hlist_for_each_entry_rcu will not return with a NULL tpos at the end of the loop, even if the entry was not found.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Zach Brown <zach.brown@oracle.com>
Acked-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

Showing 1 changed file with 3 additions and 2 deletions
fs/aio.c
... | ... | @@ -587,7 +587,7 @@ |
587 | 587 | static struct kioctx *lookup_ioctx(unsigned long ctx_id) |
588 | 588 | { |
589 | 589 | struct mm_struct *mm = current->mm; |
590 | - struct kioctx *ctx = NULL; | |
590 | + struct kioctx *ctx, *ret = NULL; | |
591 | 591 | struct hlist_node *n; |
592 | 592 | |
593 | 593 | rcu_read_lock(); |
594 | 594 | |
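Review bot: Splitting the loop cursor from the return value is the right fix here, because hlist_for_each_entry_rcu leaves `ctx` pointing at the last entry it visited rather than NULL when the loop runs to completion without a match, so `ctx` itself can never safely double as the "not found" signal. Since `ret` exists only for that reason and a later cleanup could easily fold it back into `ctx`, I would add a one-line comment on `struct kioctx *ctx, *ret = NULL;` stating that `ctx` is the list cursor and must not be returned directly.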
... | ... | @@ -595,12 +595,13 @@ |
595 | 595 | hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) { |
596 | 596 | if (ctx->user_id == ctx_id && !ctx->dead) { |
597 | 597 | get_ioctx(ctx); |
598 | + ret = ctx; | |
598 | 599 | break; |
599 | 600 | } |
600 | 601 | } |
601 | 602 | |
602 | 603 | rcu_read_unlock(); |
603 | - return ctx; | |
604 | + return ret; | |
604 | 605 | } |
605 | 606 | |
606 | 607 | /* |
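Review bot: With `ret = ctx;` placed directly after `get_ioctx(ctx);` inside the match branch, the only way to return a non-NULL pointer is now through the path that took a reference, which restores the get/put pairing the commit message describes (the stray `ctx` that was previously returned for a bogus ctx_id carried no reference, so the caller's put underflowed the users count and tripped the BUG_ON in exit_aio). Keep the two statements adjacent and unconditional so that no future early exit between them can leak or drop the reference, and note that every caller of lookup_ioctx must still treat a NULL return as "not found" and skip its put.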