The patch titled aio: lookup_ioctx can return the wrong value when looking up a bogus context has been removed from the -mm tree. Its filename was aio-lookup_ioctx-can-return-the-wrong-value-when-looking-up-a-bogus-context.patch This patch was dropped because it was merged into mainline or a subsystem tree The current -mm tree may be found at http://userweb.kernel.org/~akpm/mmotm/ ------------------------------------------------------ Subject: aio: lookup_ioctx can return the wrong value when looking up a bogus context From: Jeff Moyer <jmoyer@xxxxxxxxxx> The libaio test harness turned up a problem whereby lookup_ioctx on a bogus io context was returning the 1 valid io context from the list (harness/cases/3.p). Because of that, an extra put_iocontext was done, and when the process exited, it hit a BUG_ON in the put_iocontext macro called from exit_aio (since we expect a users count of 1 and instead get 0). The problem was introduced by: commit abf137dd7712132ee56d5b3143c2ff61a72a5faa aio: make the lookup_ioctx() lockless Thanks to Zach for pointing out that hlist_for_each_entry_rcu will not return with a NULL tpos at the end of the loop, even if the entry was not found. Signed-off-by: Jeff Moyer <jmoyer@xxxxxxxxxx> Acked-by: Zach Brown <zach.brown@xxxxxxxxxx> Acked-by: Jens Axboe <jens.axboe@xxxxxxxxxx> Cc: Benjamin LaHaise <bcrl@xxxxxxxxx> Cc: <stable@xxxxxxxxxx> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx> --- fs/aio.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff -puN fs/aio.c~aio-lookup_ioctx-can-return-the-wrong-value-when-looking-up-a-bogus-context fs/aio.c --- a/fs/aio.c~aio-lookup_ioctx-can-return-the-wrong-value-when-looking-up-a-bogus-context +++ a/fs/aio.c @@ -587,7 +587,7 @@ int aio_put_req(struct kiocb *req) static struct kioctx *lookup_ioctx(unsigned long ctx_id) { struct mm_struct *mm = current->mm; - struct kioctx *ctx = NULL; + struct kioctx *ctx, *ret = NULL; struct hlist_node *n; rcu_read_lock(); 
@@ -595,12 +595,13 @@ static struct kioctx *lookup_ioctx(unsig hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) { if (ctx->user_id == ctx_id && !ctx->dead) { get_ioctx(ctx); + ret = ctx; break; } } rcu_read_unlock(); - return ctx; + return ret; } /* _ Patches currently in -mm which might be from jmoyer@xxxxxxxxxx are autofs4-cleanup-expire-code-duplication.patch
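Review bot: in the first hunk, the declaration `struct kioctx *ctx, *ret = NULL;` initialises only `ret`, and `ctx` is left for hlist_for_each_entry_rcu to assign. That is correct, but with both on one line it is easy to read both as starting out NULL. Consider declaring `struct kioctx *ret = NULL;` on its own line, so the variable that carries the function's result is visibly the one that defaults to NULL.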
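Review bot: in the second hunk, nothing in the loop says why the cursor `ctx` must not be returned, which is exactly the mistake being fixed. A short comment above `ret = ctx;` noting that hlist_for_each_entry_rcu does not leave the cursor NULL when no entry matches would keep a later cleanup from folding `ret` back into `ctx`. Because a miss has to reach the caller as NULL for the reference counts to stay balanced, the same comment could state that `ret` is set only on the path that has already called `get_ioctx(ctx)`.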