aio: lookup_ioctx can return the wrong value when looking up a bogus context

The libaio test harness turned up a problem whereby lookup_ioctx on a
bogus io context was returning the 1 valid io context from the list
(harness/cases/3.p).

Because of that, an extra put_iocontext was done, and when the process
exited, it hit a BUG_ON in the put_iocontext macro called from exit_aio
(since we expect a users count of 1 and instead get 0).

The problem was introduced by "aio: make the lookup_ioctx() lockless"
(commit abf137dd7712132ee56d5b3143c2ff61a72a5faa).

Thanks to Zach for pointing out that hlist_for_each_entry_rcu will not
return with a NULL tpos at the end of the loop, even if the entry was
not found.

Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Zach Brown <zach.brown@oracle.com>
Acked-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

1 files changed, 3 insertions, 2 deletions

diff --git a/fs/aio.c b/fs/aio.c
index 4a9d4d641fb..76da1253795 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -587,7 +587,7 @@ int aio_put_req(struct kiocb *req)
 static struct kioctx *lookup_ioctx(unsigned long ctx_id)
 {
         struct mm_struct *mm = current->mm;
-        struct kioctx *ctx = NULL;
+        struct kioctx *ctx, *ret = NULL;
         struct hlist_node *n;
 
         rcu_read_lock();
@@ -595,12 +595,13 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
         hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
                 if (ctx->user_id == ctx_id && !ctx->dead) {
                         get_ioctx(ctx);
+                        ret = ctx;
                         break;
                 }
         }
 
         rcu_read_unlock();
-        return ctx;
+        return ret;
 }
 
 /*