author | Jeff Moyer <jmoyer@redhat.com> | 2009-03-18 20:04:21 -0400 |
---|---|---|
committer | Linus Torvalds <torvalds@linux-foundation.org> | 2009-03-19 18:57:18 -0400 |
commit | 65c24491b4fef017c64e39ec64384fde5e05e0a0 (patch) | |
tree | 3afa5c9eace50837f3c31238102358cf67b8a1ff /fs/aio.c | |
parent | 87c3a86e1c220121d0ced59d1a71e78ed9abc6dd (diff) |
aio: lookup_ioctx can return the wrong value when looking up a bogus context
The libaio test harness turned up a problem whereby lookup_ioctx on a
bogus io context was returning the 1 valid io context from the list
(harness/cases/3.p).
Because of that, an extra put_iocontext was done, and when the process
exited, it hit a BUG_ON in the put_iocontext macro called from exit_aio
(since we expect a users count of 1 and instead get 0).
The problem was introduced by "aio: make the lookup_ioctx() lockless"
(commit abf137dd7712132ee56d5b3143c2ff61a72a5faa).
Thanks to Zach for pointing out that hlist_for_each_entry_rcu will not
return with a NULL tpos at the end of the loop, even if the entry was
not found.
Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
Acked-by: Zach Brown <zach.brown@oracle.com>
Acked-by: Jens Axboe <jens.axboe@oracle.com>
Cc: Benjamin LaHaise <bcrl@kvack.org>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Diffstat (limited to 'fs/aio.c')
-rw-r--r-- | fs/aio.c | 5 |
1 files changed, 3 insertions, 2 deletions
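--- a/fs/aio.c
+++ b/fs/aio.c
@@ -587,7 +587,7 @@ int aio_put_req(struct kiocb *req)
 static struct kioctx *lookup_ioctx(unsigned long ctx_id)
 {
 struct mm_struct *mm = current->mm;
-struct kioctx *ctx = NULL;
+struct kioctx *ctx, *ret = NULL;
 struct hlist_node *n;
 
 rcu_read_lock();
@@ -595,12 +595,13 @@ static struct kioctx *lookup_ioctx(unsigned long ctx_id)
 hlist_for_each_entry_rcu(ctx, n, &mm->ioctx_list, list) {
 if (ctx->user_id == ctx_id && !ctx->dead) {
 get_ioctx(ctx);
+ret = ctx;
 break;
 }
 }
 
 rcu_read_unlock();
-return ctx;
+return ret;
 }
 
 /*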
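Review bot: The `get_ioctx(ctx)` call in the second hunk takes its reference under `rcu_read_lock()` only, after an unlocked `!ctx->dead` test, so nothing visible here stops the context from being marked dead and dropping its last user between the test and the increment. get_ioctx is defined outside this hunk; if it is a plain increment, the lookup could return a context that is already being torn down, so it is worth checking against the teardown path and, if that holds, using an increment that fails once the count has reached zero. Separately, the reason for `ret` is easy to lose: a comment above the loop such as `/* ctx is only the cursor; it is not NULL after a full walk, so a match is returned via ret */` would keep a later cleanup from reintroducing `return ctx;`.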