[PATCH] bug in sys_io_setup

From: Jerzy Szczepkowski <js189202@zodiac.mimuw.edu.pl> There is a bug in sys_io_setup(). If ioctx_alloc() succeeds and put_user() fails io_destroy() is called. io_destroy() assumes that ioctx->users >= 2 (if context is alive) and calls put_ioctx twice, while in this sequence ioctx->users == 1. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>

[PATCH] bug in sys_io_setup
From: Jerzy Szczepkowski <js189202@zodiac.mimuw.edu.pl> There is a bug in sys_io_setup(). If ioctx_alloc() succeeds and put_user() fails io_destroy() is called. io_destroy() assumes that ioctx->users >= 2 (if context is alive) and calls put_ioctx twice, while in this sequence ioctx->users == 1. Signed-off-by: Andrew Morton <akpm@osdl.org> Signed-off-by: Linus Torvalds <torvalds@osdl.org>
2ba1bdcc · Andrew Morton · Linus Torvalds · 306ad72c · 2ba1bdcc
Commit 2ba1bdcc authored Jun 02, 2004 by Andrew Morton Committed by Linus Torvalds Jun 02, 2004
Hide whitespace changes
Inline Side-by-side

Showing with 1 addition and 0 deletions

fs/aio.c fs/aio.c +1 -0

No files found.
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -954,6 +954,7 @@ asmlinkage long sys_io_setup(unsigned nr_events, aio_context_t __user *ctxp)
 		ret = put_user(ioctx->user_id, ctxp);
 		if (!ret)
 			return 0;
+	 	get_ioctx(ioctx);
 		io_destroy(ioctx);
 	}