aio: Fix a null pointer deref in batch_complete_aio

The batch completion code was trying to be a bit too clever, and skip checking ctx where it couldn't be NULL - but that broke if a kiocb had been cancelled. Move the check to kioctx_ring_unlock(). Signed-off-by: Kent Overstreet <koverstreet@google.com> Reported-by: Valdis Kletnieks <Valdis.Kletnieks@vt.edu> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
author: Kent Overstreet <koverstreet@google.com> 2013-03-02 15:25:55 +1100
committer: Stephen Rothwell <sfr@canb.auug.org.au> 2013-03-07 14:27:30 +1100
commit: a252b0f599715794fbee7e163abc2745065a20fc (patch)
tree: 4b16d029539460f1ca60a71d7c66d85c455a2f71 /fs
parent: f0e26ee490d741c9eb30d80917fc6ef87e52f49d (diff)
1 files changed, 4 insertions, 2 deletions
diff --git a/fs/aio.c b/fs/aio.c
index f183a8529f2a..2fc65e712aaa 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -680,6 +680,9 @@ static inline void kioctx_ring_unlock(struct kioctx *ctx, unsigned tail)
 {
 	struct aio_ring *ring;
 
+	if (!ctx)
+		return;
+
 	smp_wmb();
 	/* make event visible before updating tail */
 
@@ -757,8 +760,7 @@ void batch_complete_aio(struct batch_complete *batch)
 		}
 
 		if (unlikely(req->ki_ctx != ctx)) {
-			if (ctx)
-				kioctx_ring_unlock(ctx, tail);
+			kioctx_ring_unlock(ctx, tail);
 
 			ctx = req->ki_ctx;
 			tail = kioctx_ring_lock(ctx);
author	Kent Overstreet <koverstreet@google.com>	2013-03-02 15:25:55 +1100
committer	Stephen Rothwell <sfr@canb.auug.org.au>	2013-03-07 14:27:30 +1100
commit	a252b0f599715794fbee7e163abc2745065a20fc (patch)
tree	4b16d029539460f1ca60a71d7c66d85c455a2f71 /fs
parent	f0e26ee490d741c9eb30d80917fc6ef87e52f49d (diff)