From: Jerzy Szczepkowski <js189202@zodiac.mimuw.edu.pl>

There is a bug in sys_io_setup().

If ioctx_alloc() succeeds and put_user() fails, io_destroy() is called.
io_destroy() assumes that ioctx->users >= 2 (if context is alive) and calls
put_ioctx twice, while in this sequence ioctx->users == 1.

Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 25-akpm/fs/aio.c |    1 +
 1 files changed, 1 insertion(+)

diff -puN fs/aio.c~sys_io_setup-fix fs/aio.c
--- 25/fs/aio.c~sys_io_setup-fix	2004-06-03 00:44:19.948808656 -0700
+++ 25-akpm/fs/aio.c	2004-06-03 00:44:19.958807136 -0700
@@ -954,6 +954,7 @@ asmlinkage long sys_io_setup(unsigned nr
 		ret = put_user(ioctx->user_id, ctxp);
 		if (!ret)
 			return 0;
+	 	get_ioctx(ioctx);
 		io_destroy(ioctx);
 	}
 
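Review bot: the added get_ioctx(ioctx) call directly before io_destroy(ioctx) carries no comment saying why a reference is taken just before the context is torn down. The reason, that io_destroy() calls put_ioctx twice while ioctx->users == 1 on this put_user() failure path, is stated only in the changelog, so a later reader of fs/aio.c could take the call for a leak and remove it. A one-line comment above it, such as /* io_destroy() drops two references */, would keep the invariant next to the code. The new line is also indented with tab, space, tab; it should use tabs only, to match the neighbouring lines.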
_