commit 69e4747ee9727d660b88d7e1efe0f4afcb35db1b
Author: Gleb Natapov <gleb>
Date:   Sun Jan 8 17:07:28 2012 +0200

    Unused iocbs in a batch should not be accounted as active.
    
    Since commit 080d676de095 ("aio: allocate kiocbs in batches") iocbs are
    allocated in a batch during processing of first iocbs.  All iocbs in a
    batch are automatically added to ctx->active_reqs list and accounted in
    ctx->reqs_active.
    
    If one (not the last one) of iocbs submitted by an user fails, further
    iocbs are not processed, but they are still present in ctx->active_reqs
    and accounted in ctx->reqs_active.  This causes process to stuck in a D
    state in wait_for_all_aios() on exit since ctx->reqs_active will never
    go down to zero.  Furthermore since kiocb_batch_free() frees iocb
    without removing it from active_reqs list the list become corrupted
    which may cause oops.
    
    Fix this by removing iocb from ctx->active_reqs and updating
    ctx->reqs_active in kiocb_batch_free().
    
    Signed-off-by: Gleb Natapov <gleb>
    Reviewed-by: Jeff Moyer <jmoyer>
    Cc: stable   # 3.2
    Signed-off-by: Linus Torvalds <torvalds>

Statement:
Not vulnerable. This issue did not affected the Linux kernel as shipped with Red Hat Enterprise Linux 4, 5, 6, and Red Hat Enterprise MRG as they did not backport the upstream commit 080d676d that introduced this issue.