Revision 86b62a2cb4fc09037bbce2959d2992962396fd7f authored by Al Viro on 07 March 2012, 05:16:35 UTC, committed by Linus Torvalds on 10 March 2012, 02:59:59 UTC
Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 86e0600
File | Mode | Size |
---|---|---|
apparmor | ||
integrity | ||
keys | ||
selinux | ||
smack | ||
tomoyo | ||
Kconfig | -rw-r--r-- | 7.9 KB |
Makefile | -rw-r--r-- | 941 bytes |
capability.c | -rw-r--r-- | 23.2 KB |
commoncap.c | -rw-r--r-- | 27.1 KB |
device_cgroup.c | -rw-r--r-- | 11.5 KB |
inode.c | -rw-r--r-- | 6.7 KB |
lsm_audit.c | -rw-r--r-- | 9.0 KB |
min_addr.c | -rw-r--r-- | 1.3 KB |
security.c | -rw-r--r-- | 33.1 KB |
![swh spinner](/static/img/swh-spinner.gif)
Computing file changes ...