Revision 86b62a2cb4fc09037bbce2959d2992962396fd7f authored by Al Viro on 07 March 2012, 05:16:35 UTC, committed by Linus Torvalds on 10 March 2012, 02:59:59 UTC
Have ioctx_alloc() return an extra reference, so that caller would drop it on success and not bother with re-grabbing it on failure exit. The current code is obviously broken - io_destroy() from another thread that managed to guess the address io_setup() would've returned would free ioctx right under us; gets especially interesting if aio_context_t * we pass to io_setup() points to PROT_READ mapping, so put_user() fails and we end up doing io_destroy() on kioctx another thread has just got freed... Signed-off-by: Al Viro <viro@zeniv.linux.org.uk> Acked-by: Benjamin LaHaise <bcrl@kvack.org> Reviewed-by: Jeff Moyer <jmoyer@redhat.com> Cc: stable@vger.kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
1 parent 86e0600
| File | Mode | Size |
|---|---|---|
| apparmor | ||
| integrity | ||
| keys | ||
| selinux | ||
| smack | ||
| tomoyo | ||
| Kconfig | -rw-r--r-- | 7.9 KB |
| Makefile | -rw-r--r-- | 941 bytes |
| capability.c | -rw-r--r-- | 23.2 KB |
| commoncap.c | -rw-r--r-- | 27.1 KB |
| device_cgroup.c | -rw-r--r-- | 11.5 KB |
| inode.c | -rw-r--r-- | 6.7 KB |
| lsm_audit.c | -rw-r--r-- | 9.0 KB |
| min_addr.c | -rw-r--r-- | 1.3 KB |
| security.c | -rw-r--r-- | 33.1 KB |
Computing file changes ...
