aio: fix use-after-free in aio_migratepage - linux - Linux Kernel (branches are rebased on master from time to time)

diff options

author	Benjamin LaHaise <bcrl@kvack.org>	2013-09-26 20:34:51 -0400
committer	Benjamin LaHaise <bcrl@kvack.org>	2013-09-26 20:34:51 -0400
commit	5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f (patch)
tree	ea2f75c681f4891152e22eb43f45c1c2489e0375 /fs/jffs2/build.c
parent	4b97280675f45c1650ee4e388bd711ecbb18c4b4 (diff)
download	linux-5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f.tar.bz2

aio: fix use-after-free in aio_migratepage

Dmitry Vyukov managed to trigger a case where aio_migratepage can cause a use-after-free during teardown of the aio ring buffer's mapping. This turns out to be caused by access to the ioctx's ring_pages via the migratepage operation which was not being protected by any locks during ioctx freeing. Use the address_space's private_lock to protect use and updates of the mapping's private_data, and make ioctx teardown unlink the ioctx from the address space. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>

Diffstat (limited to 'fs/jffs2/build.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: