Google Git
Sign in
android / kernel / common / 5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f
commit5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f[log] [tgz]
authorBenjamin LaHaise <[email protected]>Thu Sep 26 20:34:51 2013 -0400
committerBenjamin LaHaise <[email protected]>Thu Sep 26 20:34:51 2013 -0400
treeea2f75c681f4891152e22eb43f45c1c2489e0375
parent4b97280675f45c1650ee4e388bd711ecbb18c4b4 [diff]
aio: fix use-after-free in aio_migratepage

Dmitry Vyukov managed to trigger a case where aio_migratepage can cause a
use-after-free during teardown of the aio ring buffer's mapping.  This turns
out to be caused by access to the ioctx's ring_pages via the migratepage
operation which was not being protected by any locks during ioctx freeing.
Use the address_space's private_lock to protect use and updates of the mapping's
private_data, and make ioctx teardown unlink the ioctx from the address space.

Reported-by: Dmitry Vyukov <[email protected]>
Tested-by: Dmitry Vyukov <[email protected]>
Signed-off-by: Benjamin LaHaise <[email protected]>
1 file changed
tree: ea2f75c681f4891152e22eb43f45c1c2489e0375
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS