aio: fix use-after-free in aio_migratepage - linux - Mirror of https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/

diff options

author	Benjamin LaHaise <bcrl@kvack.org>	2013-09-26 20:34:51 -0400
committer	Benjamin LaHaise <bcrl@kvack.org>	2013-09-26 20:34:51 -0400
commit	5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f (patch)
tree	ea2f75c681f4891152e22eb43f45c1c2489e0375 /tools/perf/util/scripting-engines/trace-event-python.c
parent	Merge tag 'stable/for-linus-3.12-rc2-tag' of git://git.kernel.org/pub/scm/lin... (diff)
download	linux-5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f.tar.gz linux-5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f.zip

aio: fix use-after-free in aio_migratepage

Dmitry Vyukov managed to trigger a case where aio_migratepage can cause a use-after-free during teardown of the aio ring buffer's mapping. This turns out to be caused by access to the ioctx's ring_pages via the migratepage operation which was not being protected by any locks during ioctx freeing. Use the address_space's private_lock to protect use and updates of the mapping's private_data, and make ioctx teardown unlink the ioctx from the address space. Reported-by: Dmitry Vyukov <dvyukov@google.com> Tested-by: Dmitry Vyukov <dvyukov@google.com> Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>

Diffstat (limited to 'tools/perf/util/scripting-engines/trace-event-python.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: