Bugzilla: 1112975
Upstream-status: 3.16 and CC'd to stable
From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
From: Benjamin LaHaise <bcrl@kvack.org>
Date: Tue, 24 Jun 2014 13:12:55 -0400
Subject: [PATCH] aio: fix aio request leak when events are reaped by userspace
The aio cleanups and optimizations by kmo that were merged into the 3.10
tree added a regression for userspace event reaping. Specifically, the
reference counts are not decremented if the event is reaped in userspace,
leading to the application being unable to submit further aio requests.
This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
This issue was uncovered as part of CVE-2014-0206.
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Cc: stable@vger.kernel.org
Cc: Kent Overstreet <kmo@daterainc.com>
Cc: Mateusz Guzik <mguzik@redhat.com>
Cc: Petr Matousek <pmatouse@redhat.com>
---
fs/aio.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/fs/aio.c b/fs/aio.c
index 4f078c054b41..6a9c7e489adf 100644
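--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
 
 /* everything turned out well, dispose of the aiocb. */
 kiocb_free(iocb);
+ put_reqs_available(ctx, 1);
 
 /*
 * We have to order our ring_info tail store above and test
@@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
 flush_dcache_page(ctx->ring_pages[0]);
 
 pr_debug("%li h%u t%u\n", ret, head, tail);
-
- put_reqs_available(ctx, ret);
 out:
 mutex_unlock(&ctx->ring_lock);
 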
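Review bot: In the first hunk, `put_reqs_available(ctx, 1)` now returns a request slot as soon as `aio_complete()` finishes, while the matching call in `aio_read_events_ring()` is removed, so slot accounting no longer depends on the event having been consumed from the ring. Nothing visible in either hunk bounds the number of completed-but-unreaped events, so it is worth confirming that new submissions cannot outpace reaping and overwrite ring entries; that check presumably lives outside these hunks. The new call also uses `ctx` after `kiocb_free(iocb)`, which is safe only if `ctx` was read from the iocb earlier in the function, and that line is not shown. A short comment above the added line would record the intent, for example `/* slot is returned at completion, not at reap time, so userspace ring reaping cannot leak it */`. Both function bodies start and end outside the hunks.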
--
1.9.3