Merge git://git.kvack.org/~bcrl/aio-fixes

Pull aio fixes from Ben LaHaise: "These fix a kernel memory disclosure issue (arbitrary kmap() & copy_to_user()) revealed in CVE-2014-0206 by changes that were introduced in v3.10" * git://git.kvack.org/~bcrl/aio-fixes: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 aio: fix aio request leak when events are reaped by userspace
2014-06-24 14:00:13 -07:00 · 2014-06-24 14:00:13 -07:00 · 10b5b5361a
--- a/fs/aio.c
+++ b/fs/aio.c
@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)

 	/* everything turned out well, dispose of the aiocb. */
 	kiocb_free(iocb);
+	put_reqs_available(ctx, 1);

 	/*
 	 * We have to order our ring_info tail store above and test
@ -1062,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	if (head == tail)
 		goto out;

+	head %= ctx->nr_events;
+	tail %= ctx->nr_events;
+
 	while (ret < nr) {
 		long avail;
 		struct io_event *ev;
@ -1100,8 +1104,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	flush_dcache_page(ctx->ring_pages[0]);

 	pr_debug("%li  h%u t%u\n", ret, head, tail);
-
-	put_reqs_available(ctx, ret);
 out:
 	mutex_unlock(&ctx->ring_lock);