From: Benjamin LaHaise Date: Tue, 24 Jun 2014 17:12:55 +0000 (-0400) Subject: aio: fix aio request leak when events are reaped by userspace X-Git-Tag: v5.15~17709^2~1 X-Git-Url: https://git.proxmox.com/?a=commitdiff_plain;h=f8567a3845ac05bb28f3c1b478ef752762bd39ef;p=mirror_ubuntu-kernels.git aio: fix aio request leak when events are reaped by userspace The aio cleanups and optimizations by kmo that were merged into the 3.10 tree added a regression for userspace event reaping. Specifically, the reference counts are not decremented if the event is reaped in userspace, leading to the application being unable to submit further aio requests. This patch applies to 3.12+. A separate backport is required for 3.10/3.11. This issue was uncovered as part of CVE-2014-0206. Signed-off-by: Benjamin LaHaise Cc: stable@vger.kernel.org Cc: Kent Overstreet Cc: Mateusz Guzik Cc: Petr Matousek --- diff --git a/fs/aio.c b/fs/aio.c index 4f078c054b41..6a9c7e489adf 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2) /* everything turned out well, dispose of the aiocb. */ kiocb_free(iocb); + put_reqs_available(ctx, 1); /* * We have to order our ring_info tail store above and test @@ -1100,8 +1101,6 @@ static long aio_read_events_ring(struct kioctx *ctx, flush_dcache_page(ctx->ring_pages[0]); pr_debug("%li h%u t%u\n", ret, head, tail); - - put_reqs_available(ctx, ret); out: mutex_unlock(&ctx->ring_lock);