Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 10b5b536 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge git://git.kvack.org/~bcrl/aio-fixes 

Pull aio fixes from Ben LaHaise:
 "These fix a kernel memory disclosure issue (arbitrary kmap() &
  copy_to_user()) revealed in CVE-2014-0206 by changes that were
  introduced in v3.10"

* git://git.kvack.org/~bcrl/aio-fixes:
  aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
  aio: fix aio request leak when events are reaped by userspace
parents b4b664be edfbbf38

fs/aio.c

+4 −2
Original line number Diff line number Diff line
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2) 


	/* everything turned out well, dispose of the aiocb. */

	kiocb_free(iocb);

	put_reqs_available(ctx, 1);



	/*

	 * We have to order our ring_info tail store above and test
@@ -1062,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx, 
	if (head == tail)

		goto out;



	head %= ctx->nr_events;

	tail %= ctx->nr_events;



	while (ret < nr) {

		long avail;

		struct io_event *ev;
@@ -1100,8 +1104,6 @@ static long aio_read_events_ring(struct kioctx *ctx, 
	flush_dcache_page(ctx->ring_pages[0]);



	pr_debug("%li  h%u t%u\n", ret, head, tail);



	put_reqs_available(ctx, ret);

out:

	mutex_unlock(&ctx->ring_lock);