Commit c81fc59b authored by Al Viro's avatar Al Viro Committed by Sasha Levin

gadgetfs: use-after-free in ->aio_read()

[ Upstream commit f01d35a1 ]

AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
we are going to access it asynchronously, we'd better get ourselves
a copy - the one on kernel stack of aio_run_iocb() won't be there
anymore.  function/f_fs.c take care of doing that, legacy/inode.c
doesn't...

Cc: stable@vger.kernel.org
Signed-off-by: default avatarAl Viro <viro@zeniv.linux.org.uk>
Signed-off-by: default avatarSasha Levin <sasha.levin@oracle.com>
parent c7fd1867
......@@ -565,7 +565,6 @@ static ssize_t ep_copy_to_user(struct kiocb_priv *priv)
if (total == 0)
break;
}
return len;
}
......@@ -584,6 +583,7 @@ static void ep_user_copy_worker(struct work_struct *work)
aio_complete(iocb, ret, ret);
kfree(priv->buf);
kfree(priv->iv);
kfree(priv);
}
......@@ -604,6 +604,7 @@ static void ep_aio_complete(struct usb_ep *ep, struct usb_request *req)
*/
if (priv->iv == NULL || unlikely(req->actual == 0)) {
kfree(req->buf);
kfree(priv->iv);
kfree(priv);
iocb->private = NULL;
/* aio_complete() reports bytes-transferred _and_ faults */
......@@ -639,7 +640,7 @@ ep_aio_rwtail(
struct usb_request *req;
ssize_t value;
priv = kmalloc(sizeof *priv, GFP_KERNEL);
priv = kzalloc(sizeof *priv, GFP_KERNEL);
if (!priv) {
value = -ENOMEM;
fail:
......@@ -648,7 +649,14 @@ ep_aio_rwtail(
}
iocb->private = priv;
priv->iocb = iocb;
priv->iv = iv;
if (iv) {
priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
GFP_KERNEL);
if (!priv->iv) {
kfree(priv);
goto fail;
}
}
priv->nr_segs = nr_segs;
INIT_WORK(&priv->work, ep_user_copy_worker);
......@@ -688,6 +696,7 @@ ep_aio_rwtail(
mutex_unlock(&epdata->lock);
if (unlikely(value)) {
kfree(priv->iv);
kfree(priv);
put_ep(epdata);
} else
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment