Merge git://git.kvack.org/~bcrl/aio-fixes

Pull aio fixes from Ben LaHaise: "These fix a kernel memory disclosure issue (arbitrary kmap() & copy_to_user()) revealed in CVE-2014-0206 by changes that were introduced in v3.10" * git://git.kvack.org/~bcrl/aio-fixes: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 aio: fix aio request leak when events are reaped by userspace

Merge git://git.kvack.org/~bcrl/aio-fixes
Pull aio fixes from Ben LaHaise: "These fix a kernel memory disclosure issue (arbitrary kmap() & copy_to_user()) revealed in CVE-2014-0206 by changes that were introduced in v3.10" * git://git.kvack.org/~bcrl/aio-fixes: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 aio: fix aio request leak when events are reaped by userspace
10b5b536 · Linus Torvalds · b4b664be · edfbbf38 · 10b5b536
Commit 10b5b536 authored Jun 24, 2014 by Linus Torvalds
Hide whitespace changes
Inline Side-by-side

Showing with 4 additions and 2 deletions

fs/aio.c fs/aio.c +4 -2

No files found.
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
 	/* everything turned out well, dispose of the aiocb. */
 	kiocb_free(iocb);
+	put_reqs_available(ctx, 1);
 	/*
 	 * We have to order our ring_info tail store above and test
@@ -1062,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	if (head == tail)
 		goto out;
+	head %= ctx->nr_events;
+	tail %= ctx->nr_events;
 	while (ret < nr) {
 		long avail;
 		struct io_event *ev;
@@ -1100,8 +1104,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	flush_dcache_page(ctx->ring_pages[0]);
 	pr_debug("%li  h%u t%u\n", ret, head, tail);
-	put_reqs_available(ctx, ret);
 out:
 	mutex_unlock(&ctx->ring_lock);