Date: Sun, 3 Mar 2019 10:37:37 -0800 From: Eric Dumazet <eric.dumazet@...il.com> To: Al Viro <viro@...iv.linux.org.uk>, Linus Torvalds <torvalds@...ux-foundation.org> Cc: davem@...emloft.net, jbaron@...mai.com, kgraul@...ux.ibm.com, ktkhai@...tuozzo.com, kyeongdon.kim@....com, linux-kernel@...r.kernel.org, netdev@...r.kernel.org, pabeni@...hat.com, syzkaller-bugs@...glegroups.com, xiyou.wangcong@...il.com, hch@....de Subject: Re: [PATCH] aio: prevent the final fput() in the middle of vfs_poll() (Re: KASAN: use-after-free Read in unix_dgram_poll) On 03/03/2019 07:18 AM, Al Viro wrote: > Fixes: bfe4037e722ec > Cc: stable@...r.kernel.org > Signed-off-by: Al Viro <viro@...iv.linux.org.uk> > --- > diff --git a/fs/aio.c b/fs/aio.c > index 3083180a54c8..7e88bfabdac2 100644 > --- a/fs/aio.c > +++ b/fs/aio.c > @@ -1767,6 +1767,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) > > /* one for removal from waitqueue, one for this function */ > refcount_set(&aiocb->ki_refcnt, 2); > + get_file(req->file); > > mask = vfs_poll(req->file, &apt.pt) & req->events; > if (unlikely(!req->head)) { > @@ -1793,6 +1794,7 @@ static ssize_t aio_poll(struct aio_kiocb *aiocb, const struct iocb *iocb) > spin_unlock_irq(&ctx->ctx_lock); > > out: > + fput(req->file); > if (unlikely(apt.error)) { > fput(req->file); > return apt.error; > Very nice changelog Al, thanks for fixing this. Reviewed-by: Eric Dumazet <edumazet@...gle.com>
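Review bot: the get_file(req->file) added before vfs_poll() in the first hunk (@@ -1767) carries no comment, and the existing comment directly above it only explains the two ki_refcnt references. A one-line comment saying that this extra file reference is held across vfs_poll() and dropped at the out: label would make the pairing with the fput() added in the second hunk explicit.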
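Review bot: in the second hunk (@@ -1793), the error path after out: now calls fput(req->file) twice back to back, once unconditionally and once inside if (unlikely(apt.error)), which reads like a double put unless the reader knows which reference each call drops. Suggest a short comment on the new fput() stating that it releases the reference taken by get_file() before vfs_poll(), so the existing call in the error branch is clearly dropping a separate reference.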