From patchwork Thu Feb 28 11:58:58 2013 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Luis Henriques X-Patchwork-Id: 223936 Return-Path: X-Original-To: incoming@patchwork.ozlabs.org Delivered-To: patchwork-incoming@bilbo.ozlabs.org Received: from huckleberry.canonical.com (huckleberry.canonical.com [91.189.94.19]) by ozlabs.org (Postfix) with ESMTP id 5B5F42C02A8 for ; Thu, 28 Feb 2013 22:59:17 +1100 (EST) Received: from localhost ([127.0.0.1] helo=huckleberry.canonical.com) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UB28e-0004RZ-TX; Thu, 28 Feb 2013 11:59:04 +0000 Received: from youngberry.canonical.com ([91.189.89.112]) by huckleberry.canonical.com with esmtp (Exim 4.76) (envelope-from ) id 1UB28c-0004Q3-TE for kernel-team@lists.ubuntu.com; Thu, 28 Feb 2013 11:59:02 +0000 Received: from [188.250.143.69] (helo=localhost) by youngberry.canonical.com with esmtpsa (TLS1.0:DHE_RSA_AES_128_CBC_SHA1:16) (Exim 4.71) (envelope-from ) id 1UB28b-0006GO-0x; Thu, 28 Feb 2013 11:59:01 +0000 From: Luis Henriques To: Jan Kara Subject: [ 3.5.y.z extended stable ] Patch "ocfs2: fix possible use-after-free with AIO" has been added to staging queue Date: Thu, 28 Feb 2013 11:58:58 +0000 Message-Id: <1362052738-20534-1-git-send-email-luis.henriques@canonical.com> X-Mailer: git-send-email 1.8.1.2 X-Extended-Stable: 3.5 Cc: Mark Fasheh , kernel-team@lists.ubuntu.com, Jeff Moyer , Joel Becker , Andrew Morton , Al Viro X-BeenThere: kernel-team@lists.ubuntu.com X-Mailman-Version: 2.1.14 Precedence: list List-Id: Kernel team discussions List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , MIME-Version: 1.0 Errors-To: kernel-team-bounces@lists.ubuntu.com Sender: kernel-team-bounces@lists.ubuntu.com This is a note to let you know that I have just added a patch titled ocfs2: fix possible use-after-free with AIO to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree which can be found at: http://kernel.ubuntu.com/git?p=ubuntu/linux.git;a=shortlog;h=refs/heads/linux-3.5.y-queue If you, or anyone else, feels it should not be added to this tree, please reply to this email. For more information about the 3.5.y.z tree, see https://wiki.ubuntu.com/Kernel/Dev/ExtendedStable Thanks. -Luis ------ From 58e57cc1da263b391d27bb4f37dc95b90cf47bcf Mon Sep 17 00:00:00 2001 From: Jan Kara Date: Wed, 20 Feb 2013 13:16:39 +1100 Subject: [PATCH] ocfs2: fix possible use-after-free with AIO commit 9b171e0c74ca0549d0610990a862dd895870f04a upstream. Running AIO is pinning inode in memory using file reference. Once AIO is completed using aio_complete(), file reference is put and inode can be freed from memory. So we have to be sure that calling aio_complete() is the last thing we do with the inode. Signed-off-by: Jan Kara Acked-by: Jeff Moyer Acked-by: Joel Becker Cc: Mark Fasheh Cc: Al Viro Signed-off-by: Andrew Morton Signed-off-by: Al Viro Signed-off-by: Luis Henriques --- fs/ocfs2/aops.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) -- 1.8.1.2 diff --git a/fs/ocfs2/aops.c b/fs/ocfs2/aops.c index 6577432..340bd02 100644 --- a/fs/ocfs2/aops.c +++ b/fs/ocfs2/aops.c @@ -593,9 +593,9 @@ static void ocfs2_dio_end_io(struct kiocb *iocb, level = ocfs2_iocb_rw_locked_level(iocb); ocfs2_rw_unlock(inode, level); + inode_dio_done(inode); if (is_async) aio_complete(iocb, ret, 0); - inode_dio_done(inode); } /*