4c81f045c0
ext4_end_io_dio() queues io_end->work and then clears iocb->private;
however, io_end->work calls aio_complete() which frees the iocb
object. If that slab object gets reallocated, then ext4_end_io_dio()
can end up clearing someone else's iocb->private, this use-after-free
can cause a leak of a struct ext4_io_end_t structure.
Detected and tested with slab poisoning.
[ Note: Can also reproduce using 12 fio's against 12 file systems with the
following configuration file:
[global]
direct=1
ioengine=libaio
iodepth=1
bs=4k
ba=4k
size=128m
[create]
filename=${TESTDIR}
rw=write
-- tytso ]
Google-Bug-Id: 5354697
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reported-by: Kent Overstreet <koverstreet@google.com>
Tested-by: Kent Overstreet <koverstreet@google.com>
Cc: stable@kernel.org
|
||
|---|---|---|
| .. | ||
| acl.c | ||
| acl.h | ||
| balloc.c | ||
| bitmap.c | ||
| block_validity.c | ||
| dir.c | ||
| ext4_extents.h | ||
| ext4_jbd2.c | ||
| ext4_jbd2.h | ||
| ext4.h | ||
| extents.c | ||
| file.c | ||
| fsync.c | ||
| hash.c | ||
| ialloc.c | ||
| indirect.c | ||
| inode.c | ||
| ioctl.c | ||
| Kconfig | ||
| Makefile | ||
| mballoc.c | ||
| mballoc.h | ||
| migrate.c | ||
| mmp.c | ||
| move_extent.c | ||
| namei.c | ||
| page-io.c | ||
| resize.c | ||
| super.c | ||
| symlink.c | ||
| truncate.h | ||
| xattr_security.c | ||
| xattr_trusted.c | ||
| xattr_user.c | ||
| xattr.c | ||
| xattr.h | ||