linux/fs/ext4
Tejun Heo 4c81f045c0 ext4: fix racy use-after-free in ext4_end_io_dio()
ext4_end_io_dio() queues io_end->work and then clears iocb->private;
however, io_end->work calls aio_complete() which frees the iocb
object.  If that slab object gets reallocated, then ext4_end_io_dio()
can end up clearing someone else's iocb->private; this use-after-free
can cause a leak of a struct ext4_io_end_t structure.

Detected and tested with slab poisoning.

[ Note: Can also reproduce using 12 fio's against 12 file systems with the
  following configuration file:

  [global]
  direct=1
  ioengine=libaio
  iodepth=1
  bs=4k
  ba=4k
  size=128m

  [create]
  filename=${TESTDIR}
  rw=write

  -- tytso ]

Google-Bug-Id: 5354697
Signed-off-by: Tejun Heo <tj@kernel.org>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Reported-by: Kent Overstreet <koverstreet@google.com>
Tested-by: Kent Overstreet <koverstreet@google.com>
Cc: stable@kernel.org
2011-11-24 19:22:24 -05:00
acl.c switch posix_acl_equiv_mode() to umode_t * 2011-08-01 02:10:06 -04:00
acl.h fs: take the ACL checks to common code 2011-07-25 14:30:23 -04:00
balloc.c ext4: fix up a undefined error in ext4_free_blocks in debugging code 2011-11-21 12:09:19 -05:00
bitmap.c
block_validity.c ext4: move ext4_ind_* functions from inode.c to indirect.c 2011-06-27 19:40:50 -04:00
dir.c ext4: Use ext4_error_file() to print the pathname to the corrupted inode 2011-01-10 12:10:55 -05:00
ext4_extents.h ext4: Fix bigalloc quota accounting and i_blocks value 2011-09-09 19:04:51 -04:00
ext4_jbd2.c jbd2: add debugging information to jbd2_journal_dirty_metadata() 2011-09-04 10:18:14 -04:00
ext4_jbd2.h ext4: Fix ext4_should_writeback_data() for no-journal mode 2011-08-13 11:25:18 -04:00
ext4.h Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 2011-11-02 10:06:20 -07:00
extents.c ext4: let ext4_ext_rm_leaf work with EXT_DEBUG defined 2011-11-01 18:59:26 -04:00
file.c Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4 2011-11-02 10:06:20 -07:00
fsync.c ext4: optimize locking for end_io extent conversion 2011-10-31 10:56:32 -04:00
hash.c
ialloc.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-11-02 11:41:01 -07:00
indirect.c ext4: enforce bigalloc restrictions (e.g., no online resizing, etc.) 2011-09-09 18:36:51 -04:00
inode.c ext4: fix racy use-after-free in ext4_end_io_dio() 2011-11-24 19:22:24 -05:00
ioctl.c ext4: add __user decoration to calls of copy_{from,to}_user() 2011-10-18 10:59:51 -04:00
Kconfig
Makefile ext4: move ext4_ind_* functions from inode.c to indirect.c 2011-06-27 19:40:50 -04:00
mballoc.c ext4: fix a wrong comment in __mb_check_buddy() 2011-10-26 08:48:54 -04:00
mballoc.h ext4: fix a typo in struct ext4_allocation_context 2011-10-31 18:55:50 -04:00
migrate.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-11-02 11:41:01 -07:00
mmp.c ext4: Fix comparison endianness problem in MMP initialization 2011-10-18 10:53:51 -04:00
move_extent.c ext4: add some tracepoints in ext4/extents.c 2011-09-09 19:18:51 -04:00
namei.c Merge branch 'for-next' of git://git.kernel.org/pub/scm/linux/kernel/git/hch/vfs-queue 2011-11-02 11:41:01 -07:00
page-io.c ext4: Create helper function for EXT4_IO_END_UNWRITTEN and i_aiodio_unwritten 2011-10-31 17:30:44 -04:00
resize.c ext4: Rename ext4_free_blks_{count,set}() to refer to clusters 2011-09-09 19:08:51 -04:00
super.c ext4: Remove kernel_lock annotations 2011-11-07 10:50:09 -05:00
symlink.c
truncate.h ext4: move common truncate functions to header file 2011-06-27 19:16:04 -04:00
xattr_security.c security: new security_inode_init_security API adds function callback 2011-07-18 12:29:38 -04:00
xattr_trusted.c
xattr_user.c
xattr.c ext4: fix race in xattr block allocation path 2011-10-29 10:15:35 -04:00
xattr.h fs/vfs/security: pass last path component to LSM on inode creation 2011-02-01 11:12:29 -05:00