Merge git://git.kvack.org/~bcrl/aio-fixes

Pull aio fixes from Ben LaHaise: "These fix a kernel memory disclosure issue (arbitrary kmap() & copy_to_user()) revealed in CVE-2014-0206 by changes that were introduced in v3.10" * git://git.kvack.org/~bcrl/aio-fixes: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10 aio: fix aio request leak when events are reaped by userspace
git-mirror · Jun 24, 2014 · 10b5b53 · 10b5b53
2 parents b4b664b + edfbbf3
commit 10b5b53
Showing 1 changed file with 4 additions and 2 deletions.
diff --git a/fs/aio.c b/fs/aio.c
@@ -1021,6 +1021,7 @@ void aio_complete(struct kiocb *iocb, long res, long res2)
 
 	/* everything turned out well, dispose of the aiocb. */
 	kiocb_free(iocb);
+	put_reqs_available(ctx, 1);
 
 	/*
 	 * We have to order our ring_info tail store above and test
@@ -1062,6 +1063,9 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	if (head == tail)
 		goto out;
 
+	head %= ctx->nr_events;
+	tail %= ctx->nr_events;
+
 	while (ret < nr) {
 		long avail;
 		struct io_event *ev;
@@ -1100,8 +1104,6 @@ static long aio_read_events_ring(struct kioctx *ctx,
 	flush_dcache_page(ctx->ring_pages[0]);
 
 	pr_debug("%li  h%u t%u\n", ret, head, tail);
-
-	put_reqs_available(ctx, ret);
 out:
 	mutex_unlock(&ctx->ring_lock);