From: Michal Nazarewicz <mina86@mina86.com>
To: Ming Lei <tom.leiming@gmail.com>, Christoph Hellwig <hch@lst.de>
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Maxim Patlasov <MPatlasov@parallels.com>,
	Robert Baldyga <r.baldyga@samsung.com>,
	Felipe Balbi <balbi@ti.com>,
	"open list\:AIO" <linux-aio@kvack.org>,
	Linux FS Devel <linux-fsdevel@vger.kernel.org>,
	stable <stable@vger.kernel.org>
Subject: Re: [PATCH 06/12] gadgetfs: use-after-free in ->aio_read()
Date: Mon, 09 Mar 2015 16:18:49 +0100
Message-ID: <xa1tioeakxly.fsf@mina86.com>
In-Reply-To: <CACVXFVMZeiZML6Hxxn1sdObj-cqRO8fv9L+x9T0LuwcMd2Xsbg@mail.gmail.com>

On Sun, Mar 08 2015, Ming Lei <tom.leiming@gmail.com> wrote:
> On Tue, Feb 24, 2015 at 2:00 AM, Christoph Hellwig <hch@lst.de> wrote:
>> From: Al Viro <viro@zeniv.linux.org.uk>
>>
>> AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
>> we are going to access it asynchronously, we'd better get ourselves
>> a copy - the one on kernel stack of aio_run_iocb() won't be there
>> anymore.  function/f_fs.c take care of doing that, legacy/inode.c
>> doesn't...
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

Acked-by: Michal Nazarewicz <mina86@mina86.com>

but at the same time:

>> @@ -649,7 +650,14 @@ fail:
>>         }
>>         iocb->private = priv;
>>         priv->iocb = iocb;
>> -       priv->iv = iv;
>> +       if (iv) {
>> +               priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
>> +                                  GFP_KERNEL);
>> +               if (!priv->iv) {
>> +                       kfree(priv);
>> +                       goto fail;
>> +               }
>> +       }
>
> It should be simpler and more efficient to allocate 'iv' piggyback
> inside 'priv'.

+1

	priv = kmalloc(sizeof *priv + (iv ? nr_segs * sizeof *iv : 0),
		       GFP_KERNEL);
	…
	priv->iv = iv ? (void*)(priv + 1) : NULL;

>>         priv->nr_segs = nr_segs;
>>         INIT_WORK(&priv->work, ep_user_copy_worker);
>>
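Review bot: the new `if (iv) { ... }` block replaces the unconditional `priv->iv = iv;`, so when `iv` is NULL `priv->iv` is never assigned and, unless `priv` comes from kzalloc, holds whatever kmalloc returned; add an `else` that sets `priv->iv = NULL;` (the piggyback sketch above, `priv->iv = iv ? (void*)(priv + 1) : NULL;`, handles that case explicitly). On the kmemdup failure path, `iocb->private = priv;` was assigned three lines earlier, so `kfree(priv); goto fail;` leaves `iocb->private` pointing at freed memory, and the hunk does not show `value` being assigned before the jump; if `fail:` returns `value`, set it to -ENOMEM and clear `iocb->private` before `goto fail`.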

-- 
Best regards,                                         _     _
.o. | Liege of Serenely Enlightened Majesty of      o' \,=./ `o
..o | Computer Science,  Michał “mina86” Nazarewicz    (o o)
ooo +--<mpn@google.com>--<xmpp:mina86@jabber.org>--ooO--(_)--Ooo--
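Added example, not code from the patch or from gadgetfs: a userspace C model of the single-allocation layout sketched in the reply above, with the struct and function names (`kiocb_priv`, `priv_alloc`) used as hypothetical stand-ins. It adds the overflow check a reviewer would want on `nr_segs * sizeof *iv`, and lets a caller confirm that the copied iovec array survives the submitter's own array going away, which is the bug the patch fixes.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Userspace stand-in for the gadgetfs per-request state (hypothetical). */
struct kiocb_priv {
	struct iovec	*iv;		/* NULL for write requests */
	unsigned long	nr_segs;
	/* when iv != NULL, the iovec copy lives directly after this struct */
};

/*
 * One allocation carries both priv and a private copy of the caller's
 * iovec array, so an asynchronous completion never touches the
 * submitter's stack array, which is gone by the time it runs.
 */
static struct kiocb_priv *priv_alloc(const struct iovec *iv,
				     unsigned long nr_segs)
{
	struct kiocb_priv *priv;
	size_t extra = 0;

	if (iv) {
		/* refuse sizes that would wrap nr_segs * sizeof *iv */
		if (nr_segs > SIZE_MAX / sizeof *iv)
			return NULL;
		extra = nr_segs * sizeof *iv;
	}
	if (extra > SIZE_MAX - sizeof *priv)
		return NULL;

	priv = malloc(sizeof *priv + extra);
	if (!priv)
		return NULL;

	/* priv + 1 is the first byte past the struct: the trailing array */
	priv->iv = iv ? (struct iovec *)(priv + 1) : NULL;
	priv->nr_segs = nr_segs;
	if (iv)
		memcpy(priv->iv, iv, extra);
	return priv;
}
```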
