From: Michal Nazarewicz
Subject: Re: [PATCH 06/12] gadgetfs: use-after-free in ->aio_read()
Date: Mon, 09 Mar 2015 16:18:49 +0100
References: <1424714436-19371-1-git-send-email-hch@lst.de> <1424714436-19371-7-git-send-email-hch@lst.de>
To: Ming Lei, Christoph Hellwig
Cc: Al Viro, Maxim Patlasov, Robert Baldyga, Felipe Balbi, "open list:AIO", Linux FS Devel, stable
List-Id: linux-fsdevel.vger.kernel.org

On Sun, Mar 08 2015, Ming Lei wrote:
> On Tue, Feb 24, 2015 at 2:00 AM, Christoph Hellwig wrote:
>> From: Al Viro
>>
>> AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
>> we are going to access it asynchronously, we'd better get ourselves
>> a copy - the one on kernel stack of aio_run_iocb() won't be there
>> anymore. function/f_fs.c take care of doing that, legacy/inode.c
>> doesn't...
>>
>> Cc: stable@vger.kernel.org
>> Signed-off-by: Al Viro

Acked-by: Michal Nazarewicz

but at the same time:

>> @@ -649,7 +650,14 @@ fail:
>>  	}
>>  	iocb->private = priv;
>>  	priv->iocb = iocb;
>> -	priv->iv = iv;
>> +	if (iv) {
>> +		priv->iv = kmemdup(iv, nr_segs * sizeof(struct iovec),
>> +				   GFP_KERNEL);
>> +		if (!priv->iv) {
>> +			kfree(priv);
>> +			goto fail;
>> +		}
>> +	}
>
> It should be simpler and more efficient to allocate 'iv' piggyback
> inside 'priv'.

+1

	priv = kmalloc(sizeof *priv + (iv ? nr_segs * sizeof *iv : 0),
		       GFP_KERNEL);
	…
	priv->iv = iv ? (void*)(priv + 1) : NULL;

>>  	priv->nr_segs = nr_segs;
>>  	INIT_WORK(&priv->work, ep_user_copy_worker);
>>

-- 
Best regards,                                         _     _
.o. | Liege of Serenely Enlightened Majesty of      o' \,=./ `o
..o | Computer Science,  Michał “mina86” Nazarewicz    (o o)
ooo +------ooO--(_)--Ooo--
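Review bot: the new error path in the quoted hunk (the `if (!priv->iv)` branch) frees `priv` after `iocb->private = priv;` has already been stored two lines above it, so `kfree(priv); goto fail;` leaves `iocb->private` pointing at freed memory unless the `fail:` label, which is not visible here, resets it; either do the `kmemdup()` before `iocb->private = priv;` is assigned, or set `iocb->private = NULL;` ahead of the `kfree(priv);`. A second point in the same hunk: the removed `priv->iv = iv;` also stored NULL when `iv` was NULL, while the replacement only assigns `priv->iv` inside `if (iv)`, so the NULL case leaves `priv->iv` unset unless `priv` comes from a zeroing allocator (not shown). The piggyback allocation proposed in the reply (`priv->iv = iv ? (void*)(priv + 1) : NULL;`) handles both cases and removes the second failure path entirely, so it is worth taking.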