From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <stable-owner@vger.kernel.org>
Received: from verein.lst.de ([213.95.11.211]:39025 "EHLO newverein.lst.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1750796AbcJ2PUU (ORCPT <rfc822;stable@vger.kernel.org>);
        Sat, 29 Oct 2016 11:20:20 -0400
Date: Sat, 29 Oct 2016 17:20:17 +0200
From: Christoph Hellwig <hch@lst.de>
To: Al Viro <viro@ZenIV.linux.org.uk>
Cc: Christoph Hellwig <hch@lst.de>, torvalds@linux-foundation.org,
        jack@suse.cz, dmonakhov@openvz.org, jmoyer@redhat.com,
        linux-fsdevel@vger.kernel.org, linux-aio@kvack.org,
        linux-kernel@vger.kernel.org, stable@vger.kernel.org
Subject: Re: [PATCH] aio: fix a user triggered use after free (and fix
        freeze protection of aio writes)
Message-ID: <20161029152017.GA7388@lst.de>
References: <1477727070-18806-1-git-send-email-hch@lst.de> <1477727070-18806-2-git-send-email-hch@lst.de> <20161029122451.GQ19539@ZenIV.linux.org.uk>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20161029122451.GQ19539@ZenIV.linux.org.uk>
Sender: stable-owner@vger.kernel.org
List-ID: <stable.vger.kernel.org>

On Sat, Oct 29, 2016 at 01:24:51PM +0100, Al Viro wrote:
> How about taking this chunk (i.e. telling lockdep that we are not holding this
> thing) past the iter_op() call, where file_end_write() used to be?

We can't as that would not fix the use after free (at least for the lockdep
case - otherwise the call is a no-op).  Once iter_op returns aio_complete
might have dropped our reference to the file, and another thread might
have closed the fd so that the fput from aio_complete was the last one.

This is something that xfstests/323 can reproduce under the right conditions.