Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / f01d35a15fa04162a58b95970fc01fa70ec9dacd
commitf01d35a15fa04162a58b95970fc01fa70ec9dacd[log] [tgz]
authorAl Viro <viro@zeniv.linux.org.uk>Fri Feb 06 02:07:45 2015 -0500
committerAl Viro <viro@zeniv.linux.org.uk>Tue Feb 17 22:23:32 2015 -0500
tree4a54918fe9e942e5826d6e4ddfcda6bc979af21e
parent70e60d917e91fff2237095b8950810effa2b1a50 [diff]
gadgetfs: use-after-free in ->aio_read()

AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
we are going to access it asynchronously, we'd better get ourselves
a copy - the one on kernel stack of aio_run_iocb() won't be there
anymore.  function/f_fs.c take care of doing that, legacy/inode.c
doesn't...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
1 file changed
tree: 4a54918fe9e942e5826d6e4ddfcda6bc979af21e
  1. arch/
  2. block/
  3. crypto/
  4. Documentation/
  5. drivers/
  6. firmware/
  7. fs/
  8. include/
  9. init/
  10. ipc/
  11. kernel/
  12. lib/
  13. mm/
  14. net/
  15. samples/
  16. scripts/
  17. security/
  18. sound/
  19. tools/
  20. usr/
  21. virt/
  22. .gitignore
  23. .mailmap
  24. COPYING
  25. CREDITS
  26. Kbuild
  27. Kconfig
  28. MAINTAINERS
  29. Makefile
  30. README
  31. REPORTING-BUGS