Re: [PATCH] aio: fix a user triggered use after free (and fix freeze protection of aio writes)

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Sat, Oct 29, 2016 at 11:52 AM, Al Viro <viro@xxxxxxxxxxxxxxxxxx> wrote:
>
> And that call can happen as soon as we return from __blockdev_direct_IO()
> (even earlier, actually).  As soon as that happens, the reference to
> struct file we'd acquired in io_submit_one() is dropped.  If descriptor
> table had been shared, another thread might have already closed that sucker,
> and fput() from aio_complete() would free struct file.

But that's the point. We don't *do* anything like that any more. We
now always do the final access from aio_complete(). So it doesn't
matter if that is called asynchronously (very early) or not.

That's the whole point of the patch. Exactly to do everything either
*before* we even submit it (at which point no completion can happen),
or doing it in aio_complete() which is guaranteed to be after the
submission. No races, no use-after-free.

What am I missing?

             Linus
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]