From: Benjamin LaHaise
Date: Fri, 27 Sep 2013 00:34:51 +0000 (-0400)
Subject: aio: fix use-after-free in aio_migratepage
X-Git-Tag: v3.12-rc4~27^2
X-Git-Url: http://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=5e9ae2e5da0beb93f8557fc92a8f4fbc05ea448f;p=pandora-kernel.git

aio: fix use-after-free in aio_migratepage

Dmitry Vyukov managed to trigger a case where aio_migratepage can cause a
use-after-free during teardown of the aio ring buffer's mapping. This turns
out to be caused by access to the ioctx's ring_pages via the migratepage
operation which was not being protected by any locks during ioctx freeing.
Use the address_space's private_lock to protect use and updates of the
mapping's private_data, and make ioctx teardown unlink the ioctx from the
address space.

Reported-by: Dmitry Vyukov
Tested-by: Dmitry Vyukov
Signed-off-by: Benjamin LaHaise
---
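
The locking scheme the commit message describes, reduced to a user-space C model (an added example, not the kernel patch, whose diff is not on this page). `struct mapping`, `struct ctx`, `ctx_create`, `migrate_page`, `ctx_destroy` and the `-EINVAL` return value are assumed stand-ins, and a C11 `atomic_flag` spinlock takes the place of `private_lock`.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdlib.h>
/* User-space stand-ins named after the commit message; not kernel code. */
struct mapping {
    atomic_flag private_lock;  /* models address_space->private_lock */
    void *private_data;        /* owning ctx, or NULL once unlinked */
};
struct ctx { struct mapping *map; int *ring_pages; int nr_pages; };
static void lock(atomic_flag *l) { while (atomic_flag_test_and_set(l)) { } }
static void unlock(atomic_flag *l) { atomic_flag_clear(l); }

struct ctx *ctx_create(struct mapping *m, int nr_pages) {
    struct ctx *c = malloc(sizeof(*c));
    if (!c) return NULL;
    c->ring_pages = calloc((size_t)nr_pages, sizeof(int));
    if (!c->ring_pages) { free(c); return NULL; }
    c->map = m; c->nr_pages = nr_pages;
    lock(&m->private_lock);
    m->private_data = c;       /* publish the ctx under the lock */
    unlock(&m->private_lock);
    return c;
}
/* Migration side: reach the ctx only through the mapping, under the lock. */
int migrate_page(struct mapping *m, int idx, int new_page) {
    int rc = -EINVAL;          /* assumed error code for "ctx already gone" */
    lock(&m->private_lock);
    struct ctx *c = m->private_data;
    if (c && idx >= 0 && idx < c->nr_pages) {
        c->ring_pages[idx] = new_page;  /* safe: teardown cannot free yet */
        rc = 0;
    }
    unlock(&m->private_lock);
    return rc;
}
/* Teardown side: unlink under the lock first, free only afterwards. */
void ctx_destroy(struct ctx *c) {
    lock(&c->map->private_lock);
    c->map->private_data = NULL;
    unlock(&c->map->private_lock);
    free(c->ring_pages);
    free(c);
}
int main(void) {
    struct mapping m = { ATOMIC_FLAG_INIT, NULL };
    struct ctx *c = ctx_create(&m, 4);
    if (!c || migrate_page(&m, 1, 42) != 0) return 1;
    ctx_destroy(c);
    return migrate_page(&m, 1, 7) == -EINVAL ? 0 : 1; /* late call refused */
}
```

Without the unlink step in `ctx_destroy`, the final `migrate_page` call would follow a stale `private_data` pointer into freed memory, which is the failure mode the commit message reports.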