From: Al Viro
Date: Fri, 6 Feb 2015 07:07:45 +0000 (-0500)
Subject: gadgetfs: use-after-free in ->aio_read()
X-Git-Tag: omap-for-v4.1/wl12xx-dt~21^2~3
X-Git-Url: https://git.openpandora.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=f01d35a15fa0;p=pandora-kernel.git

gadgetfs: use-after-free in ->aio_read()

AIO_PREAD requests call ->aio_read() with iovec on caller's stack, so if
we are going to access it asynchronously, we'd better get ourselves
a copy - the one on kernel stack of aio_run_iocb() won't be there
anymore.  function/f_fs.c take care of doing that, legacy/inode.c
doesn't...

Cc: stable@vger.kernel.org
Signed-off-by: Al Viro
---

Reading git-diff-tree failed
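
The lifetime problem described in the commit message, as an added userspace C model; it is not code from this commit or from the kernel. `struct deferred_read`, `submit_borrow`, `submit_copy`, `complete` and `run` are hypothetical names, and a static array stands in for the submitter's stack frame so the stale-pointer case can be executed without undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>
#include <sys/uio.h>

/* Hypothetical userspace model of a read request completed later (not kernel code). */
struct deferred_read {
    struct iovec *iov;      /* segments to fill at completion time */
    int nr_segs, owns_iov;  /* owns_iov: 1 when iov is a private heap copy */
};

/* Unsafe pattern: keep the submitter's pointer past the submit call. */
void submit_borrow(struct deferred_read *r, struct iovec *iov, int nr_segs) {
    r->iov = iov; r->nr_segs = nr_segs; r->owns_iov = 0;
}

/* Safe pattern: duplicate the iovec array so the request owns its segment list. */
int submit_copy(struct deferred_read *r, const struct iovec *iov, int nr_segs) {
    r->iov = malloc(nr_segs * sizeof(*iov));
    if (!r->iov) return -1;
    memcpy(r->iov, iov, nr_segs * sizeof(*iov));
    r->nr_segs = nr_segs; r->owns_iov = 1;
    return 0;
}

/* Completion: scatter data into the recorded segments; returns bytes delivered. */
size_t complete(struct deferred_read *r, const char *data, size_t len) {
    size_t done = 0;
    for (int i = 0; i < r->nr_segs && done < len; i++) {
        size_t n = r->iov[i].iov_len < len - done ? r->iov[i].iov_len : len - done;
        if (n == 0) continue;  /* clobbered or empty segment: nothing to deliver */
        memcpy(r->iov[i].iov_base, data + done, n);
        done += n;
    }
    if (r->owns_iov) free(r->iov);
    return done;
}

static struct iovec frame[2];  /* stands in for the submitter's stack frame */
/* Submit, let the "frame" be reused, then complete; copy selects the safe path. */
size_t run(int copy, char *a, char *b) {
    struct deferred_read r;
    frame[0] = (struct iovec){ a, 4 };
    frame[1] = (struct iovec){ b, 4 };
    if (copy) { if (submit_copy(&r, frame, 2) != 0) return 0; }
    else submit_borrow(&r, frame, 2);
    memset(frame, 0, sizeof(frame));  /* frame contents gone once submit returned */
    return complete(&r, "ABCDEFGH", 8);
}
int main(void) { char a[4], b[4]; return run(1, a, b) == 8 ? 0 : 1; }
```

In the model the borrowed request sees zeroed segments and delivers nothing; in a kernel the stale iovec would instead hold whatever later occupied that stack memory.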