Re: [PATCH] aio: fix a user triggered use after free (and fix freeze protection of aio writes)

From: Al Viro
Date: Sat Oct 29 2016 - 08:25:28 EST


On Sat, Oct 29, 2016 at 09:44:29AM +0200, Christoph Hellwig wrote:

> - if (rw == WRITE)
> + if (rw == WRITE) {
> file_start_write(file);
> + req->ki_flags |= IOCB_WRITE;
> + }
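Review bot: setting req->ki_flags |= IOCB_WRITE inside the same block as file_start_write(file) makes that flag the only record that freeze protection is held, so every error path after this point that drops the request without going through aio_complete() must call file_end_write() itself, otherwise the superblock's s_writers count is never decremented and a later freeze of that filesystem will hang waiting for it. A one-line comment next to the flag, stating that IOCB_WRITE now also means "freeze protection held until completion", would make that contract visible to whoever touches the submission path next.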

> + if (rw == WRITE) {
> + /*
> + * We release freeze protection in aio_complete(). Fool
> + * lockdep by telling it the lock got released so that
> + * it doesn't complain about held lock when we return
> + * to userspace.
> + */
> + __sb_writers_release(file_inode(file)->i_sb,
> + SB_FREEZE_WRITE);
> + }
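Review bot: the comment says freeze protection is released in aio_complete(), but the completion side is not in this hunk; __sb_writers_release() only tells lockdep the lock is gone, so aio_complete() has to call __sb_writers_acquired() before its file_end_write(), or lockdep will report an unlock of a lock it does not believe is held. Suggest naming that pairing explicitly in the comment (e.g. "paired with __sb_writers_acquired() in aio_complete()"), so the two annotations are not silently decoupled in a later change.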

How about taking this chunk (i.e. telling lockdep that we are not holding this
thing) past the iter_op() call, where file_end_write() used to be?

As it is, you risk hiding the lock dependencies the current mainline would've
caught. Other than that I see no problems with the patch...