On Mon, Feb 04, 2013 at 12:31:09PM -0800, [email protected] wrote:
>
> The patch titled
>      Subject: ext4: fix possible use-after-free with AIO
> has been removed from the -mm tree.  Its filename was
>      ext4-fix-possible-use-after-free-with-aio.patch
>
> This patch was dropped because it was merged into mainline or a subsystem tree

Any hint from anyone as to where this patch ended up at?  Is this in the
ext4 tree in linux-next and it is marked with a stable@ tag as well?

thanks,

greg k-h

> ------------------------------------------------------
> From: Jan Kara <[email protected]>
> Subject: ext4: fix possible use-after-free with AIO
>
> Running AIO is pinning inode in memory using file reference. Once AIO
> is completed using aio_complete(), file reference is put and inode can
> be freed from memory. So we have to be sure that calling aio_complete()
> is the last thing we do with the inode.
>
> Signed-off-by: Jan Kara <[email protected]>
> Reviewed-by: Carlos Maiolino <[email protected]>
> Acked-by: Jeff Moyer <[email protected]>
> Cc: "Theodore Ts'o" <[email protected]>
> Cc: Al Viro <[email protected]>
> Cc: <[email protected]>
> Signed-off-by: Andrew Morton <[email protected]>
> --- > > fs/ext4/inode.c | 2 +- > fs/ext4/page-io.c | 9 ++++----- > 2 files changed, 5 insertions(+), 6 deletions(-) > > diff -puN fs/ext4/inode.c~ext4-fix-possible-use-after-free-with-aio > fs/ext4/inode.c > --- a/fs/ext4/inode.c~ext4-fix-possible-use-after-free-with-aio > +++ a/fs/ext4/inode.c > @@ -2973,9 +2973,9 @@ static void ext4_end_io_dio(struct kiocb > if (!(io_end->flag & EXT4_IO_END_UNWRITTEN)) { > ext4_free_io_end(io_end); > out: > + inode_dio_done(inode); > if (is_async) > aio_complete(iocb, ret, 0); > - inode_dio_done(inode); > return; > } > > diff -puN fs/ext4/page-io.c~ext4-fix-possible-use-after-free-with-aio > fs/ext4/page-io.c > --- a/fs/ext4/page-io.c~ext4-fix-possible-use-after-free-with-aio > +++ a/fs/ext4/page-io.c 
> @@ -103,14 +103,13 @@ static int ext4_end_io(ext4_io_end_t *io > "(inode %lu, offset %llu, size %zd, error %d)", > inode->i_ino, offset, size, ret); > } > - if (io->iocb) > - aio_complete(io->iocb, io->result, 0); > - > - if (io->flag & EXT4_IO_END_DIRECT) > - inode_dio_done(inode); > /* Wake up anyone waiting on unwritten extent conversion */ > if (atomic_dec_and_test(&EXT4_I(inode)->i_unwritten)) > wake_up_all(ext4_ioend_wq(inode)); > + if (io->flag & EXT4_IO_END_DIRECT) > + inode_dio_done(inode); > + if (io->iocb) > + aio_complete(io->iocb, io->result, 0); > return ret; > } > > _
>
> Patches currently in -mm which might be from [email protected] are
>
> linux-next.patch
> fs-change-return-values-from-eacces-to-eperm.patch
> bdi-allow-block-devices-to-say-that-they-require-stable-page-writes.patch
> mm-only-enforce-stable-page-writes-if-the-backing-device-requires-it.patch
> 9pfs-fix-filesystem-to-wait-for-stable-page-writeback.patch
> block-optionally-snapshot-page-contents-to-provide-stable-pages-during-write.patch
> ocfs2-wait-for-page-writeback-to-provide-stable-pages.patch
> ubifs-wait-for-page-writeback-to-provide-stable-pages.patch
> hfsplus-add-osx-prefix-for-handling-namespace-of-mac-os-x-extended-attributes.patch
> hfsplus-add-on-disk-layout-declarations-related-to-attributes-tree.patch
> hfsplus-add-functionality-of-manipulating-by-records-in-attributes-tree.patch
> hfsplus-rework-functionality-of-getting-setting-and-deleting-of-extended-attributes.patch
> hfsplus-add-support-of-manipulation-by-attributes-file.patch
> ocfs2-fix-possible-use-after-free-with-aio.patch
> fs-direct-ioc-fix-possible-use-after-free-with-aio.patch
>
> --
> To unsubscribe from this list: send the line "unsubscribe stable" in
> the body of a message to [email protected]
> More majordomo info at http://vger.kernel.org/majordomo-info.html
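
Review bot: In the fs/ext4/inode.c hunk (ext4_end_io_dio(), at the out: label) the new order is only correct as long as nothing that touches inode is ever placed after aio_complete(), and nothing in the code says so. The changelog explains that aio_complete() puts the file reference and the inode can then be freed, so a one-line comment above `if (is_async)` stating that aio_complete() must be the last use of the inode would keep a later cleanup from moving inode_dio_done() back below it.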
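
Review bot: In the fs/ext4/page-io.c hunk (ext4_end_io()), inode_dio_done() now runs after the i_unwritten decrement and wake_up_all(), where before it ran ahead of them, and the changelog only motivates moving aio_complete(). If that extra reordering is not intended, leave the `if (io->flag & EXT4_IO_END_DIRECT)` block where it was and move only the `if (io->iocb)` block down to just before `return ret;`; if it is intended, the changelog should say so. Either way, a short comment above the aio_complete() call noting that it must be the last use of the inode would document the constraint the fix depends on.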
