kernel_optimize_test/fs
Al Viro 86b62a2cb4 aio: fix io_setup/io_destroy race
Have ioctx_alloc() return an extra reference, so that caller would drop it
on success and not bother with re-grabbing it on failure exit.  The current
code is obviously broken - io_destroy() from another thread that managed
to guess the address io_setup() would've returned would free ioctx right
under us; gets especially interesting if aio_context_t * we pass to
io_setup() points to PROT_READ mapping, so put_user() fails and we end
up doing io_destroy() on kioctx another thread has just got freed...

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Acked-by: Benjamin LaHaise <bcrl@kvack.org>
Reviewed-by: Jeff Moyer <jmoyer@redhat.com>
Cc: stable@vger.kernel.org
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2012-03-09 18:59:59 -08:00
..
9p
adfs
affs
afs
autofs4 autofs: work around unhappy compat problem on x86-64 2012-02-25 12:10:27 -08:00
befs
bfs
btrfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2012-03-09 18:09:18 -08:00
cachefiles
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2012-02-02 15:47:33 -08:00
cifs cifs: fix dentry refcount leak when opening a FIFO on lookup 2012-02-26 23:16:26 -06:00
coda
configfs
cramfs
debugfs kernel-doc: fix new warnings in debugfs 2012-01-24 10:47:41 -08:00
devpts
dlm
ecryptfs ecryptfs: fix printk format warning for size_t 2012-02-28 16:55:30 -08:00
efs
exofs
exportfs
ext2
ext3
ext4
fat
freevxfs
fscache
fuse
gfs2 GFS2: Read resource groups on mount 2012-02-28 09:52:39 +00:00
hfs
hfsplus
hostfs
hpfs
hppfs
hugetlbfs
isofs
jbd
jbd2
jffs2
jfs
lockd
logfs mtd: fix merge conflict resolution breakage 2012-02-01 11:10:24 -08:00
minix
ncpfs
nfs NFSv4: fix server_scope memory leak 2012-02-17 17:34:03 -05:00
nfs_common
nfsd
nilfs2 nilfs2: avoid overflowing segment numbers in nilfs_ioctl_clean_segments() 2012-02-08 19:03:51 -08:00
nls
notify
ntfs NTFS: Correct two spelling errors "dealocate" to "deallocate" in mft.c. 2012-02-24 09:17:09 +00:00
ocfs2 ocfs2: deal with wraparounds of i_nlink in ocfs2_rename() 2012-02-13 20:45:39 -05:00
omfs
openpromfs
proc Fix race in process_vm_rw_core 2012-02-02 12:55:17 -08:00
pstore
qnx4
quota quota: Fix deadlock with suspend and quotas 2012-02-13 20:45:39 -05:00
ramfs
reiserfs
romfs
squashfs
sysfs sysfs: Complain bitterly about attempts to remove files from nonexistent directories. 2012-01-24 12:12:32 -08:00
sysv
ubifs
udf
ufs
xfs xfs: make inode quota check more general 2012-02-21 10:12:43 -06:00
aio.c aio: fix io_setup/io_destroy race 2012-03-09 18:59:59 -08:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c aout: move setup_arg_pages() prior to reading/mapping the binary 2012-03-05 13:51:32 -08:00
binfmt_elf_fdpic.c
binfmt_elf.c regset: Prevent null pointer reference on readonly regsets 2012-03-02 11:38:15 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
binfmt_som.c
bio-integrity.c
bio.c bio: don't overflow in bio_get_nr_vecs() 2012-02-08 22:07:18 +01:00
block_dev.c
buffer.c
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
compat.c vfs: fix compat_sys_stat() handling of overflows in st_nlink 2012-02-13 20:45:39 -05:00
dcache.c vfs: move dentry_cmp from <linux/dcache.h> to fs/dcache.c 2012-03-04 15:51:42 -08:00
dcookies.c
direct-io.c Restore direct_io / truncate locking API 2012-02-23 15:56:21 -08:00
drop_caches.c
eventfd.c
eventpoll.c epoll: ep_unregister_pollwait() can use the freed pwq->whead 2012-02-24 11:42:50 -08:00
exec.c coredump_wait: don't call complete_vfork_done() 2012-03-05 15:49:42 -08:00
fcntl.c
fhandle.c
fifo.c
file_table.c
file.c
filesystems.c
fs_struct.c
fs-writeback.c writeback: fix NULL bdi->dev in trace writeback_single_inode 2012-02-01 16:53:40 +08:00
generic_acl.c
inode.c vfs: fix panic in __d_lookup() with high dentry hashtable counts 2012-02-13 20:45:38 -05:00
internal.h
ioctl.c
ioprio.c block: strip out locking optimization in put_io_context() 2012-02-07 07:51:30 +01:00
Kconfig
Kconfig.binfmt
libfs.c
locks.c
Makefile
mbcache.c
mount.h
mpage.c
namei.c vfs: export full_name_hash() function to modules 2012-03-02 19:40:57 -08:00
namespace.c
no-block.c
open.c
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
read_write.h
readdir.c
select.c sys_poll: fix incorrect type for 'timeout' parameter 2012-02-21 17:24:20 -08:00
seq_file.c
signalfd.c epoll: ep_unregister_pollwait() can use the freed pwq->whead 2012-02-24 11:42:50 -08:00
splice.c
stack.c
stat.c
statfs.c
super.c vfs: Provide function to get superblock and wait for it to thaw 2012-02-13 20:45:38 -05:00
sync.c
timerfd.c
utimes.c
xattr_acl.c
xattr.c