--- /dev/null
+From f8567a3845ac05bb28f3c1b478ef752762bd39ef Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:12:55 -0400
+Subject: aio: fix aio request leak when events are reaped by userspace
+
+From: Benjamin LaHaise <bcrl@kvack.org>
+
+commit f8567a3845ac05bb28f3c1b478ef752762bd39ef upstream.
+
+The aio cleanups and optimizations by kmo that were merged into the 3.10
+tree added a regression for userspace event reaping. Specifically, the
+reference counts are not decremented if the event is reaped in userspace,
+leading to the application being unable to submit further aio requests.
+This patch applies to 3.12+. A separate backport is required for 3.10/3.11.
+This issue was uncovered as part of CVE-2014-0206.
+
+[jmoyer@redhat.com: backported to 3.10]
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 4 +---
+ 1 file changed, 1 insertion(+), 3 deletions(-)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -310,7 +310,6 @@ static void free_ioctx(struct kioctx *ct
+
+ avail = (head <= ctx->tail ? ctx->tail : ctx->nr_events) - head;
+
+- atomic_sub(avail, &ctx->reqs_active);
+ head += avail;
+ head %= ctx->nr_events;
+ }
+@@ -678,6 +677,7 @@ void aio_complete(struct kiocb *iocb, lo
+ put_rq:
+ /* everything turned out well, dispose of the aiocb. */
+ aio_put_req(iocb);
++ atomic_dec(&ctx->reqs_active);
+
+ /*
+ * We have to order our ring_info tail store above and test
+@@ -755,8 +755,6 @@ static long aio_read_events_ring(struct
+ flush_dcache_page(ctx->ring_pages[0]);
+
+ pr_debug("%li h%u t%u\n", ret, head, ctx->tail);
+-
+- atomic_sub(ret, &ctx->reqs_active);
+ out:
+ mutex_unlock(&ctx->ring_lock);
+
--- /dev/null
+From edfbbf388f293d70bf4b7c0bc38774d05e6f711a Mon Sep 17 00:00:00 2001
+From: Benjamin LaHaise <bcrl@kvack.org>
+Date: Tue, 24 Jun 2014 13:32:51 -0400
+Subject: aio: fix kernel memory disclosure in io_getevents() introduced in v3.10
+
+From: Benjamin LaHaise <bcrl@kvack.org>
+
+commit edfbbf388f293d70bf4b7c0bc38774d05e6f711a upstream.
+
+A kernel memory disclosure was introduced in aio_read_events_ring() in v3.10
+by commit a31ad380bed817aa25f8830ad23e1a0480fef797. The changes made to
+aio_read_events_ring() failed to correctly limit the index into
+ctx->ring_pages[], allowing an attacked to cause the subsequent kmap() of
+an arbitrary page with a copy_to_user() to copy the contents into userspace.
+This vulnerability has been assigned CVE-2014-0206. Thanks to Mateusz and
+Petr for disclosing this issue.
+
+This patch applies to v3.12+. A separate backport is needed for 3.10/3.11.
+
+[jmoyer@redhat.com: backported to 3.10]
+Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
+Signed-off-by: Jeff Moyer <jmoyer@redhat.com>
+Cc: Mateusz Guzik <mguzik@redhat.com>
+Cc: Petr Matousek <pmatouse@redhat.com>
+Cc: Kent Overstreet <kmo@daterainc.com>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ fs/aio.c | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/fs/aio.c
++++ b/fs/aio.c
+@@ -717,6 +717,8 @@ static long aio_read_events_ring(struct
+ if (head == ctx->tail)
+ goto out;
+
++ head %= ctx->nr_events;
++
+ while (ret < nr) {
+ long avail;
+ struct io_event *ev;
projects / thirdparty / kernel / stable-queue.git / commitdiff
