From: Sasha Levin <sasha.levin@oracle.com>
Date: Tue, 19 Nov 2013 22:33:03 +0000 (-0500)
Subject: aio: nullify aio->ring_pages after freeing it
X-Git-Tag: v3.12.4~4
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=efbac2ca2f13d43a9aab37b84a3cca4d73b09c7c;p=thirdparty%2Fkernel%2Fstable.git

aio: nullify aio->ring_pages after freeing it

commit ddb8c45ba15149ebd41d7586261c05f7ca37f9a1 upstream.

After freeing ring_pages we leave it as is causing a dangling pointer. This
has already caused an issue so to help catching any issues in the future
NULL it out.

Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
Signed-off-by: Benjamin LaHaise <bcrl@kvack.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/aio.c b/fs/aio.c
index f4103b3634c64..08159ed13649c 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -251,8 +251,10 @@ static void aio_free_ring(struct kioctx *ctx)
 
 	put_aio_ring_file(ctx);
 
-	if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages)
+	if (ctx->ring_pages && ctx->ring_pages != ctx->internal_pages) {
 		kfree(ctx->ring_pages);
+		ctx->ring_pages = NULL;
+	}
 }
 
 static int aio_ring_mmap(struct file *file, struct vm_area_struct *vma)