Sophie

kernel-2.6.18-238.el5.src.rpm

From: Jeff Moyer <jmoyer@redhat.com>
Date: Fri, 3 Sep 2010 18:37:15 -0400
Subject: [fs] aio: fix cleanup in io_submit_one
Message-id: <x49vd6md678.fsf@segfault.boston.devel.redhat.com>
Patchwork-id: 4467
O-Subject: [kernel team] [RHEL5 PATCH] AIO: fix cleanup in io_submit_one(...)
Bugzilla: 631721
CVE: CVE-2010-3066
RH-Acked-by: Rik van Riel <riel@redhat.com>
RH-Acked-by: Jerome Marchand <jmarchan@redhat.com>
RH-Acked-by: Eugene Teo <eugene@redhat.com>

Hi,

This is a backport of the following upstream commit:

commit 87e2831c3fa39cbf6f7ab676bb5aef039b9659e2
Author: Yan Zheng <yanzheng@21cn.com>
Date:   Mon Oct 8 12:16:20 2007 -0700

    AIO: fix cleanup in io_submit_one(...)

    When IOCB_FLAG_RESFD flag is set and iocb->aio_resfd is incorrect,
    statement 'goto out_put_req' is executed. At label 'out_put_req',
    aio_put_req(..) is called, which requires 'req->ki_filp' set.

    Signed-off-by: Yan Zheng<yanzheng@21cn.com>
    Cc: Zach Brown <zach.brown@oracle.com>
    Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
    Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

It's pretty straightforward.  Quite frankly, I have no clue what
bugzilla I should reference here (since there are no fewer than nine of
them, covering two bugs across however many releases), so I'm just going
to pick one and someone in the know can correct me if I'm wrong.  So,
fixes bug 629441.

Comments, as always, are appreciated.

Cheers,
Jeff

Signed-off-by: Jarod Wilson <jarod@redhat.com>

diff --git a/fs/aio.c b/fs/aio.c
index e21f7d4..a4386b6 100644
--- a/fs/aio.c
+++ b/fs/aio.c
@@ -1737,6 +1737,7 @@ int fastcall io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
 		fput(file);
 		return -EAGAIN;
 	}
+	req->ki_filp = file;
 
 	if (iocb->aio_flags & IOCB_FLAG_RESFD) {
 		/*
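Review bot: the moved assignment `req->ki_filp = file;` carries no comment saying why it has to sit above the IOCB_FLAG_RESFD block, namely that every `goto out_put_req` from here on relies on `aio_put_req()` seeing a valid `ki_filp` (the reason given in the commit message); add a one-line comment there so a later tidy-up does not push it back down. The ordering relative to the `-EAGAIN` path just above it is right as shown: that path does its own `fput(file)` and returns before `ki_filp` is ever set, so no double release is introduced by the new position.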
@@ -1751,7 +1752,6 @@ int fastcall io_submit_one(struct kioctx *ctx, struct iocb __user *user_iocb,
 		kiocbSetRESFD(req);
 	}
 
-	req->ki_filp = file;
 	ret = put_user(req->ki_key, &user_iocb->aio_key);
 	if (unlikely(ret)) {
 		dprintk("EFAULT: aio_key\n");
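Review bot: removing the assignment here is the correct half of the reorder, but the hunk context stops at the `dprintk("EFAULT: aio_key\n")` line, so the patch does not show how that EFAULT branch exits. Confirm it uses `goto out_put_req` (and does not also call `fput(file)` directly), because with `ki_filp` now set before the RESFD check, the file reference is owned by the request on every path from that point and must be released exactly once, through `aio_put_req()`.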