From: Al Viro
To: Linus Torvalds
Cc: Eric Dumazet, David Miller, Jason Baron, kgraul@linux.ibm.com, ktkhai@virtuozzo.com, kyeongdon.kim@lge.com, Linux List Kernel Mailing, Netdev, pabeni@redhat.com, syzkaller-bugs@googlegroups.com, xiyou.wangcong@gmail.com, Christoph Hellwig, zhengbin, bcrl@kvack.org, linux-fsdevel@vger.kernel.org, linux-aio@kvack.org, houtao1@huawei.com, yi.zhang@huawei.com
Subject: [PATCH 1/8] aio: make sure file is pinned
Date: Thu, 7 Mar 2019 00:03:09 +0000
Message-Id: <20190307000316.31133-1-viro@ZenIV.linux.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Al Viro "aio: remove the extra get_file/fput pair in io_submit_one" was too optimistic - not dereferencing file pointer after e.g. ->write_iter() returns is not enough; that reference might've been the only thing that kept alive objects that are referenced *before* the method returns. Such as inode, for example... Signed-off-by: Al Viro --- fs/aio.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/fs/aio.c b/fs/aio.c index 3d9669d011b9..ea30b78187ed 100644 --- a/fs/aio.c +++ b/fs/aio.c @@ -1790,6 +1790,7 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, struct iocb __user *user_iocb, bool compat) { struct aio_kiocb *req; + struct file *file; ssize_t ret; /* enforce forwards compatibility on users */ @@ -1844,6 +1845,7 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, req->ki_user_iocb = user_iocb; req->ki_user_data = iocb->aio_data; + file = get_file(req->ki_filp); /* req can die too early */ switch (iocb->aio_lio_opcode) { case IOCB_CMD_PREAD: @@ -1872,6 +1874,7 @@ static int __io_submit_one(struct kioctx *ctx, const struct iocb *iocb, ret = -EINVAL; break; } + fput(file); /* * If ret is 0, we'd either done aio_complete() ourselves or have -- 2.11.0
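
Review bot: the comment on "file = get_file(req->ki_filp);" in the second hunk, "req can die too early", understates what the reference protects. Per the commit message the concern is objects reached through the file, such as the inode, that the method is still using when req and its file reference go away; spelling that out in the comment would keep the get_file/fput pair from being removed again as redundant.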
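
Review bot: fput(file) after the switch in the third hunk balances the get_file() only on paths that leave the switch through break. The default case visible here does (ret = -EINVAL; break;), but the opcode cases not shown in this hunk should be checked for any return or goto that would skip the fput and leak the reference.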
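
The lifetime rule the commit message describes, as an added example that is not part of the patch or of fs/aio.c: a single-threaded toy model in which the completion path drops the request's file reference while the method is still using the inode. All names (toy_file, toy_inode, toy_write_iter, submit_one) are hypothetical, and "released" is a flag standing in for an actual free so the late access can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>

/* Toy model constructed for illustration; not kernel code. */
struct toy_inode { bool released; };
struct toy_file  { int refs; struct toy_inode *inode; };

static struct toy_file *toy_get(struct toy_file *f) { f->refs++; return f; }

/* Dropping the last reference releases what the file kept alive. */
static void toy_put(struct toy_file *f)
{
    if (--f->refs == 0)
        f->inode->released = true;
}

/* Stand-in for ->write_iter(): the I/O completes and the completion path
 * drops the request's file reference before the method has finished
 * touching the inode. */
static bool toy_write_iter(struct toy_file *f)
{
    struct toy_inode *inode = f->inode;
    toy_put(f);              /* completion: the request's reference goes away */
    return inode->released;  /* the method's later use of the inode */
}

/* Returns true if the method touched an inode that was already released. */
bool submit_one(bool pin)
{
    struct toy_inode inode = { .released = false };
    struct toy_file file = { .refs = 1, .inode = &inode }; /* request's ref */
    struct toy_file *held = pin ? toy_get(&file) : NULL;   /* submitter's pin */
    bool stale = toy_write_iter(&file);

    if (held)
        toy_put(held);       /* mirrors fput(file) after the switch */
    return stale;
}

int main(void)
{
    printf("without pin: stale inode access = %d\n", submit_one(false));
    printf("with pin:    stale inode access = %d\n", submit_one(true));
    return 0;
}
```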