In the Linux kernel, the following vulnerability has been resolved:
fs/aio: Check IOCBAIORW before the struct aio_kiocb conversion
The first kiocbsetcancelfn() argument may point at a struct kiocb that is not embedded inside struct aiokiocb. With the current code, depending on the compiler, the req->kictx read happens either before the IOCBAIORW test or after that test. Move the req->kictx read such that it is guaranteed that the IOCBAIORW test happens first.