From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lukas Czerner, Zorro Lang, Miklos Szeredi
Subject: [PATCH 4.9 72/83] fuse: fix use-after-free in fuse_direct_IO()
Date: Mon, 19 Nov 2018 17:29:38 +0100
Message-Id: <20181119162626.093978363@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162612.046511542@linuxfoundation.org>
References: <20181119162612.046511542@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.9-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Czerner

commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream.

In async IO blocking case the additional reference to the io is taken for
it to survive fuse_aio_complete(). In non blocking case this additional
reference is not needed, however we still reference io to figure out
whether to wait for completion or not. This is wrong and will lead to
use-after-free. Fix it by storing blocking information in separate
variable.

This was spotted by KASAN when running generic/208 fstest.

Signed-off-by: Lukas Czerner
Reported-by: Zorro Lang
Signed-off-by: Miklos Szeredi
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: # v4.6
Signed-off-by: Greg Kroah-Hartman
---
 fs/fuse/file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2900,10 +2900,12 @@ fuse_direct_IO(struct kiocb *iocb, struc } if (io->async) { + bool blocking = io->blocking; + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!io->blocking) + if (!blocking) return -EIOCBQUEUED; wait_for_completion(&wait);
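Review bot: the new local at `+ bool blocking = io->blocking;` needs an in-code comment saying why it exists, because nothing in the hunk records the invariant and a later cleanup could fold it back into `if (!io->blocking)`. The commit message supplies the reason: in the non-blocking case no extra reference is held, so fuse_aio_complete() may drop the last reference and free io, and any read through io after that call is a use-after-free. A line such as `/* io may be freed by fuse_aio_complete() in the non-blocking case */` above the declaration would capture that; it is also worth confirming that the path after the call (`return -EIOCBQUEUED`) touches nothing else through io, which the visible context suggests it does not.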
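The commit message above describes a read-after-put on a refcounted object. The following is an added teaching model, not code from the kernel or from this patch: `io_model`, `aio_complete_model`, `should_wait_buggy` and `should_wait_fixed` are constructed stand-ins for fuse_io_priv, fuse_aio_complete() and the two versions of the decision in fuse_direct_IO(), and the last put poisons the object instead of freeing it so the stale read is observable in a test.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Model (not kernel code) of fuse_io_priv: a refcounted request object. */
struct io_model {
    int refs;
    bool blocking;
    bool freed;   /* model only: set when the last reference is dropped */
};

/* Stand-in for fuse_aio_complete() dropping the submitter's reference.
 * Instead of kfree(), the last put poisons the flag and marks the object
 * freed, so a stale read is observable rather than undefined behaviour. */
static void aio_complete_model(struct io_model *io)
{
    if (--io->refs == 0) {
        io->blocking = !io->blocking;
        io->freed = true;
    }
}

/* Before the patch: io is dereferenced after the put. For a non-blocking
 * request the put freed io, so the decision is read from freed memory. */
static bool should_wait_buggy(struct io_model *io)
{
    aio_complete_model(io);
    return io->blocking;
}

/* After the patch: snapshot the flag while the reference is still held. */
static bool should_wait_fixed(struct io_model *io)
{
    bool blocking = io->blocking;
    aio_complete_model(io);
    return blocking;
}

/* Constructed setup: only a blocking request takes the extra reference
 * that lets it survive completion. */
static struct io_model *io_model_new(bool blocking)
{
    struct io_model *io = calloc(1, sizeof(*io));
    io->refs = blocking ? 2 : 1;
    io->blocking = blocking;
    return io;
}
```

In the real kernel the poisoned read is a KASAN-reported use-after-free; the model only makes the wrong decision visible without undefined behaviour.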