From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lukas Czerner, Zorro Lang, Miklos Szeredi
Subject: [PATCH 4.14 098/124] fuse: fix use-after-free in fuse_direct_IO()
Date: Mon, 19 Nov 2018 17:29:12 +0100
Message-Id: <20181119162631.018795157@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181119162612.951907286@linuxfoundation.org>
References: <20181119162612.951907286@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Czerner

commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream.

In the async IO blocking case an additional reference to the io is taken so
that it survives fuse_aio_complete(). In the non-blocking case this additional
reference is not needed; however, we still reference io to figure out whether
to wait for completion or not. This is wrong and will lead to a use-after-free.
Fix it by storing the blocking information in a separate variable.

This was spotted by KASAN when running the generic/208 fstest.

Signed-off-by: Lukas Czerner
Reported-by: Zorro Lang
Signed-off-by: Miklos Szeredi
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: # v4.6
Signed-off-by: Greg Kroah-Hartman
---
 fs/fuse/file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2912,10 +2912,12 @@ fuse_direct_IO(struct kiocb *iocb, struc } if (io->async) { + bool blocking = io->blocking; + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!io->blocking) + if (!blocking) return -EIOCBQUEUED; wait_for_completion(&wait);
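Review bot: the new `bool blocking = io->blocking;` in the `if (io->async)` block must stay above the `fuse_aio_complete(io, ret < 0 ? ret : 0, -1);` call, because in the non-blocking case that call drops the only reference and frees `io`; a one-line comment beside the local saying that `io` may be gone after completion would keep a future cleanup from folding the read back into `if (!blocking)`. The blocking path is consistent with the commit message: its extra reference keeps `io` alive through `wait_for_completion(&wait)`, so only the early-return branch needed the snapshot.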
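To make the lifetime bug in the commit message concrete, here is an added C model of the object and the two code shapes; it is not the kernel's code. `struct fuse_io_priv`, `io_alloc`, `io_put` and `live_io_count` are simplified stand-ins for the real fuse_io_priv, kref and wait_for_completion() machinery, and `direct_io_buggy` / `direct_io_fixed` mirror only the `io->async` branch of fuse_direct_IO().

```c
/* Added model (not kernel code) of the fuse_direct_IO() UAF and its fix;
 * names follow fs/fuse/file.c, the struct and the "wait" are stand-ins. */
#include <stdbool.h>
#include <stdlib.h>

#define EIOCBQUEUED 529   /* Linux errno; the kernel returns -EIOCBQUEUED */
static int live_io_count; /* lets a test prove neither leak nor double free */
struct fuse_io_priv { int refcnt; bool blocking; };

static struct fuse_io_priv *io_alloc(bool blocking)
{
	struct fuse_io_priv *io = calloc(1, sizeof(*io));
	if (!io)
		abort();
	io->blocking = blocking;
	/* A blocking submitter holds one extra reference so that io survives
	 * fuse_aio_complete() until the wait has finished. */
	io->refcnt = blocking ? 2 : 1;
	live_io_count++;
	return io;
}

static void io_put(struct fuse_io_priv *io)
{
	if (--io->refcnt == 0) { live_io_count--; free(io); }
}

/* Drops the submitter's reference; with blocking == false it is the last one. */
static void fuse_aio_complete(struct fuse_io_priv *io) { io_put(io); }

/* Pre-fix shape: io->blocking is read after io may be freed; safe to call only when blocking == true. */
int direct_io_buggy(struct fuse_io_priv *io)
{
	fuse_aio_complete(io);
	if (!io->blocking)   /* use-after-free when blocking == false */
		return -EIOCBQUEUED;
	io_put(io);          /* stands in for wait_for_completion() + final put */
	return 0;
}

/* Fixed shape: copy the flag out while io is still guaranteed alive. */
int direct_io_fixed(struct fuse_io_priv *io)
{
	bool blocking = io->blocking;
	fuse_aio_complete(io);
	if (!blocking)
		return -EIOCBQUEUED;
	io_put(io);          /* stands in for wait_for_completion() + final put */
	return 0;
}
```

Running `direct_io_buggy` with `blocking == false` reads freed memory, which is exactly what KASAN flagged in generic/208; the fixed variant returns -EIOCBQUEUED without touching `io` after completion.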