From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Lukas Czerner, Zorro Lang, Miklos Szeredi
Subject: [PATCH 4.19 159/205] fuse: fix use-after-free in fuse_direct_IO()
Date: Mon, 19 Nov 2018 17:27:46 +0100
Message-Id: <20181119162639.420353842@linuxfoundation.org>
In-Reply-To: <20181119162616.586062722@linuxfoundation.org>
References: <20181119162616.586062722@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
User-Agent: quilt/0.65
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Lukas Czerner

commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream.

In the async IO blocking case the additional reference to the io is taken for it to survive fuse_aio_complete(). In the non-blocking case this additional reference is not needed; however, we still reference io to figure out whether to wait for completion or not. This is wrong and will lead to a use-after-free. Fix it by storing the blocking information in a separate variable.

This was spotted by KASAN when running the generic/208 fstest.

Signed-off-by: Lukas Czerner
Reported-by: Zorro Lang
Signed-off-by: Miklos Szeredi
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: # v4.6
Signed-off-by: Greg Kroah-Hartman

---
 fs/fuse/file.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -2913,10 +2913,12 @@ fuse_direct_IO(struct kiocb *iocb, struc } if (io->async) { + bool blocking = io->blocking; + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!io->blocking) + if (!blocking) return -EIOCBQUEUED; wait_for_completion(&wait);
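Review bot: the new local in `+ bool blocking = io->blocking;` carries the whole fix, but nothing in the hunk says why it has to be read before `fuse_aio_complete(io, ret < 0 ? ret : 0, -1);`; the only nearby comment, "we have a non-extending, async request, so return", describes control flow, not lifetime. Suggest a one-line comment above the local stating that fuse_aio_complete() may drop the last reference to `io` in the non-blocking case, so `io` must not be dereferenced after that call. Without it, a later cleanup could fold `blocking` back into `io->blocking` and reintroduce the use-after-free the commit message describes.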
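The reference-lifetime mistake described in the commit message, as a stand-alone C model added here (not kernel code): a constructed `struct io_priv` stands in for fuse_io_priv, `aio_complete()` for fuse_aio_complete(), and a `freed` flag plus a checked accessor stand in for kfree() and KASAN, so the read that the pre-fix flow performs after its reference is gone is counted instead of crashing. The function names `finish_buggy`, `finish_fixed` and `run_nonblocking` are assumptions for this example.

```c
#include <stdbool.h>
#define EIOCBQUEUED 529   /* value from include/linux/errno.h */

/* Constructed stand-in for struct fuse_io_priv; "freed" replaces kfree() */
struct io_priv { int refcnt; bool blocking; bool freed; };

static int uaf_reports;   /* KASAN-style counter of reads from a freed object */
/* Stand-in for fuse_aio_complete(): drop our reference, "free" at zero */
static void aio_complete(struct io_priv *io)
{
    if (--io->refcnt == 0)
        io->freed = true;
}

/* Checked field read: records a use-after-free instead of crashing */
static bool read_blocking(struct io_priv *io)
{
    if (io->freed)
        uaf_reports++;
    return io->blocking;
}

/* Pre-fix flow: tests io->blocking after the reference may be gone */
static int finish_buggy(struct io_priv *io)
{
    aio_complete(io);
    if (!read_blocking(io))
        return -EIOCBQUEUED;
    return 0;   /* blocking case would wait_for_completion() here */
}

/* Post-fix flow: copy the flag while our reference still keeps io alive */
static int finish_fixed(struct io_priv *io)
{
    bool blocking = read_blocking(io);
    aio_complete(io);
    if (!blocking)
        return -EIOCBQUEUED;
    return 0;
}

/* Non-blocking async io holding a single reference: the case the commit fixes */
static int run_nonblocking(int (*finish)(struct io_priv *))
{
    struct io_priv io = { .refcnt = 1, .blocking = false, .freed = false };
    uaf_reports = 0;
    finish(&io);
    return uaf_reports;
}
```

In the blocking case both flows are safe because the extra reference the commit message mentions keeps the object alive across the completion call; only the non-blocking path distinguishes them.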