Received: by 2002:a05:6358:4e97:b0:b3:742d:4702 with SMTP id ce23csp5157428rwb; Wed, 17 Aug 2022 12:07:09 -0700 (PDT) X-Google-Smtp-Source: AA6agR6x9+dkegKuDXDtmyXAwpH/MIWE0JqcGLRyM4B9lODLd5Djc7KL1J/zTXEEthf1iQDYf74P X-Received: by 2002:a05:6402:4446:b0:43b:e1f4:8525 with SMTP id o6-20020a056402444600b0043be1f48525mr24567228edb.236.1660763229228; Wed, 17 Aug 2022 12:07:09 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1660763229; cv=none; d=google.com; s=arc-20160816; b=pxTgNvvwlBejMMEqU2DCHey5b8XKmORH2jJ1MW9ae4yS7x5Wy7GIJmjokGqf/DQz5H wjyZRphRUZgtPscJhBt69dIFVQV6xB7UoJFfD/KkcQPL2JWUlC71fU52OeUY+rdxtvsU 7868Q8ZJsqm9MNR+66HruQG3CZtX5S/nYCpnRSmJBPJme8G62it/R/3jNpS27rAut5QE Bx+3txeHRJeg+CioTrwQPpFqbMAWQ5GVzBPeAYRm1Iat0scJ/TSkPFh+hYt2HzH7FQ8u tp6EJigSY8lefgMy5y9CK2sqwueXdwdsGi4EVibvzU8Qyq/ni0SyR+vFoY4jWCL1M2Ih dpfA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent :content-transfer-encoding:references:in-reply-to:date:cc:to:from :subject:message-id:dkim-signature; bh=qrjdsIuwGu9u5//Dr5rs0xvSza58iCI9aGeE9NNFKc0=; b=u/SCJtS8+ulWKmpztwYPYV9ALSzLQcmQnXE12CkTe+kIIY0HlDNqXSoT3y3HhXDl11 /O/H0+LeBDZT8WzVZHkxA/3Sr8RT9c0RMPmPeY3P9643Exi0awtFfNhZLsYUH20G3kHd 1tV1mWdGE+ZrQ7Gek/QwC5+XmACrhX2jJ+JCeaWY1bV3uiAXvpz/smX3N++VtXgO9aek uPJdDDzk+7WQVe8RtqAq7rfzcZvHho2KuEEUcoZiSSu5lFv2HksgTwi/n9ENalRRcfv7 ym4npKOSO74c7GASpS/aLdiej06HNHeLTQqKbhX0y8mMQ+tv1M1eS3Afkml0+x6qqDxH 2QLg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=m2hF+lr7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id nd22-20020a170907629600b00738795d6591si5351915ejc.434.2022.08.17.12.06.38; Wed, 17 Aug 2022 12:07:09 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=m2hF+lr7; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231651AbiHQSnD (ORCPT + 99 others); Wed, 17 Aug 2022 14:43:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:46172 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239643AbiHQSnB (ORCPT ); Wed, 17 Aug 2022 14:43:01 -0400 Received: from dfw.source.kernel.org (dfw.source.kernel.org [IPv6:2604:1380:4641:c500::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D7C27A00E5; Wed, 17 Aug 2022 11:43:00 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id F08CC6138B; Wed, 17 Aug 2022 18:42:59 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id A5665C433D6; Wed, 17 Aug 2022 18:42:58 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1660761779; bh=mZlL2HyXzYY0uChXc/V3+qQzkCuusK5P5PJx7zGmsH8=; h=Subject:From:To:Cc:Date:In-Reply-To:References:From; b=m2hF+lr71XxxwoN9szdS3g6zeud9f/3jjfq8Qvgq5GRTR7U5Ho7resONzKNOtmHvs xJ7ulDj1xLhwqxexs8GE6tOMaykayDoff2GvSUaqI2WzWIeXEnLImXRl6ZpIan6lrE mugM5xO9aHj9epx8UW5nTNDHBkm58T9FUYXxWxxV1sdI6acLFlx+tfqM5zpJrJjYaQ FpLgLuxV3RrKg6fXetCnwscitVMamBDbKHcjyEeBz6xh7bTXgCiQjqESvs9im0hqlU MULEpGLaMmGW2ObdV91Bqq3sE9El9umcoyehOQ28C42lg7o4KEjHSrem8GsSyqRUMb 4wGjF7jEx6L3g== Message-ID: Subject: Re: [PATCH v2] locks: Fix dropped call to ->fl_release_private() From: Jeff Layton To: David Howells Cc: Kuniyuki Iwashima , Chuck Lever , Marc Dionne , linux-afs@lists.infradead.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org Date: Wed, 17 Aug 2022 14:42:57 -0400 In-Reply-To: <166076168742.3677624.2936950729624462101.stgit@warthog.procyon.org.uk> References: <166076168742.3677624.2936950729624462101.stgit@warthog.procyon.org.uk> Content-Type: text/plain; charset="ISO-8859-15" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.44.4 (3.44.4-1.fc36) MIME-Version: 1.0 X-Spam-Status: No, score=-7.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, 2022-08-17 at 19:41 +0100, David Howells wrote: > Prior to commit 4149be7bda7e, sys_flock() would allocate the file_lock > struct it was going to use to pass parameters, call ->flock() and then ca= ll > locks_free_lock() to get rid of it - which had the side effect of calling > locks_release_private() and thus ->fl_release_private(). >=20 > With commit 4149be7bda7e, however, this is no longer the case: the struct > is now allocated on the stack, and locks_free_lock() is no longer called = - > and thus any remaining private data doesn't get cleaned up either. >=20 > This causes afs flock to cause oops. Kasan catches this as a UAF by the > list_del_init() in afs_fl_release_private() for the file_lock record > produced by afs_fl_copy_lock() as the original record didn't get delisted= . > It can be reproduced using the generic/504 xfstest. >=20 > Fix this by reinstating the locks_release_private() call in sys_flock(). > I'm not sure if this would affect any other filesystems. If not, then th= e > release could be done in afs_flock() instead. >=20 > Changes > =3D=3D=3D=3D=3D=3D=3D > ver #2) > - Don't need to call ->fl_release_private() after calling the security > hook, only after calling ->flock(). >=20 > Fixes: 4149be7bda7e ("fs/lock: Don't allocate file_lock in flock_make_loc= k().") > cc: Kuniyuki Iwashima > cc: Chuck Lever > cc: Jeff Layton > cc: Marc Dionne > cc: linux-afs@lists.infradead.org > cc: linux-fsdevel@vger.kernel.org > Link: https://lore.kernel.org/r/166075758809.3532462.13307935588777587536= .stgit@warthog.procyon.org.uk/ # v1 > --- >=20 > fs/locks.c | 1 + > 1 file changed, 1 insertion(+) >=20 > diff --git a/fs/locks.c b/fs/locks.c > index c266cfdc3291..607f94a0e789 100644 > --- a/fs/locks.c > +++ b/fs/locks.c > @@ -2129,6 +2129,7 @@ SYSCALL_DEFINE2(flock, unsigned int, fd, unsigned i= nt, cmd) > else > error =3D locks_lock_file_wait(f.file, &fl); > =20 > + locks_release_private(&fl); > out_putf: > fdput(f); > =20 >=20 >=20 Looks good. I'll get this into -next and plan to get it up to Linus soon. Thanks! --=20 Jeff Layton