ovl: fix use after free in struct ovl_aio_req

author yangerkun <yangerkun@huawei.com>

Thu, 30 Sep 2021 03:22:28 +0000 (11:22 +0800)

committer Andrea Righi <andrea.righi@canonical.com>

Tue, 4 Jan 2022 08:48:11 +0000 (09:48 +0100)
author yangerkun <yangerkun@huawei.com>
Thu, 30 Sep 2021 03:22:28 +0000 (11:22 +0800)
committer Andrea Righi <andrea.righi@canonical.com>
Tue, 4 Jan 2022 08:48:11 +0000 (09:48 +0100)
diff --git a/fs/overlayfs/file.c b/fs/overlayfs/file.c

index 3cd332cb77c9f4af254be48216d441402029c17c..d0c96ca0202eb3d9541c8e0920f26bb723ce0d60 100644 (file)
--- a/fs/overlayfs/file.c
+++ b/fs/overlayfs/file.c
@@ -17,6 +17,7 @@
  
  struct ovl_aio_req {
         struct kiocb iocb;
+       refcount_t ref;
         struct kiocb *orig_iocb;
         struct fd fd;
  };
@@ -254,6 +255,14 @@ static rwf_t ovl_iocb_to_rwf(int ifl)
         return flags;
  }
  
+static inline void ovl_aio_put(struct ovl_aio_req *aio_req)
+{
+       if (refcount_dec_and_test(&aio_req->ref)) {
+               fdput(aio_req->fd);
+               kmem_cache_free(ovl_aio_request_cachep, aio_req);
+       }
+}
+
  static void ovl_aio_cleanup_handler(struct ovl_aio_req *aio_req)
  {
         struct kiocb *iocb = &aio_req->iocb;
@@ -270,8 +279,7 @@ static void ovl_aio_cleanup_handler(struct ovl_aio_req *aio_req)
         }
  
         orig_iocb->ki_pos = iocb->ki_pos;
-       fdput(aio_req->fd);
-       kmem_cache_free(ovl_aio_request_cachep, aio_req);
+       ovl_aio_put(aio_req);
  }
  
  static void ovl_aio_rw_complete(struct kiocb *iocb, long res, long res2)
@@ -321,7 +329,9 @@ static ssize_t ovl_read_iter(struct kiocb *iocb, struct iov_iter *iter)
                 aio_req->orig_iocb = iocb;
                 kiocb_clone(&aio_req->iocb, iocb, real.file);
                 aio_req->iocb.ki_complete = ovl_aio_rw_complete;
+               refcount_set(&aio_req->ref, 2);
                 ret = vfs_iocb_iter_read(real.file, &aio_req->iocb, iter);
+               ovl_aio_put(aio_req);
                 if (ret != -EIOCBQUEUED)
                         ovl_aio_cleanup_handler(aio_req);
         }
@@ -392,7 +402,9 @@ static ssize_t ovl_write_iter(struct kiocb *iocb, struct iov_iter *iter)
                 kiocb_clone(&aio_req->iocb, iocb, real.file);
                 aio_req->iocb.ki_flags = ifl;
                 aio_req->iocb.ki_complete = ovl_aio_rw_complete;
+               refcount_set(&aio_req->ref, 2);
                 ret = vfs_iocb_iter_write(real.file, &aio_req->iocb, iter);
+               ovl_aio_put(aio_req);
                 if (ret != -EIOCBQUEUED)
                         ovl_aio_cleanup_handler(aio_req);
         }
author	yangerkun <yangerkun@huawei.com>
	Thu, 30 Sep 2021 03:22:28 +0000 (11:22 +0800)
committer	Andrea Righi <andrea.righi@canonical.com>
	Tue, 4 Jan 2022 08:48:11 +0000 (09:48 +0100)