git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Lukas Czerner <lczerner@redhat.com>
	Fri, 9 Nov 2018 13:51:46 +0000 (14:51 +0100)
committer	Kleber Sacilotto de Souza <kleber.souza@canonical.com>
	Tue, 23 Apr 2019 15:51:48 +0000 (17:51 +0200)
commit	f52bd157607960f1602d5805a899aeb4fed83afe
tree	e6c28035520930b344aea1b318401eb094bd4566	tree
parent	ff94570664fe61f0be998ed01ef1e8559cc6e2a7	commit \| diff

fuse: fix use-after-free in fuse_direct_IO()

BugLink: https://bugs.launchpad.net/bugs/1824553
In async IO blocking case the additional reference to the io is taken for
it to survive fuse_aio_complete(). In non blocking case this additional
reference is not needed, however we still reference io to figure out
whether to wait for completion or not. This is wrong and will lead to
use-after-free. Fix it by storing blocking information in separate
variable.

This was spotted by KASAN when running generic/208 fstest.

Signed-off-by: Lukas Czerner <lczerner@redhat.com>
Reported-by: Zorro Lang <zlang@redhat.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: <stable@vger.kernel.org> # v4.6
(cherry picked from commit ebacb81273599555a7a19f7754a1451206a5fc4f)
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Acked-by: Stefan Bader <stefan.bader@canonical.com>
Acked-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>