From: Lukas Czerner
Date: Fri, 9 Nov 2018 13:51:46 +0000 (+0100)
Subject: fuse: fix use-after-free in fuse_direct_IO()
X-Git-Tag: Ubuntu-4.15.0-49.53~74
X-Git-Url: https://git.proxmox.com/?p=mirror_ubuntu-bionic-kernel.git;a=commitdiff_plain;h=f52bd157607960f1602d5805a899aeb4fed83afe

fuse: fix use-after-free in fuse_direct_IO()

BugLink: https://bugs.launchpad.net/bugs/1824553

In the async IO blocking case the additional reference to the io is taken for it to survive fuse_aio_complete(). In the non-blocking case this additional reference is not needed; however, we still reference io to figure out whether to wait for completion or not. This is wrong and will lead to a use-after-free.

Fix it by storing the blocking information in a separate variable.

This was spotted by KASAN when running the generic/208 fstest.

Signed-off-by: Lukas Czerner
Reported-by: Zorro Lang
Signed-off-by: Miklos Szeredi
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: # v4.6
(cherry picked from commit ebacb81273599555a7a19f7754a1451206a5fc4f)
Signed-off-by: Andrea Righi
Acked-by: Stefan Bader
Acked-by: Kleber Sacilotto de Souza
Signed-off-by: Kleber Sacilotto de Souza
---
diff --git a/fs/fuse/file.c b/fs/fuse/file.c index cb7dff5c45d7..5278c522543b 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -2911,10 +2911,12 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter) } if (io->async) { + bool blocking = io->blocking; + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!io->blocking) + if (!blocking) return -EIOCBQUEUED; wait_for_completion(&wait);
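Review bot: the new `bool blocking = io->blocking;` in the `if (io->async)` block has no comment saying why it must be read before `fuse_aio_complete(io, ...)`, and the ordering is the entire fix: in the non-blocking case the call can drop the last reference to `io`, so the old `if (!io->blocking)` dereferenced freed memory, which is the use-after-free KASAN reported. A future cleanup that "simplifies" the local back to `io->blocking`, or hoists another `io->` read below the call, would silently reintroduce the bug. Suggest a one-line comment on the local, e.g. `/* fuse_aio_complete() may free io; read blocking first */`. Also worth confirming in review that nothing else in this function touches `io` after `fuse_aio_complete()` on the `return -EIOCBQUEUED` path; the blocking path below `wait_for_completion(&wait)` is only safe because of the extra reference the commit message describes, and that dependency is likewise undocumented at the call site.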