The commit is pushed to "branch-rh8-4.18.0-305.3.1.vz8.7.x-ovz" and will appear 
at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-305.3.1.vz8.7.7
------>
commit 208c07541079cc707568fe470c96e7595ee788bc
Author: Alexey Kuznetsov <[email protected]>
Date:   Wed Aug 18 04:52:55 2021 +0800

    fuse: fix use after free
    
    Port mistake. Field io->file has gone in mainstream, but
    use of io->iocb->ki_filp is invalid, io->iocb is already freed.
    Add io->file back, but use it only in this context.
    
    It is quite possible that this does not fix the bug reported in #VSTOR-45882:
    the state observed there is too strange to be explained even by a reference
    to a reused io->iocb. Nevertheless, the stale io->iocb->ki_filp access is a
    severe bug in its own right.
    
    Affects: #VSTOR-45882
    https://pmc.acronis.com/browse/VSTOR-45882
    
    Signed-off-by: Alexey Kuznetsov <[email protected]>
    Acked-by: Andrey Zaitsev <[email protected]>
---
 fs/fuse/file.c   | 3 ++-
 fs/fuse/fuse_i.h | 1 +
 2 files changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 6b273984bbb8..cda5bb82dff3 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -817,7 +817,7 @@ static void fuse_fput_routine(struct work_struct *data)
                struct fuse_io_priv *io = list_entry(fuse_fput_head.next,
                                                     struct fuse_io_priv,
                                                     list);
-               struct file *file = io->iocb->ki_filp;
+               struct file *file = io->file;
 
                list_del(&io->list);
                spin_unlock(&fuse_fput_lock);
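Review bot: The new read `struct file *file = io->file;` should carry a comment explaining why the obvious `io->iocb->ki_filp` must not be used here, because nothing in this loop says that the kiocb has already been completed and freed by the time the entry reaches the worker; something like `/* io->iocb was completed in fuse_aio_complete and may be freed; only io->file is valid here */`. fuse_fput_routine starts before the hunk and its body continues after the unlock, so what is done with file and io afterwards is not visible.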
@@ -895,6 +895,7 @@ static void fuse_aio_complete(struct fuse_io_priv *io, int 
err, ssize_t pos)
                io->iocb->ki_complete(io->iocb, res, 0);
 
                if (unlikely(atomic_long_dec_and_test(&file->f_count))) {
+                       io->file = file;
                        spin_lock(&fuse_fput_lock);
                        list_add(&io->list, &fuse_fput_head);
                        spin_unlock(&fuse_fput_lock);
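Review bot: After `io->iocb->ki_complete(io->iocb, res, 0);` the kiocb may be freed, yet `io->iocb` still points at it while io sits on fuse_fput_head; poisoning it right after the completion call, `io->iocb = NULL;`, would turn any remaining late access into a deterministic NULL dereference instead of the silent reuse the commit message could not explain. The fix also relies on `file` having been read out of the iocb before ki_complete ran; its definition is outside the hunk (fuse_aio_complete starts before it), so that ordering should be confirmed. Only poison the pointer if nothing legitimately reads io->iocb after completion on the queued path, which cannot be seen from here.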
diff --git a/fs/fuse/fuse_i.h b/fs/fuse/fuse_i.h
index 014c44ec9e26..eb028d0d3951 100644
--- a/fs/fuse/fuse_i.h
+++ b/fs/fuse/fuse_i.h
@@ -357,6 +357,7 @@ struct fuse_io_priv {
        struct completion *done;
        bool blocking;
        struct list_head list;
+       struct file * file;
 };
 
 #define FUSE_IO_PRIV_SYNC(i) \
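Review bot: The new member is written `struct file * file;`, which departs from the kernel convention of binding the declarator to the name; it should read `struct file *file;`. The field is assigned on one path only and holds garbage or a stale pointer everywhere else, so it deserves a comment stating that contract, e.g. `/* file whose last reference is being dropped; valid only while this io is queued on fuse_fput_head */`. The opening of struct fuse_io_priv appears only in the hunk header, so the rest of the struct is not visible.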