From patchwork Tue Mar 22 13:52:00 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 600793
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][xenial] fuse: do not use iocb after it may have been freed
Date: Tue, 22 Mar 2016 08:52:00 -0500
Message-Id: <1458654721-63028-4-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1458654721-63028-1-git-send-email-seth.forshee@canonical.com>
References: <1458654721-63028-1-git-send-email-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Robert Doebbelin

BugLink: http://bugs.launchpad.net/bugs/1505948

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed. The fix in
this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

kernel: ==================================================================
kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin
Signed-off-by: Miklos Szeredi
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
Cc: # 3.10+
(cherry picked from commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git)
Signed-off-by: Seth Forshee
---
 fs/fuse/file.c | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 119f35ff..65ca924 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2798,6 +2798,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) loff_t i_size; size_t count = iov_iter_count(iter); struct fuse_io_priv *io; + bool is_sync = is_sync_kiocb(iocb); pos = offset; inode = file->f_mapping->host;
@@ -2837,11 +2838,11 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) * to wait on real async I/O requests, so we must submit this request * synchronously. */ - if (!is_sync_kiocb(iocb) && (offset + count > i_size) && + if (!is_sync && (offset + count > i_size) && iov_iter_rw(iter) == WRITE) io->async = false; - if (io->async && is_sync_kiocb(iocb)) + if (io->async && is_sync) io->done = &wait; if (iov_iter_rw(iter) == WRITE) {
@@ -2855,7 +2856,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!is_sync_kiocb(iocb)) + if (!is_sync) return -EIOCBQUEUED; wait_for_completion(&wait);
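Review bot: the new local `bool is_sync = is_sync_kiocb(iocb);` in the first hunk (the @@ -2798 hunk) needs a one-line comment saying why the value is captured up front: the iocb may be freed once asynchronous I/O completes, so it must not be read after the request has been submitted. Without that comment the cached value reads as a gratuitous temporary, and a later cleanup could fold it back into the checks it was introduced to protect.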
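Review bot: the two substitutions in the second hunk (the @@ -2837 hunk), `if (!is_sync && (offset + count > i_size) &&` and `if (io->async && is_sync)`, sit before the `if (iov_iter_rw(iter) == WRITE) {` branch that submits the I/O, so the reads of iocb they replace were not themselves the use-after-free. Changing them is right for consistency, but the commit message should say that the hazardous read is the one after completion, so that backporters do not treat this hunk as the load-bearing part of the fix.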
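Review bot: the check `if (!is_sync) return -EIOCBQUEUED;` in the third hunk (the @@ -2855 hunk) is the actual fix, because it follows `fuse_aio_complete(io, ret < 0 ? ret : 0, -1);`, after which an asynchronous completion may already have run and released the iocb; the old `is_sync_kiocb(iocb)` dereferenced memory that could be freed, which is exactly what the KASan report in the commit message shows. The existing comment `/* we have a non-extending, async request, so return */` should be extended to state that neither iocb nor anything reached through it may be touched past this point, so the pattern does not reappear in a later edit.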