From patchwork Tue Mar 22 13:51:58 2016
X-Patchwork-Submitter: Seth Forshee
X-Patchwork-Id: 600794
From: Seth Forshee
To: kernel-team@lists.ubuntu.com
Subject: [PATCH 1/2][wily] fuse: do not use iocb after it may have been freed
Date: Tue, 22 Mar 2016 08:51:58 -0500
Message-Id: <1458654721-63028-2-git-send-email-seth.forshee@canonical.com>
In-Reply-To: <1458654721-63028-1-git-send-email-seth.forshee@canonical.com>
References: <1458654721-63028-1-git-send-email-seth.forshee@canonical.com>
List-Id: Kernel team discussions
From: Robert Doebbelin BugLink: http://bugs.launchpad.net/bugs/1505948 There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an iocb that could have been freed if async io has already completed. The fix in this case is simple and obvious: cache the result before starting io. It was discovered by KASan: kernel: ================================================================== kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390 Signed-off-by: Robert Doebbelin Signed-off-by: Miklos Szeredi Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO") Cc: # 3.10+ (cherry picked from commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse.git) Signed-off-by: Seth Forshee --- fs/fuse/file.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index 195476a..9e80d01 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -2786,6 +2786,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) loff_t i_size; size_t count = iov_iter_count(iter); struct fuse_io_priv *io; + bool is_sync = is_sync_kiocb(iocb); pos = offset; inode = file->f_mapping->host; @@ -2825,11 +2826,11 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) * to wait on real async I/O requests, so we must submit this request * synchronously. */ - if (!is_sync_kiocb(iocb) && (offset + count > i_size) && + if (!is_sync && (offset + count > i_size) && iov_iter_rw(iter) == WRITE) io->async = false; - if (io->async && is_sync_kiocb(iocb)) + if (io->async && is_sync) io->done = &wait; if (iov_iter_rw(iter) == WRITE) { @@ -2843,7 +2844,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset) fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!is_sync_kiocb(iocb)) + if (!is_sync) return -EIOCBQUEUED; wait_for_completion(&wait);
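Review bot: the new `bool is_sync = is_sync_kiocb(iocb);` declaration in the first hunk has no comment saying why the value is captured up front, so a later cleanup could fold it straight back into the call sites and reintroduce the bug. Suggest a one-line comment at the declaration noting that the iocb may be freed once asynchronous completion has run and therefore must not be dereferenced after submission; that reasoning currently lives only in the commit message and the KASan report.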
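Review bot: the third hunk is the actual use-after-free site: `fuse_aio_complete(io, ret < 0 ? ret : 0, -1);` may already have run the iocb's completion, after which the original `if (!is_sync_kiocb(iocb))` read freed memory, matching the `fuse_direct_IO+0xb1a/0xcc0` KASan report in the description. Switching it to the cached `is_sync` is the right fix; please confirm that nothing else in fuse_direct_IO() after fuse_aio_complete() touches `iocb`, since the visible context stops at `wait_for_completion(&wait);` and the rest of the function tail is not shown in this hunk.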
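The race the commit message describes (a field of the iocb re-read after asynchronous completion may already have freed it) is easier to see in a small user-space model. The following is an added example, not the kernel's code or part of this patch: `struct kiocb`, `is_sync_kiocb()`, `fuse_aio_complete()` and the two `direct_io_*` functions are constructed stand-ins that keep only the shape of the real code, and a `freed` flag plus a `uaf_reports` counter take the place of KASan. The value of `EIOCBQUEUED` is the one from the kernel's `include/linux/errno.h`.

```c
/* Added example (not the kernel's code): a constructed model of the
 * fuse_direct_IO() use-after-free and of the fix that caches the
 * is_sync result before the request is handed off. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

#define EIOCBQUEUED 529  /* value from include/linux/errno.h */

struct kiocb {
    /* NULL means synchronous, mirroring what is_sync_kiocb() tests. */
    void (*ki_complete)(struct kiocb *, long);
    /* Constructed: set by the owner's completion instead of a real free(). */
    bool freed;
};

/* Stand-in for a KASan report: bumped on every access to a "freed" iocb. */
static int uaf_reports;

static bool is_sync_kiocb(const struct kiocb *iocb)
{
    if (iocb->freed)
        uaf_reports++;
    return iocb->ki_complete == NULL;
}

/* The submitter's completion callback: once it runs, the submitter owns
 * the iocb again and may release it. Here it is only marked freed. */
static void caller_complete(struct kiocb *iocb, long res)
{
    (void)res;
    iocb->freed = true;
}

/* Stand-in for fuse_aio_complete(): for an async request the completion
 * runs immediately, the worst case the commit message describes. */
static void fuse_aio_complete(struct kiocb *iocb, bool async, long res)
{
    if (async && iocb->ki_complete)
        iocb->ki_complete(iocb, res);
}

/* Shape of the code before the fix: is_sync_kiocb() is evaluated again
 * after completion may already have run. */
long direct_io_before(struct kiocb *iocb)
{
    bool async = !is_sync_kiocb(iocb);

    fuse_aio_complete(iocb, async, 0);
    if (!is_sync_kiocb(iocb))   /* touches iocb after it may be gone */
        return -EIOCBQUEUED;
    return 0;
}

/* Shape after the fix: the result is cached before the hand-off, and the
 * iocb is never dereferenced once completion could have run. */
long direct_io_after(struct kiocb *iocb)
{
    bool is_sync = is_sync_kiocb(iocb);

    fuse_aio_complete(iocb, !is_sync, 0);
    if (!is_sync)
        return -EIOCBQUEUED;
    return 0;
}

/* Runs one variant on a fresh async iocb and returns how many accesses to
 * the freed object the stand-in detector counted. */
int run_async(long (*fn)(struct kiocb *))
{
    struct kiocb iocb = { .ki_complete = caller_complete, .freed = false };

    uaf_reports = 0;
    fn(&iocb);
    return uaf_reports;
}

int main(void)
{
    printf("before fix: %d access(es) to freed iocb\n", run_async(direct_io_before));
    printf("after fix:  %d access(es) to freed iocb\n", run_async(direct_io_after));
    return 0;
}
```

The synchronous path is unaffected in both versions because no completion callback runs before the post-submission check; the defect only appears when ownership of the iocb has been handed to the asynchronous completion, which is why capturing the property before submission is the whole fix.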