projects / platform / kernel / linux-rpi.git / commit
? search:
summary | shortlog | log | commit | commitdiff | tree
(parent: af7d25d) | patch
ovl: fix use after free in struct ovl_aio_req
authoryangerkun <yangerkun@huawei.com>
Thu, 30 Sep 2021 03:22:28 +0000 (11:22 +0800)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Thu, 18 Nov 2021 13:03:49 +0000 (14:03 +0100)
commit4fd9f0509a1452b45e89c668e2bab854cb05cd25
tree522bff7811a72f685ffec62e3bf8cbfd193ad81ctree | snapshot
parentaf7d25d7853c286126e660e59cfa52c026334881commit | diff
ovl: fix use after free in struct ovl_aio_req

commit 9a254403760041528bc8f69fe2f5e1ef86950991 upstream.

Example for triggering use after free in a overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
   * Here IO is completed in a separate thread,
   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307ac7d ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/overlayfs/file.c diff | blob | history
Domain: System / Kernel;