review.tizen.org Git - platform/kernel/linux-starfive.git/commit

author	yangerkun <yangerkun@huawei.com>
	Thu, 30 Sep 2021 03:22:28 +0000 (11:22 +0800)
committer	Miklos Szeredi <mszeredi@redhat.com>
	Fri, 29 Oct 2021 11:48:19 +0000 (13:48 +0200)
commit	9a254403760041528bc8f69fe2f5e1ef86950991
tree	8f18843e1fb6bf5cf3b9a9ab2ed6f91737c2eeb8	tree \| snapshot
parent	1dc1eed46f9fa4cb8a07baa24fb44c96d6dd35c9	commit \| diff

ovl: fix use after free in struct ovl_aio_req

Example for triggering use after free in a overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
   * Here IO is completed in a separate thread,
   * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
   */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307ac7d ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>