Commit c0f52986 authored by Lukas Czerner's avatar Lukas Czerner Committed by Greg Kroah-Hartman

fuse: fix use-after-free in fuse_direct_IO()

commit ebacb812 upstream.

In async IO blocking case the additional reference to the io is taken for
it to survive fuse_aio_complete(). In non blocking case this additional
reference is not needed, however we still reference io to figure out
whether to wait for completion or not. This is wrong and will lead to
use-after-free. Fix it by storing blocking information in separate
variable.

This was spotted by KASAN when running generic/208 fstest.
Signed-off-by: default avatarLukas Czerner <lczerner@redhat.com>
Reported-by: default avatarZorro Lang <zlang@redhat.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
Fixes: 744742d6 ("fuse: Add reference counting for fuse_io_priv")
Cc: <stable@vger.kernel.org> # v4.6
Signed-off-by: default avatarGreg Kroah-Hartman <gregkh@linuxfoundation.org>
parent 3363e711
......@@ -2913,10 +2913,12 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
}
if (io->async) {
bool blocking = io->blocking;
fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
/* we have a non-extending, async request, so return */
if (!io->blocking)
if (!blocking)
return -EIOCBQUEUED;
wait_for_completion(&wait);
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment