Skip to content

L
linux
Switch branch/tag
Find file BlameHistoryPermalink
  • Kirill Tkhai's avatar
    fuse: Fix use-after-free in fuse_dev_do_write() · d2d2d4fb
    Kirill Tkhai authored 
    After we found req in request_find() and released the lock,
everything may happen with the req in parallel:

cpu0                              cpu1
fuse_dev_do_write()               fuse_dev_do_write()
  req = request_find(fpq, ...)    ...
  spin_unlock(&fpq->lock)         ...
  ...                             req = request_find(fpq, oh.unique)
  ...                             spin_unlock(&fpq->lock)
  queue_interrupt(&fc->iq, req);   ...
  ...                              ...
  ...                              ...
  request_end(fc, req);
    fuse_put_request(fc, req);
  ...                              queue_interrupt(&fc->iq, req);
Signed-off-by: default avatarKirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: default avatarMiklos Szeredi <mszeredi@redhat.com>
Fixes: 46c34a34 ("fuse: no fc->lock for pqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
    d2d2d4fb
dev.c 52 KB
GitLab Nexedi Edition | About GitLab | About Nexedi | 沪ICP备2021021310号-2 | 沪ICP备2021021310号-7