Patch "fuse: fix use-after-free in fuse_direct_IO()" has been added to the 4.19-stable tree

<gregkh@xxxxxxxxxxxxxxxxxxx> · Mon, 19 Nov 2018 14:00:04 +0100

This is a note to let you know that I've just added the patch titled

    fuse: fix use-after-free in fuse_direct_IO()

to the 4.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     fuse-fix-use-after-free-in-fuse_direct_io.patch
and it can be found in the queue-4.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.


>From ebacb81273599555a7a19f7754a1451206a5fc4f Mon Sep 17 00:00:00 2001
From: Lukas Czerner <lczerner@xxxxxxxxxx>
Date: Fri, 9 Nov 2018 14:51:46 +0100
Subject: fuse: fix use-after-free in fuse_direct_IO()

From: Lukas Czerner <lczerner@xxxxxxxxxx>

commit ebacb81273599555a7a19f7754a1451206a5fc4f upstream.

In async IO blocking case the additional reference to the io is taken for
it to survive fuse_aio_complete(). In non blocking case this additional
reference is not needed, however we still reference io to figure out
whether to wait for completion or not. This is wrong and will lead to
use-after-free. Fix it by storing blocking information in separate
variable.

This was spotted by KASAN when running generic/208 fstest.

Signed-off-by: Lukas Czerner <lczerner@xxxxxxxxxx>
Reported-by: Zorro Lang <zlang@xxxxxxxxxx>
Signed-off-by: Miklos Szeredi <mszeredi@xxxxxxxxxx>
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: <stable@xxxxxxxxxxxxxxx> # v4.6
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
 fs/fuse/file.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2913,10 +2913,12 @@ fuse_direct_IO(struct kiocb *iocb, struc
 	}
 
 	if (io->async) {
+		bool blocking = io->blocking;
+
 		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
 		/* we have a non-extending, async request, so return */
-		if (!io->blocking)
+		if (!blocking)
 			return -EIOCBQUEUED;
 
 		wait_for_completion(&wait);


Patches currently in stable-queue which might be from lczerner@xxxxxxxxxx are

queue-4.19/fuse-fix-use-after-free-in-fuse_direct_io.patch






