Patch "cachefiles: remove requests from xarray during flushing requests" has been added to the 6.9-stable tree

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



This is a note to let you know that I've just added the patch titled

    cachefiles: remove requests from xarray during flushing requests

to the 6.9-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     cachefiles-remove-requests-from-xarray-during-flushi.patch
and it can be found in the queue-6.9 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 4bb8edc7bd6c798084a8d43ced490552b34b39ad
Author: Baokun Li <libaokun1@xxxxxxxxxx>
Date:   Wed May 22 19:42:58 2024 +0800

    cachefiles: remove requests from xarray during flushing requests
    
    [ Upstream commit 0fc75c5940fa634d84e64c93bfc388e1274ed013 ]
    
    Even with CACHEFILES_DEAD set, we can still read the requests, so in the
    following concurrency the request may be used after it has been freed:
    
         mount  |   daemon_thread1    |    daemon_thread2
    ------------------------------------------------------------
     cachefiles_ondemand_init_object
      cachefiles_ondemand_send_req
       REQ_A = kzalloc(sizeof(*req) + data_len)
       wait_for_completion(&REQ_A->done)
                cachefiles_daemon_read
                 cachefiles_ondemand_daemon_read
                                      // close dev fd
                                      cachefiles_flush_reqs
                                       complete(&REQ_A->done)
       kfree(REQ_A)
                  xa_lock(&cache->reqs);
                  cachefiles_ondemand_select_req
                    req->msg.opcode != CACHEFILES_OP_READ
                    // req use-after-free !!!
                  xa_unlock(&cache->reqs);
                                       xa_destroy(&cache->reqs)
    
    Hence remove requests from cache->reqs when flushing them to avoid
    accessing freed requests.
    
    Fixes: c8383054506c ("cachefiles: notify the user daemon when looking up cookie")
    Signed-off-by: Baokun Li <libaokun1@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20240522114308.2402121-3-libaokun@xxxxxxxxxxxxxxx
    Acked-by: Jeff Layton <jlayton@xxxxxxxxxx>
    Reviewed-by: Jia Zhu <zhujia.zj@xxxxxxxxxxxxx>
    Reviewed-by: Gao Xiang <hsiangkao@xxxxxxxxxxxxxxxxx>
    Reviewed-by: Jingbo Xu <jefflexu@xxxxxxxxxxxxxxxxx>
    Signed-off-by: Christian Brauner <brauner@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/fs/cachefiles/daemon.c b/fs/cachefiles/daemon.c
index 6465e25742309..ccb7b707ea4b7 100644
--- a/fs/cachefiles/daemon.c
+++ b/fs/cachefiles/daemon.c
@@ -159,6 +159,7 @@ static void cachefiles_flush_reqs(struct cachefiles_cache *cache)
 	xa_for_each(xa, index, req) {
 		req->error = -EIO;
 		complete(&req->done);
+		__xa_erase(xa, index);
 	}
 	xa_unlock(xa);
 




[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Index of Archives]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux