fuse: fix use-after-free in fuse_direct_IO()
In the async IO blocking case the additional reference to the io is taken for it to survive fuse_aio_complete(). In the non-blocking case this additional reference is not needed; however, we still reference io to figure out whether to wait for completion or not. This is wrong and will lead to a use-after-free. Fix it by storing the blocking information in a separate variable. This was spotted by KASAN when running the generic/208 fstest. Signed-off-by: Lukas Czerner <lczerner@redhat.com> Reported-by: Zorro Lang <zlang@redhat.com> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv") Cc: <stable@vger.kernel.org> # v4.6
This commit is contained in:
parent
2d84a2d19b
commit
ebacb81273
@ -2924,10 +2924,12 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
|
||||
}
|
||||
|
||||
if (io->async) {
|
||||
bool blocking = io->blocking;
|
||||
|
||||
fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
|
||||
|
||||
/* we have a non-extending, async request, so return */
|
||||
if (!io->blocking)
|
||||
if (!blocking)
|
||||
return -EIOCBQUEUED;
|
||||
|
||||
wait_for_completion(&wait);
|
||||
|
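Review bot: The reason for copying `io->blocking` into a local before the `fuse_aio_complete()` call is not recorded in the code, so a later cleanup could fold `blocking` back into `io->blocking` and silently reintroduce the use-after-free the commit message describes. A one-line comment above `bool blocking = io->blocking;` would pin the invariant: `/* fuse_aio_complete() may drop the last reference to io; read everything we need from it before the call */`. The commit message says the blocking path relies on an extra reference to keep io alive across fuse_aio_complete(), but that reference is taken outside this hunk, so the lifetime argument for the `wait_for_completion(&wait)` path cannot be verified from the lines shown. fuse_direct_IO() starts and ends outside the hunk.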