From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx1.redhat.com ([209.132.183.28]:53352 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727735AbeKIXcd (ORCPT ); Fri, 9 Nov 2018 18:32:33 -0500 From: Lukas Czerner To: linux-fsdevel@vger.kernel.org Cc: miklos@szeredi.hu Subject: [PATCH] fuse: fix use-after-free in fuse_direct_IO() Date: Fri, 9 Nov 2018 14:51:46 +0100 Message-Id: <20181109135146.23470-1-lczerner@redhat.com> Sender: linux-fsdevel-owner@vger.kernel.org List-ID: In async IO blocking case the additional reference to the io is taken for it to survive fuse_aio_complete(). In non blocking case this additional reference is not needed, however we still reference io to figure out whether to wait for completion or not. This is wrong and will lead to use-after-free. Fix it by storing blocking information in separate variable. This was spotted by KASAN when running generic/208 fstest. Signed-off-by: Lukas Czerner Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv") Reported-by: Zorro Lang --- fs/fuse/file.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/fuse/file.c b/fs/fuse/file.c index cc2121b37bf5..b52f9baaa3e7 100644 --- a/fs/fuse/file.c +++ b/fs/fuse/file.c @@ -2924,10 +2924,12 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter) } if (io->async) { + bool blocking = io->blocking; + fuse_aio_complete(io, ret < 0 ? ret : 0, -1); /* we have a non-extending, async request, so return */ - if (!io->blocking) + if (!blocking) return -EIOCBQUEUED; wait_for_completion(&wait); -- 2.17.2
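Review bot: the new local in the hunk deserves a one-line comment, because the reason it exists is invisible at the point of use: after `fuse_aio_complete(io, ...)` the non-blocking path has dropped the last reference, so `io` must not be touched again, and only the extra reference taken earlier keeps it alive on the blocking path. Something like `bool blocking = io->blocking; /* io may be freed by fuse_aio_complete() unless blocking */` would stop the next reader from "simplifying" `if (!blocking)` back into `if (!io->blocking)`. With that, the hunk looks correct: the only read of `io` after `fuse_aio_complete()` on the non-blocking path is the one being replaced, and the blocking path still reaches `wait_for_completion(&wait)` with its reference held.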
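To make the lifetime problem the commit message describes concrete, here is an added, stand-alone C model of the reference-counting scheme and of the async tail of fuse_direct_IO() before and after the patch. It is example code written for this page, not the kernel's own: `struct fuse_io_priv` is reduced to the fields the bug involves, the kref is a plain counter, the completion is a flag, and "freeing" poisons the object with SLUB's POISON_FREE byte instead of calling free(), so the read-after-free that KASAN reported on generic/208 shows up as a wrong return value here rather than as undefined behaviour. `fuse_io_alloc`, `run_async`, `model_frees` and the two `direct_io_*` variants are constructed names for this model.

```c
#include <stdlib.h>
#include <string.h>

/* Numeric value of the kernel's EIOCBQUEUED; the kernel returns it negated. */
#define EIOCBQUEUED 529

/* Byte pattern written over a released object, mirroring SLUB's POISON_FREE,
 * so that a read after free stays observable in this model instead of being
 * undefined behaviour. */
#define POISON_FREE 0x6b

static int model_frees; /* constructed model state: how often the object was released */

/* Reduced model of struct fuse_io_priv: only the fields the bug involves. */
struct fuse_io_priv {
	int refcnt;   /* stands in for the kernel's kref */
	int async;
	int blocking; /* int, not bool: reading a poisoned bool would be undefined */
	int done;     /* stands in for the completion the blocking path waits on */
};

static void fuse_io_release(struct fuse_io_priv *io)
{
	model_frees++;
	memset(io, POISON_FREE, sizeof(*io)); /* "free" = poison, keep the storage */
}

static void fuse_io_put(struct fuse_io_priv *io)
{
	if (--io->refcnt == 0)
		fuse_io_release(io);
}

/* Mirrors the setup in fuse_direct_IO(): one reference for the submitter, plus
 * the additional reference that keeps io alive across fuse_aio_complete() in
 * the async blocking case only. */
static struct fuse_io_priv *fuse_io_alloc(int async, int blocking)
{
	struct fuse_io_priv *io = calloc(1, sizeof(*io));

	if (!io)
		return NULL;
	io->refcnt = 1;
	io->async = async;
	io->blocking = blocking;
	if (async && blocking)
		io->refcnt++;
	return io;
}

/* Mirrors fuse_aio_complete(): signals completion and drops the submitter's
 * reference. Without the additional reference this is the last put. */
static void fuse_aio_complete(struct fuse_io_priv *io)
{
	io->done = 1;
	fuse_io_put(io);
}

/* Async tail as it was before the patch: io->blocking is read after
 * fuse_aio_complete() may already have released io. */
static int direct_io_before(struct fuse_io_priv *io)
{
	fuse_aio_complete(io);
	if (!io->blocking)       /* use-after-free in the non-blocking case */
		return -EIOCBQUEUED;
	while (!io->done) {}     /* stands in for wait_for_completion(&wait) */
	fuse_io_put(io);         /* drop the additional reference */
	return 0;
}

/* Same tail with the patch applied: the flag is copied while io is known alive. */
static int direct_io_after(struct fuse_io_priv *io)
{
	int blocking = io->blocking;

	fuse_aio_complete(io);
	if (!blocking)
		return -EIOCBQUEUED;
	while (!io->done) {}
	fuse_io_put(io);
	return 0;
}

/* Runs one variant on an async request and returns what it returned; the
 * caller checks model_frees to confirm the object was released exactly once. */
static int run_async(int blocking, int (*variant)(struct fuse_io_priv *))
{
	struct fuse_io_priv *io = fuse_io_alloc(1, blocking);
	int ret;

	if (!io)
		return -1;
	model_frees = 0;
	ret = variant(io);
	free(io); /* safe here: the storage was only poisoned, never freed */
	return ret;
}
```

In the non-blocking case `direct_io_before` finds `io->blocking` equal to the poison pattern (nonzero) and therefore takes the blocking path over released memory, returning 0 instead of -EIOCBQUEUED; `direct_io_after` returns -EIOCBQUEUED without touching `io` again. In the blocking case both variants behave identically, because the extra reference taken in `fuse_io_alloc` keeps the object alive until the final put.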