From: Robert Doebbelin <robert@quobyte.com>
Date: Mon, 7 Mar 2016 08:50:56 +0000 (+0100)
Subject: fuse: do not use iocb after it may have been freed
X-Git-Tag: v4.1.12-92~150^2~48
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=88bdf1a2c491297a5960ea1b2dc6cdf4e04afe74;p=users%2Fjedix%2Flinux-maple.git

fuse: do not use iocb after it may have been freed

Orabug: 23331110

[ Upstream commit 7cabc61e01a0a8b663bd2b4c982aa53048218734 ]

There's a race in fuse_direct_IO(), whereby is_sync_kiocb() is called on an
iocb that could have been freed if async io has already completed.  The fix
in this case is simple and obvious: cache the result before starting io.

It was discovered by KASan:

kernel: ==================================================================
kernel: BUG: KASan: use after free in fuse_direct_IO+0xb1a/0xcc0 at addr ffff88036c414390

Signed-off-by: Robert Doebbelin <robert@quobyte.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: bcba24ccdc82 ("fuse: enable asynchronous processing direct IO")
Cc: <stable@vger.kernel.org> # 3.10+
Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
(cherry picked from commit 19167d65fabb60ff11fc5f9c4a5248c17a12f615)

Signed-off-by: Dan Duval <dan.duval@oracle.com>
---

diff --git a/fs/fuse/file.c b/fs/fuse/file.c
index 5ef05b5c4cff8..e30b4c4fd81a4 100644
--- a/fs/fuse/file.c
+++ b/fs/fuse/file.c
@@ -2786,6 +2786,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset)
 	loff_t i_size;
 	size_t count = iov_iter_count(iter);
 	struct fuse_io_priv *io;
+	bool is_sync = is_sync_kiocb(iocb);
 
 	pos = offset;
 	inode = file->f_mapping->host;
@@ -2825,11 +2826,11 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset)
 	 * to wait on real async I/O requests, so we must submit this request
 	 * synchronously.
 	 */
-	if (!is_sync_kiocb(iocb) && (offset + count > i_size) &&
+	if (!is_sync && (offset + count > i_size) &&
 	    iov_iter_rw(iter) == WRITE)
 		io->async = false;
 
-	if (io->async && is_sync_kiocb(iocb))
+	if (io->async && is_sync)
 		io->done = &wait;
 
 	if (iov_iter_rw(iter) == WRITE) {
@@ -2843,7 +2844,7 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter, loff_t offset)
 		fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
 		/* we have a non-extending, async request, so return */
-		if (!is_sync_kiocb(iocb))
+		if (!is_sync)
 			return -EIOCBQUEUED;
 
 		wait_for_completion(&wait);