From: Kirill Tkhai <ktkhai@virtuozzo.com>
Date: Tue, 25 Sep 2018 09:28:55 +0000 (+0300)
Subject: fuse: Fix use-after-free in fuse_dev_do_read()
X-Git-Tag: v4.14.82~94
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=d94b3a2375cbbd55e6961c7b0dd1f8a75ebc8e10;p=users%2Fjedix%2Flinux-maple.git

fuse: Fix use-after-free in fuse_dev_do_read()

commit bc78abbd55dd28e2287ec6d6502b842321a17c87 upstream.

We may pick freed req in this way:

[cpu0]                                  [cpu1]
fuse_dev_do_read()                      fuse_dev_do_write()
   list_move_tail(&req->list, ...);     ...
   spin_unlock(&fpq->lock);             ...
   ...                                  request_end(fc, req);
   ...                                    fuse_put_request(fc, req);
   if (test_bit(FR_INTERRUPTED, ...))
         queue_interrupt(fiq, req);

Fix that by keeping req alive until we finish all manipulations.

Reported-by: syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
Fixes: 46c34a348b0a ("fuse: no fc->lock for pqueue parts")
Cc: <stable@vger.kernel.org> # v4.2
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c
index ee8105af40010..9a1ca92f97fb1 100644
--- a/fs/fuse/dev.c
+++ b/fs/fuse/dev.c
@@ -1309,12 +1309,14 @@ static ssize_t fuse_dev_do_read(struct fuse_dev *fud, struct file *file,
 		goto out_end;
 	}
 	list_move_tail(&req->list, &fpq->processing);
+	__fuse_get_request(req);
 	spin_unlock(&fpq->lock);
 	set_bit(FR_SENT, &req->flags);
 	/* matches barrier in request_wait_answer() */
 	smp_mb__after_atomic();
 	if (test_bit(FR_INTERRUPTED, &req->flags))
 		queue_interrupt(fiq, req);
+	fuse_put_request(fc, req);
 
 	return reqsize;