system/linux
system/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux synced 2024-10-04 02:10:58 +00:00
Code Issues Packages Projects Releases Wiki Activity
linux/fs/ceph
History
Luis Henriques ea60ed6fcf ceph: fix use-after-free in __ceph_remove_cap() 
KASAN reports a use-after-free when running xfstest generic/531, with the
following trace:

[  293.903362]  kasan_report+0xe/0x20
[  293.903365]  rb_erase+0x1f/0x790
[  293.903370]  __ceph_remove_cap+0x201/0x370
[  293.903375]  __ceph_remove_caps+0x4b/0x70
[  293.903380]  ceph_evict_inode+0x4e/0x360
[  293.903386]  evict+0x169/0x290
[  293.903390]  __dentry_kill+0x16f/0x250
[  293.903394]  dput+0x1c6/0x440
[  293.903398]  __fput+0x184/0x330
[  293.903404]  task_work_run+0xb9/0xe0
[  293.903410]  exit_to_usermode_loop+0xd3/0xe0
[  293.903413]  do_syscall_64+0x1a0/0x1c0
[  293.903417]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

This happens because __ceph_remove_cap() may queue a cap release
(__ceph_queue_cap_release) which can be scheduled before that cap is
removed from the inode list with

	rb_erase(&cap->ci_node, &ci->i_caps);

And, when this finally happens, the use-after-free will occur.

This can be fixed by removing the cap from the inode list before being
removed from the session list, and thus eliminating the risk of an UAF.

Cc: stable@vger.kernel.org
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2019-10-29 22:29:51 +01:00
..
acl.c ceph: rename struct ceph_acls_info to ceph_acl_sec_ctx 2019-07-08 14:01:42 +02:00
addr.c ceph: use release_pages() directly 2019-09-16 12:06:25 +02:00
cache.c ceph: include ceph_debug.h in cache.c 2019-09-16 12:06:25 +02:00
cache.h treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 188 2019-05-30 11:29:21 -07:00
caps.c ceph: fix use-after-free in __ceph_remove_cap() 2019-10-29 22:29:51 +01:00
ceph_frag.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
debugfs.c ceph: don't return a value from void function 2019-09-16 12:06:25 +02:00
dir.c Merge branch 'work.dcache2' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-07-20 09:15:51 -07:00
export.c ceph: move static keyword to the front of declarations 2019-09-16 12:06:25 +02:00
file.c ceph: allow object copies across different filesystems in the same cluster 2019-09-16 12:06:25 +02:00
inode.c ceph: update the mtime when truncating up 2019-09-16 12:06:24 +02:00
io.c ceph: add buffered/direct exclusionary locking for reads and writes 2019-09-16 12:06:25 +02:00
io.h ceph: add buffered/direct exclusionary locking for reads and writes 2019-09-16 12:06:25 +02:00
ioctl.c libceph, ceph: move ceph_calc_file_object_mapping() to striper.c 2018-04-02 10:12:43 +02:00
ioctl.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
Kconfig ceph: add selinux support 2019-07-08 14:01:42 +02:00
locks.c ceph: return -EIO if read/write against filp that lost file locks 2019-09-16 12:06:24 +02:00
Makefile ceph: add buffered/direct exclusionary locking for reads and writes 2019-09-16 12:06:25 +02:00
mds_client.c ceph: just skip unrecognized info in ceph_reply_info_extra 2019-10-15 17:43:10 +02:00
mds_client.h ceph: eliminate session->s_trim_caps 2019-09-16 12:06:24 +02:00
mdsmap.c ceph: have MDS map decoding use entity_addr_t decoder 2019-07-08 14:01:43 +02:00
quota.c ceph: fix infinite loop in get_quota_realm() 2019-07-08 14:01:42 +02:00
snap.c ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob() 2019-08-22 10:47:41 +02:00
strings.c License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
super.c The highlights are: 2019-09-25 10:21:13 -07:00
super.h ceph: turn ceph_security_invalidate_secctx into static inline 2019-09-16 12:06:25 +02:00
xattr.c ceph: allow arbitrary security.* xattrs 2019-09-16 12:06:25 +02:00