ovl: fix use after free in struct ovl_aio_req - blaster4385/linux-IllusionX - Linux kernel with personal config changes for arch linux

diff options

author	yangerkun <[email protected]>	2021-09-30 11:22:28 +0800
committer	Miklos Szeredi <[email protected]>	2021-10-29 13:48:19 +0200
commit	9a254403760041528bc8f69fe2f5e1ef86950991 (patch)
tree	8f18843e1fb6bf5cf3b9a9ab2ed6f91737c2eeb8 /net/lapb/lapb_timer.c
parent	1dc1eed46f9fa4cb8a07baa24fb44c96d6dd35c9 (diff)

ovl: fix use after free in struct ovl_aio_req

Example for triggering use after free in a overlay on ext4 setup: aio_read ovl_read_iter vfs_iter_read ext4_file_read_iter ext4_dio_read_iter iomap_dio_rw -> -EIOCBQUEUED /* * Here IO is completed in a separate thread, * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded */ file_accessed(iocb->ki_filp); /**BOOM**/ Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb. This guarantees that iocb is only freed after vfs_read/write_iter() returns on underlying fs. Fixes: 2406a307ac7d ("ovl: implement async IO routines") Signed-off-by: yangerkun <[email protected]> Link: https://lore.kernel.org/r/[email protected]/ Cc: <[email protected]> # v5.6 Signed-off-by: Miklos Szeredi <[email protected]>

Diffstat (limited to 'net/lapb/lapb_timer.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: