linux_dsm_epyc7002/fs
Luis Henriques ea60ed6fcf ceph: fix use-after-free in __ceph_remove_cap()
KASAN reports a use-after-free when running xfstest generic/531, with the
following trace:

[  293.903362]  kasan_report+0xe/0x20
[  293.903365]  rb_erase+0x1f/0x790
[  293.903370]  __ceph_remove_cap+0x201/0x370
[  293.903375]  __ceph_remove_caps+0x4b/0x70
[  293.903380]  ceph_evict_inode+0x4e/0x360
[  293.903386]  evict+0x169/0x290
[  293.903390]  __dentry_kill+0x16f/0x250
[  293.903394]  dput+0x1c6/0x440
[  293.903398]  __fput+0x184/0x330
[  293.903404]  task_work_run+0xb9/0xe0
[  293.903410]  exit_to_usermode_loop+0xd3/0xe0
[  293.903413]  do_syscall_64+0x1a0/0x1c0
[  293.903417]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

This happens because __ceph_remove_cap() may queue a cap release
(__ceph_queue_cap_release) which can be scheduled before that cap is
removed from the inode list with

	rb_erase(&cap->ci_node, &ci->i_caps);

And, when this finally happens, the use-after-free will occur.

This can be fixed by removing the cap from the inode list before being
removed from the session list, and thus eliminating the risk of a UAF.

Cc: stable@vger.kernel.org
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
2019-10-29 22:29:51 +01:00
9p 9p pull request for inclusion in 5.4 2019-09-27 15:10:34 -07:00
adfs
affs
afs Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-09-29 19:42:07 -07:00
autofs
befs
bfs
btrfs for-5.4-rc4-tag 2019-10-23 06:14:29 -04:00
cachefiles
ceph ceph: fix use-after-free in __ceph_remove_cap() 2019-10-29 22:29:51 +01:00
cifs cifs: Fix cifsInodeInfo lock_sem deadlock when reconnect occurs 2019-10-24 21:35:04 -05:00
coda
configfs
cramfs
crypto
debugfs Merge branch 'next-lockdown' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2019-09-28 08:14:15 -07:00
devpts
dlm
ecryptfs
efivarfs
efs
erofs erofs: fix mis-inplace determination related with noio chain 2019-10-01 04:54:45 +08:00
exportfs
ext2 2019-09-21 13:53:34 -07:00
ext4 Merge branch 'entropy' 2019-09-29 19:25:39 -07:00
f2fs f2fs-for-5.4-rc1 2019-09-21 14:26:33 -07:00
fat fat: delete an unnecessary check before brelse() 2019-09-25 17:51:40 -07:00
freevxfs
fscache
fuse add virtio-fs 2019-09-27 15:54:24 -07:00
gfs2 gfs2: Fix memory leak when gfs2meta's fs_context is freed 2019-10-24 16:20:43 +02:00
hfs
hfsplus
hostfs
hpfs
hugetlbfs
iomap
isofs
jbd2 jbd2: remove jbd2_journal_inode_add_[write|wait] 2019-09-24 15:54:07 -07:00
jffs2 Merge branch 'work.mount3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-09-26 11:33:30 -07:00
jfs
kernfs
lockd
minix
nfs NFSv4: Fix leak of clp->cl_acceptor string 2019-10-10 16:14:02 -04:00
nfs_common
nfsd Highlights: 2019-09-27 17:00:27 -07:00
nilfs2
nls
notify Highlights: 2019-09-27 17:00:27 -07:00
ntfs ntfs: remove (un)?likely() from IS_ERR() conditions 2019-09-26 10:10:44 -07:00
ocfs2 ocfs2: fix panic due to ocfs2_wq is null 2019-10-19 06:32:32 -04:00
omfs
openpromfs
orangefs
overlayfs
proc proc/meminfo: fix output alignment 2019-10-19 06:32:32 -04:00
pstore
qnx4
qnx6
quota
ramfs
reiserfs fs/reiserfs/do_balan.c: remove set but not used variable 2019-09-25 17:51:40 -07:00
romfs
squashfs
sysfs
sysv
tracefs tracing: Do not create tracefs files if tracefs lockdown is in effect 2019-10-12 20:49:07 -04:00
ubifs This pull request contains the following changes for UBI, UBIFS and JFFS2: 2019-09-21 11:10:16 -07:00
udf
ufs
unicode
verity
xfs xfs: change the seconds fields in xfs_bulkstat to signed 2019-10-15 08:46:07 -07:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c elf: don't use MAP_FIXED_NOREPLACE for elf executable mappings 2019-10-06 13:53:27 -07:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
block_dev.c
buffer.c
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c
compat.c
coredump.c
d_path.c
dax.c fs/dax: Fix pmd vs pte conflict detection 2019-10-22 22:53:02 -07:00
dcache.c
dcookies.c
direct-io.c fs/direct-io.c: fix kernel-doc warning 2019-10-14 15:04:01 -07:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c sched/membarrier: Fix p->mm->membarrier_state racy load 2019-09-25 17:42:30 +02:00
fcntl.c
fhandle.c
file_table.c
file.c
filesystems.c
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fs-writeback.c fs/fs-writeback.c: fix kernel-doc warning 2019-10-14 15:04:01 -07:00
fsopen.c
inode.c mm,thp: avoid writes to file with THP in pagecache 2019-09-24 15:54:11 -07:00
internal.h
io_uring.c io_uring: fix bad inflight accounting for SETUP_IOPOLL|SETUP_SQTHREAD 2019-10-25 10:58:53 -06:00
ioctl.c
Kconfig
Kconfig.binfmt
libfs.c fs/libfs.c: fix kernel-doc warning 2019-10-14 15:04:01 -07:00
locks.c Highlights: 2019-09-27 17:00:27 -07:00
Makefile
mbcache.c
mount.h
mpage.c
namei.c
namespace.c Merge branch 'akpm' (patches from Andrew) 2019-09-26 10:29:42 -07:00
no-block.c
nsfs.c
open.c fs: remove unlikely() from WARN_ON() condition 2019-09-26 10:10:30 -07:00
pipe.c
pnode.c
pnode.h
posix_acl.c
proc_namespace.c
read_write.c
readdir.c filldir[64]: remove WARN_ON_ONCE() for bad directory entries 2019-10-18 18:41:16 -04:00
select.c
seq_file.c
signalfd.c
splice.c
stack.c
stat.c
statfs.c vfs: Fix EOVERFLOW testing in put_compat_statfs64 2019-10-03 14:21:35 -07:00
super.c Merge branch 'work.mount3' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-10-10 08:16:44 -07:00
sync.c
timerfd.c
userfaultfd.c userfaultfd: untag user pointers 2019-09-25 17:51:41 -07:00
utimes.c
xattr.c