Commit 120a1814 authored by Jeff Layton, committed by Yifan Qiao

filelock: fix potential use-after-free in posix_lock_inode

stable inclusion
from stable-v6.6.41
commit 432b06b69d1d354a171f7499141116536579eb6a
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEKN
CVE: CVE-2024-41049

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=432b06b69d1d354a171f7499141116536579eb6a

--------------------------------

[ Upstream commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92 ]

Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.

Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.

Fixes: 74f6f591 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock")
Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c325112.camel@kernel.org/
Reported-by: Light Hsieh (謝明燈) <Light.Hsieh@mediatek.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.org
Reviewed-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>
parent 3e3fceae
+1 −1
@@ -1314,9 +1314,9 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request,
		locks_wake_up_blocks(left);
	}
 out:
	trace_posix_lock_inode(inode, request, error);
	spin_unlock(&ctx->flc_lock);
	percpu_up_read(&file_rwsem);
	trace_posix_lock_inode(inode, request, error);
	/*
	 * Free any unused locks.
	 */
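Review bot: with this hunk the tracepoint now fires while ctx->flc_lock is still held (the trace_posix_lock_inode() call placed before spin_unlock(&ctx->flc_lock)), which is what stops a racing task from freeing the lock entry that request points at, but it also means the event's fast-assign path must only read fields of inode/request and must not sleep or re-take flc_lock; a sentence in the commit message stating that the tracepoint is safe under the spinlock would make the reason for this ordering explicit to anyone who later considers moving it back out of the locked region. Note also that this rendered hunk has lost its +/- markers, so the two trace_posix_lock_inode() lines read as a duplicate: the one before spin_unlock() is the added line and the one after percpu_up_read(&file_rwsem) is the removed line, i.e. the change is a move of one call, matching the +1 -1 stat.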