Commit 592950ac authored by Jeff Layton, committed by Yifan Qiao

filelock: fix potential use-after-free in posix_lock_inode

stable inclusion
from stable-v5.10.222
commit 7d4c14f4b511fd4c0dc788084ae59b4656ace58b
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEKN
CVE: CVE-2024-41049

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=7d4c14f4b511fd4c0dc788084ae59b4656ace58b

--------------------------------

[ Upstream commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92 ]

Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode().
The request pointer had been changed earlier to point to a lock entry
that was added to the inode's list. However, before the tracepoint could
fire, another task raced in and freed that lock.

Fix this by moving the tracepoint inside the spinlock, which should
ensure that this doesn't happen.

Fixes: 74f6f591 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock")
Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c325112.camel@kernel.org/

Reported-by: Light Hsieh (謝明燈) <Light.Hsieh@mediatek.com>
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.org
Reviewed-by: Alexander Aring <aahringo@redhat.com>
Signed-off-by: Christian Brauner <brauner@kernel.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Yifan Qiao <qiaoyifan4@huawei.com>
parent 2d99a8d0
+1 −1
@@ -1337,9 +1337,9 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request,
		locks_wake_up_blocks(left);
	}
 out:
	trace_posix_lock_inode(inode, request, error);
	spin_unlock(&ctx->flc_lock);
	percpu_up_read(&file_rwsem);
	trace_posix_lock_inode(inode, request, error);
	/*
	 * Free any unused locks.
	 */