Commit 9a254403 authored by yangerkun's avatar yangerkun Committed by Miklos Szeredi

ovl: fix use after free in struct ovl_aio_req

Example for triggering use after free in an overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
           * Here IO is completed in a separate thread,
           * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
           */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307 ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
parent 1dc1eed4
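The lifetime problem the commit message describes, and the refcount fix it applies, as an added toy model in C. This is example code written for this page, not the overlayfs or ext4 sources: the struct and function names mirror the kernel's (ovl_aio_req, ovl_aio_rw_complete, ovl_aio_cleanup_handler, ovl_aio_put) but their bodies are simplified stand-ins. The "separate completion thread" is simulated by having the lower filesystem run the completion callback before it returns -EIOCBQUEUED and then touch the iocb once more, which is the ordering in the trace above; a one-object slab with poisoning turns the use-after-free into a counted event instead of undefined behaviour. Flipping use_refcount switches between the pre-fix behaviour (the completion frees unconditionally) and the fix (both the submitter and the completion hold a reference, so the object outlives the lower fs call).

```c
/* Toy model of the ovl_aio_req lifetime bug and its refcount fix (added
 * example, not kernel code; the completion "thread" is simulated inline). */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <string.h>
#define EIOCBQUEUED 529
#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
struct kiocb {                  /* stand-in for the kernel's struct kiocb */
    void (*ki_complete)(struct kiocb *iocb, long ret);
    long ki_result;
};
struct ovl_aio_req {            /* stand-in for overlayfs' struct ovl_aio_req */
    struct kiocb iocb;          /* embedded: the lower fs only sees this */
    struct kiocb *orig_iocb;    /* the caller's iocb we report back to */
    int refcount;               /* the fix: submitter and completion hold one each */
};
/* A one-object "slab" so a use-after-free is counted instead of being UB. */
static struct ovl_aio_req slab_obj;
static bool slab_in_use, use_refcount;   /* use_refcount: false = before the fix */
static int slab_free_count, uaf_count;
static struct ovl_aio_req *ovl_aio_alloc(void)
{
    assert(!slab_in_use);
    memset(&slab_obj, 0, sizeof slab_obj);
    slab_in_use = true;
    return &slab_obj;
}
static void ovl_aio_free(struct ovl_aio_req *req)
{
    if (!slab_in_use) { uaf_count++; return; }  /* double free */
    slab_in_use = false;
    slab_free_count++;
    memset(req, 0x6b, sizeof *req);             /* poison, like SLAB_POISON */
}
/* Every lower-layer access to the embedded iocb goes through here; it stands
 * for file_accessed(iocb->ki_filp), the BOOM in the trace. */
static void iocb_touch(struct kiocb *iocb)
{
    struct ovl_aio_req *req = container_of(iocb, struct ovl_aio_req, iocb);
    if (req == &slab_obj && !slab_in_use)
        uaf_count++;
}
/* Simulated ext4_dio_read_iter(): the completion may fire before we return. */
static long lower_read_iter(struct kiocb *iocb, bool async, long nbytes)
{
    long ret = nbytes;
    if (async) {
        iocb->ki_complete(iocb, nbytes);  /* the completion thread wins the race */
        ret = -EIOCBQUEUED;
    }
    iocb_touch(iocb);                     /* file_accessed() after the fact */
    return ret;
}
static void ovl_aio_cleanup_handler(struct ovl_aio_req *req)
{
    req->orig_iocb->ki_result = req->iocb.ki_result;
    ovl_aio_free(req);
}
static void ovl_aio_put(struct ovl_aio_req *req)   /* the fix: free on last ref */
{
    if (--req->refcount == 0)
        ovl_aio_cleanup_handler(req);
}
static void ovl_aio_rw_complete(struct kiocb *iocb, long ret)
{
    struct ovl_aio_req *req = container_of(iocb, struct ovl_aio_req, iocb);
    req->iocb.ki_result = ret;
    if (use_refcount) ovl_aio_put(req);
    else ovl_aio_cleanup_handler(req);    /* before the fix: unconditional free */
}
/* Mirrors ovl_read_iter(): returns bytes read or -EIOCBQUEUED. */
static long ovl_read_iter(struct kiocb *orig, bool async, long nbytes)
{
    struct ovl_aio_req *req = ovl_aio_alloc();
    req->orig_iocb = orig;
    req->iocb.ki_complete = ovl_aio_rw_complete;
    req->refcount = use_refcount ? 2 : 1;        /* submitter (+ completion) */
    long ret = lower_read_iter(&req->iocb, async, nbytes);
    if (ret != -EIOCBQUEUED) {                   /* sync: no completion will run */
        req->iocb.ki_result = ret;
        if (use_refcount) ovl_aio_put(req); else ovl_aio_cleanup_handler(req);
    }
    if (use_refcount)
        ovl_aio_put(req);   /* submitter's ref, dropped only after the lower fs returned */
    return ret;
}
/* Runs one scenario; returns how many accesses to freed memory were made. */
int scenario_uaf_count(bool fixed, bool async)
{
    struct kiocb orig = {0};
    use_refcount = fixed;
    slab_in_use = false; slab_free_count = 0; uaf_count = 0;
    ovl_read_iter(&orig, async, 4096);
    assert(slab_free_count == 1 && orig.ki_result == 4096);  /* freed exactly once */
    return uaf_count;
}
```

With use_refcount false, the async scenario reports one access to freed memory: the completion ran ovl_aio_cleanup_handler() inside the lower read call, and the lower fs then touched the poisoned iocb. With the refcount, the submitter's reference keeps the object alive until lower_read_iter() has returned, the completion only drops its own reference, and the object is still freed exactly once in every path, including the synchronous one where no completion ever fires.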