From patchwork Tue Sep 25 09:52:42 2018
X-Patchwork-Submitter: Kirill Tkhai
X-Patchwork-Id: 10613831
Subject: [PATCH] fuse: Fix use-after-free in fuse_dev_do_write()
From: Kirill Tkhai
To: miklos@szeredi.hu, dvyukov@google.com, syzbot+4e975615ca01f2277bdd@syzkaller.appspotmail.com, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, ktkhai@virtuozzo.com
Date: Tue, 25 Sep 2018 12:52:42 +0300
Message-ID: <153786915356.22029.14929917223689579717.stgit@localhost.localdomain>
User-Agent: StGit/0.18
X-Mailing-List: linux-fsdevel@vger.kernel.org

After we found req in request_find() and released the lock, everything may happen with the req in parallel. Keep it alive till we finish touching its memory.
Signed-off-by: Kirill Tkhai --- fs/fuse/dev.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/fs/fuse/dev.c b/fs/fuse/dev.c index 675caed3e655..c2af8042f176 100644 --- a/fs/fuse/dev.c +++ b/fs/fuse/dev.c @@ -1877,16 +1877,20 @@ static ssize_t fuse_dev_do_write(struct fuse_dev *fud, /* Is it an interrupt reply? */ if (req->intr_unique == oh.unique) { + __fuse_get_request(req); spin_unlock(&fpq->lock); err = -EINVAL; - if (nbytes != sizeof(struct fuse_out_header)) + if (nbytes != sizeof(struct fuse_out_header)) { + fuse_put_request(fc, req); goto err_finish; + } if (oh.error == -ENOSYS) fc->no_interrupt = 1; else if (oh.error == -EAGAIN) queue_interrupt(&fc->iq, req); + fuse_put_request(fc, req); fuse_copy_finish(cs); return nbytes;
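Review bot: the interrupt-reply branch now has two exits that each need their own `fuse_put_request(fc, req)` (the one before `goto err_finish` and the one before `fuse_copy_finish(cs)`), which is easy to get wrong if another error path is added to this branch later; a single put at one exit point would be more robust. The ordering that matters is right: `__fuse_get_request(req)` is issued before `spin_unlock(&fpq->lock)`, so the reference is taken while the lock still guarantees req is alive, and the commit message says anything may happen to req once the lock is released. A one-line comment above `__fuse_get_request(req)` stating that reason would save the next reader from having to reconstruct it from the change history.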
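The pattern the patch applies, as an added example that is not the patch's or the kernel's code: a request is looked up under the queue lock, a reference is taken before the lock is dropped, and that reference is released on every exit of the handler. All names here (req, reqq, req_get, req_put, request_end, handle_interrupt_reply, run_scenario) are invented stand-ins, the "free" is modelled with a flag so a stale access is detectable rather than undefined, and the concurrent completion is sequenced deterministically right after the unlock instead of being raced for real. The same function is run with the pre-patch logic (no reference) and the fixed logic (reference held) so the difference is visible.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdlib.h>

/*
 * Hypothetical stand-ins for a refcounted request on a lock-protected
 * queue.  These are invented for this example, not the kernel's fuse types.
 */
struct req {
    uint64_t unique;
    int refcount;       /* the kernel uses an atomic refcount; a plain int is
                           enough here because the "race" is sequenced */
    bool freed;         /* set instead of really freeing, so a stale access
                           can be detected rather than being undefined */
    struct req *next;
};

struct reqq {
    bool locked;        /* stand-in for the spinlock guarding the list */
    struct req *head;
};

static void q_lock(struct reqq *q)   { assert(!q->locked); q->locked = true; }
static void q_unlock(struct reqq *q) { assert(q->locked);  q->locked = false; }

/* Must be called with q->lock held: the list may change once it is dropped. */
static struct req *lookup_locked(struct reqq *q, uint64_t unique)
{
    assert(q->locked);
    for (struct req *r = q->head; r; r = r->next)
        if (r->unique == unique)
            return r;
    return NULL;
}

static void req_get(struct req *r) { assert(!r->freed); r->refcount++; }

static void req_put(struct req *r)
{
    assert(!r->freed);
    if (--r->refcount == 0)
        r->freed = true;    /* where the kernel would free the object */
}

/* Completion path running "on another CPU": unlink the request and drop the
 * queue's reference, which frees it unless someone else still holds one. */
static void request_end(struct reqq *q, struct req *r)
{
    q_lock(q);
    for (struct req **pp = &q->head; *pp; pp = &(*pp)->next)
        if (*pp == r) { *pp = r->next; break; }
    q_unlock(q);
    req_put(r);
}

/*
 * Handler shaped like the interrupt-reply branch in the patch.
 * take_ref == false is the pre-patch logic, take_ref == true the fixed one.
 * Returns 1 if req was touched after it had been freed, 0 if the access was
 * safe, -1 if no request matched.
 */
static int handle_interrupt_reply(struct reqq *q, uint64_t unique, bool take_ref)
{
    q_lock(q);
    struct req *r = lookup_locked(q, unique);
    if (!r) {
        q_unlock(q);
        return -1;
    }
    if (take_ref)
        req_get(r);         /* the reference is taken before the unlock */
    q_unlock(q);

    /* Deterministic stand-in for the race: completion wins immediately
     * after the lock is released. */
    request_end(q, r);

    /* The handler now dereferences req, as the real code does. */
    int stale = r->freed ? 1 : 0;

    if (take_ref)
        req_put(r);         /* matching put on every exit of the handler */
    return stale;
}

/* Builds a queue holding one in-flight request (refcount 1, owned by the
 * queue), runs the handler and returns its result. */
static int run_scenario(bool take_ref)
{
    struct req *r = calloc(1, sizeof(*r));
    assert(r);
    r->unique = 42;
    r->refcount = 1;
    struct reqq q = { .locked = false, .head = r };

    int result = handle_interrupt_reply(&q, 42, take_ref);

    assert(r->freed);   /* both variants end with the request released */
    free(r);
    return result;
}

int main(void)
{
    int buggy = run_scenario(false);   /* 1: request was freed under us */
    int fixed = run_scenario(true);    /* 0: our reference kept it alive */
    return (buggy == 1 && fixed == 0) ? 0 : 1;
}
```

The only difference between the two runs is whether a reference is held across the unlock; the lookup result alone is worthless once the lock is gone, because the object's lifetime was only guaranteed by that lock.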