From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Luis Henriques <lhenriques@suse.com>,
Jeff Layton <jlayton@kernel.org>,
Ilya Dryomov <idryomov@gmail.com>
Subject: [PATCH 4.9 18/65] ceph: fix use-after-free in __ceph_remove_cap()
Date: Mon, 11 Nov 2019 19:28:18 +0100 [thread overview]
Message-ID: <20191111181344.476514494@linuxfoundation.org> (raw)
In-Reply-To: <20191111181331.917659011@linuxfoundation.org>
From: Luis Henriques <lhenriques@suse.com>
commit ea60ed6fcf29eebc78f2ce91491e6309ee005a01 upstream.
KASAN reports a use-after-free when running xfstest generic/531, with the
following trace:
[ 293.903362] kasan_report+0xe/0x20
[ 293.903365] rb_erase+0x1f/0x790
[ 293.903370] __ceph_remove_cap+0x201/0x370
[ 293.903375] __ceph_remove_caps+0x4b/0x70
[ 293.903380] ceph_evict_inode+0x4e/0x360
[ 293.903386] evict+0x169/0x290
[ 293.903390] __dentry_kill+0x16f/0x250
[ 293.903394] dput+0x1c6/0x440
[ 293.903398] __fput+0x184/0x330
[ 293.903404] task_work_run+0xb9/0xe0
[ 293.903410] exit_to_usermode_loop+0xd3/0xe0
[ 293.903413] do_syscall_64+0x1a0/0x1c0
[ 293.903417] entry_SYSCALL_64_after_hwframe+0x44/0xa9
This happens because __ceph_remove_cap() may queue a cap release
(__ceph_queue_cap_release) which can be scheduled before that cap is
removed from the inode list with
rb_erase(&cap->ci_node, &ci->i_caps);
And, when this finally happens, the use-after-free will occur.
This can be fixed by removing the cap from the inode list before being
removed from the session list, and thus eliminating the risk of an UAF.
Cc: stable@vger.kernel.org
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/ceph/caps.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -933,6 +933,11 @@ void __ceph_remove_cap(struct ceph_cap *
dout("__ceph_remove_cap %p from %p\n", cap, &ci->vfs_inode);
+ /* remove from inode's cap rbtree, and clear auth cap */
+ rb_erase(&cap->ci_node, &ci->i_caps);
+ if (ci->i_auth_cap == cap)
+ ci->i_auth_cap = NULL;
+
/* remove from session list */
spin_lock(&session->s_cap_lock);
if (session->s_cap_iterator == cap) {
@@ -968,11 +973,6 @@ void __ceph_remove_cap(struct ceph_cap *
spin_unlock(&session->s_cap_lock);
- /* remove from inode list */
- rb_erase(&cap->ci_node, &ci->i_caps);
- if (ci->i_auth_cap == cap)
- ci->i_auth_cap = NULL;
-
if (removed)
ceph_put_cap(mdsc, cap);
next prev parent reply other threads:[~2019-11-11 18:32 UTC|newest]
Thread overview: 71+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-11-11 18:28 [PATCH 4.9 00/65] 4.9.201-stable review Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 01/65] CDC-NCM: handle incomplete transfer of MTU Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 02/65] ipv4: Fix table id reference in fib_sync_down_addr Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 03/65] net: fix data-race in neigh_event_send() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 04/65] net: usb: qmi_wwan: add support for DW5821e with eSIM support Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 05/65] NFC: fdp: fix incorrect free object Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 06/65] nfc: netlink: fix double device reference drop Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 07/65] NFC: st21nfca: fix double free Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 08/65] qede: fix NULL pointer deref in __qede_remove() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 09/65] ALSA: timer: Fix incorrectly assigned timer instance Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 10/65] ALSA: bebob: fix to detect configured source of sampling clock for Focusrite Saffire Pro i/o series Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 11/65] ALSA: hda/ca0132 - Fix possible workqueue stall Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 12/65] mm, meminit: recalculate pcpu batch and high limits after init completes Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 13/65] mm: thp: handle page cache THP correctly in PageTransCompoundMap Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 14/65] mm, vmstat: hide /proc/pagetypeinfo from normal users Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 15/65] dump_stack: avoid the livelock of the dump_lock Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 16/65] perf tools: Fix time sorting Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 17/65] drm/radeon: fix si_enable_smc_cac() failed issue Greg Kroah-Hartman
2019-11-11 18:28 ` Greg Kroah-Hartman [this message]
2019-11-11 18:28 ` [PATCH 4.9 19/65] iio: imu: adis16480: make sure provided frequency is positive Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 20/65] netfilter: nf_tables: Align nft_expr private data to 64-bit Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 21/65] netfilter: ipset: Fix an error code in ip_set_sockfn_get() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 22/65] can: usb_8dev: fix use-after-free on disconnect Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 23/65] can: c_can: c_can_poll(): only read status register after status IRQ Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 24/65] can: peak_usb: fix a potential out-of-sync while decoding packets Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 25/65] can: gs_usb: gs_can_open(): prevent memory leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 26/65] can: peak_usb: fix slab info leak Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 27/65] configfs: Fix bool initialization/comparison Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 28/65] configfs: stash the data we need into configfs_buffer at open time Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 29/65] configfs_register_group() shouldnt be (and isnt) called in rmdirable parts Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 30/65] configfs: new object reprsenting tree fragments Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 31/65] configfs: provide exclusion between IO and removals Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 32/65] configfs: fix a deadlock in configfs_symlink() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 33/65] usbip: stub_rx: fix static checker warning on unnecessary checks Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 34/65] usbip: Fix vhci_urb_enqueue() URB null transfer buffer error path Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 35/65] usbip: fix possibility of dereference by NULLL pointer in vhci_hcd.c Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 36/65] drivers: usb: usbip: Add missing break statement to switch Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 37/65] PCI: tegra: Enable Relaxed Ordering only for Tegra20 & Tegra30 Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 38/65] dmaengine: xilinx_dma: Fix control reg update in vdma_channel_set_config Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 39/65] HID: intel-ish-hid: fix wrong error handling in ishtp_cl_alloc_tx_ring() Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 40/65] scsi: qla2xxx: fixup incorrect usage of host_byte Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 41/65] scsi: lpfc: Honor module parameter lpfc_use_adisc Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 42/65] ipvs: move old_secure_tcp into struct netns_ipvs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 43/65] bonding: fix unexpected IFF_BONDING bit unset Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 44/65] usb: fsl: Check memory resource before releasing it Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 45/65] usb: gadget: udc: atmel: Fix interrupt storm in FIFO mode Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 46/65] usb: gadget: composite: Fix possible double free memory bug Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 47/65] usb: gadget: configfs: fix concurrent issue between composite APIs Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 48/65] usb: dwc3: remove the call trace of USBx_GFLADJ Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 49/65] perf/x86/amd/ibs: Fix reading of the IBS OpData register and thus precise RIP validity Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 50/65] perf/x86/amd/ibs: Handle erratum #420 only on the affected CPU family (10h) Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 51/65] USB: Skip endpoints with 0 maxpacket length Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 52/65] RDMA/iw_cxgb4: Avoid freeing skb twice in arp failure case Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 53/65] scsi: qla2xxx: stop timer in shutdown path Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 54/65] fjes: Handle workqueue allocation failure Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 55/65] net: hisilicon: Fix "Trying to free already-free IRQ" Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 56/65] NFSv4: Dont allow a cached open with a revoked delegation Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 57/65] net: ethernet: arc: add the missed clk_disable_unprepare Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 58/65] igb: Fix constant media auto sense switching when no cable is connected Greg Kroah-Hartman
2019-11-11 18:28 ` [PATCH 4.9 59/65] e1000: fix memory leaks Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 60/65] x86/apic: Move pending interrupt check code into its own function Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 61/65] x86/apic: Drop logical_smp_processor_id() inline Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 62/65] x86/apic/32: Avoid bogus LDR warnings Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 63/65] can: flexcan: disable completely the ECC mechanism Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 64/65] mm/filemap.c: dont initiate writeback if mapping has no dirty pages Greg Kroah-Hartman
2019-11-11 18:29 ` [PATCH 4.9 65/65] cgroup,writeback: dont switch wbs immediately on dead wbs if the memcg is dead Greg Kroah-Hartman
2019-11-12 0:38 ` [PATCH 4.9 00/65] 4.9.201-stable review kernelci.org bot
2019-11-12 5:27 ` Greg Kroah-Hartman
2019-11-12 12:00 ` Jon Hunter
2019-11-12 13:24 ` Naresh Kamboju
2019-11-12 18:19 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191111181344.476514494@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=lhenriques@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).