[PATCH OLK-5.10 v2 062/133] anolis: cachefiles: reset object->private to NULL when it's freed

25 Dec 2024

From: Jingbo Xu <jefflexu@linux.alibaba.com>

anolis inclusion
category: feature
bugzilla: https://gitee.com/openeuler/kernel/issues/IB5UKT

Reference: https://gitee.com/anolis/cloud-kernel/commit/d736b9b9be9f

--------------------------------

ANBZ: #3213

cachefiles_object is allocated from cachefiles_object_jar slab cache
without zeroing.

Apart from cachefiles_alloc_object(), cachefiles_daemon_add_cache() also
allocates cachefiles_object directly from cachefiles_object_jar slab
cache, in which object->private is not initialized, while the allocated
cachefiles_object is still freed in cachefiles_put_object().  This is
reasonable since the cachefiles_object allocated in
cachefiles_daemon_add_cache() represents a directory rather than a data
file, while object->private is only used for data files.

However, if object->private is not reset to NULL when cachefiles_object
is freed, and then the cachefiles_object is allocated again in
cachefiles_alloc_object(), a wild pointer is exposed in object->private,
which can cause double-free or use-after-free.

Fixes: 679445f70359 ("anolis: cachefiles: extract ondemand info field from cachefiles_object")
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Reviewed-by: Joseph Qi <joseph.qi@linux.alibaba.com>
Link: https://gitee.com/anolis/cloud-kernel/pulls/915
Signed-off-by: Zizhi Wo <wozizhi@huawei.com>
Signed-off-by: Baokun Li <libaokun1@huawei.com>
---
 fs/cachefiles/interface.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/cachefiles/interface.c b/fs/cachefiles/interface.c
index 0a946d046724..5eedd6382737 100644
--- a/fs/cachefiles/interface.c
+++ b/fs/cachefiles/interface.c
@@ -106,6 +106,7 @@ static struct fscache_object *cachefiles_alloc_object(
 	kfree(buffer);
 nomem_buffer:
 	kfree(object->private);
+	object->private = NULL;
 nomem_obj_info:
 	BUG_ON(test_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags));
 	kmem_cache_free(cachefiles_object_jar, object);
@@ -379,6 +380,7 @@ static void cachefiles_put_object(struct fscache_object *_object,
 
 		cache = object->fscache.cache;
 		kfree(object->private);
+		object->private = NULL;
 		fscache_object_destroy(&object->fscache);
 		kmem_cache_free(cachefiles_object_jar, object);
 		fscache_object_destroyed(cache);
-- 
2.46.1

    