[PATCH OLK-6.6 0/1] mfs: Avoid UAF on cache object when anon_file is release
Avoid UAF on cache object when anon_file is release. Hongbo Li (1): mfs: Avoid UAF on cache object when anon_file is release fs/mfs/cache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) -- 2.34.1
In MFS, each anon_file pointers a cache object which holds the reference of real inode, but the inode can left only one reference in some cases. When the daemon process is exit, the anon file related with fd will be closed. If we call iput first, the inode may trigger eviction which destroys the cache object. So, we should iput later to avoid the UAF problem. Fixes: 2f9b2be9c1a1 ("[Huawei] mfs: Add user command for handling events") Signed-off-by: Hongbo Li <lihongbo22@huawei.com> --- fs/mfs/cache.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/fs/mfs/cache.c b/fs/mfs/cache.c index 2675fe58b781..c06dcc9dc758 100644 --- a/fs/mfs/cache.c +++ b/fs/mfs/cache.c @@ -24,9 +24,11 @@ static int fd_release(struct inode *inode, struct file *file) if (object->fd > 0) { object->fd = -1; object->anon_file = NULL; + up_write(&object->rwsem); iput(object->mfs_inode); + } else { + up_write(&object->rwsem); } - up_write(&object->rwsem); return 0; } -- 2.34.1
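Review bot: In the `if (object->fd > 0)` branch of fd_release(), the new ordering is right, but `up_write(&object->rwsem)` is now duplicated across both branches, and `iput(object->mfs_inode)` still reads a field of `object` after the lock is dropped. Consider copying `object->mfs_inode` into a local `struct inode *` while the rwsem is held, doing a single unconditional `up_write(&object->rwsem)`, and then calling `iput()` on the local only when the fd was valid. That keeps one unlock path and makes it obvious that nothing touches `object` once the final reference may be gone. A short comment above the `iput()` saying it must come last, because eviction can destroy the cache object (as the commit message explains), would keep a later cleanup from moving the unlock back below it.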
Feedback: The patch(es) which you have sent to kernel@openeuler.org mailing list has been converted to a pull request successfully!
Pull request link: https://atomgit.com/openeuler/kernel/merge_requests/19927
Mailing list address: https://mailweb.openeuler.org/archives/list/kernel@openeuler.org/message/UVV...
participants (2)
- Hongbo Li
- patchwork bot