From: Jeff Layton jlayton@kernel.org
stable inclusion from stable-v5.10.222 commit 7d4c14f4b511fd4c0dc788084ae59b4656ace58b category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/IAGEKN CVE: CVE-2024-41049
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=...
--------------------------------
[ Upstream commit 1b3ec4f7c03d4b07bad70697d7e2f4088d2cfe92 ]
Light Hsieh reported a KASAN UAF warning in trace_posix_lock_inode(). The request pointer had been changed earlier to point to a lock entry that was added to the inode's list. However, before the tracepoint could fire, another task raced in and freed that lock.
Fix this by moving the tracepoint inside the spinlock, which should ensure that this doesn't happen.
Fixes: 74f6f5912693 ("locks: fix KASAN: use-after-free in trace_event_raw_event_filelock_lock") Link: https://lore.kernel.org/linux-fsdevel/724ffb0a2962e912ea62bb0515deadf39c3251... Reported-by: Light Hsieh (謝明燈) Light.Hsieh@mediatek.com Signed-off-by: Jeff Layton jlayton@kernel.org Link: https://lore.kernel.org/r/20240702-filelock-6-10-v1-1-96e766aadc98@kernel.or... Reviewed-by: Alexander Aring aahringo@redhat.com Signed-off-by: Christian Brauner brauner@kernel.org Signed-off-by: Sasha Levin sashal@kernel.org Signed-off-by: Yifan Qiao qiaoyifan4@huawei.com --- fs/locks.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/locks.c b/fs/locks.c index 4e4b36c330f9..f4504008a2ea 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -1337,9 +1337,9 @@ static int posix_lock_inode(struct inode *inode, struct file_lock *request, locks_wake_up_blocks(left); } out: + trace_posix_lock_inode(inode, request, error); spin_unlock(&ctx->flc_lock); percpu_up_read(&file_rwsem); - trace_posix_lock_inode(inode, request, error); /* * Free any unused locks. */