linux/fs/overlayfs
yangerkun 9a25440376 ovl: fix use after free in struct ovl_aio_req
Example for triggering use after free in an overlay on ext4 setup:

aio_read
  ovl_read_iter
    vfs_iter_read
      ext4_file_read_iter
        ext4_dio_read_iter
          iomap_dio_rw -> -EIOCBQUEUED
          /*
           * Here IO is completed in a separate thread,
           * ovl_aio_cleanup_handler() frees aio_req which has iocb embedded
           */
          file_accessed(iocb->ki_filp); /**BOOM**/

Fix by introducing a refcount in ovl_aio_req similarly to aio_kiocb.  This
guarantees that iocb is only freed after vfs_read/write_iter() returns on
underlying fs.

Fixes: 2406a307ac ("ovl: implement async IO routines")
Signed-off-by: yangerkun <yangerkun@huawei.com>
Link: https://lore.kernel.org/r/20210930032228.3199690-3-yangerkun@huawei.com/
Cc: <stable@vger.kernel.org> # v5.6
Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
2021-10-29 13:48:19 +02:00
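The race above and the refcount fix are easier to see in a userspace model. The following C program is an added example written for this page, not code from the overlayfs tree or from the commit: `struct aio_req`, `underlying_read_iter()`, `ovl_read_iter_model()` and the `completion_wins` knob are all assumptions standing in for `struct ovl_aio_req`, the ext4 read path and the scheduling of the completion thread. Instead of really freeing the request, `req_free()` only records that it was freed, so the use-after-free is observable as a return value rather than undefined behaviour. With the pre-fix cleanup handler, letting the completion run before `file_accessed()` reports a UAF; with a reference held across the submit call, the object survives until both the submitter and the completion have dropped their reference, and it is still released in every interleaving (no leak).

```c
#include <stdbool.h>
#include <stdio.h>

/* Model of the kernel objects; only the fields the bug touches are kept. */
struct kiocb {
    const char *ki_filp;        /* stands in for the file pointer file_accessed() dereferences */
};

struct aio_req {                /* hypothetical model of struct ovl_aio_req */
    struct kiocb iocb;          /* embedded: freeing the request frees the iocb with it */
    int ref;                    /* the refcount the fix introduces */
    bool freed;                 /* instrumentation: kfree() is recorded, not performed */
    int file_accessed_calls;    /* instrumentation: post-submit accesses that hit a live object */
};

typedef void (*complete_fn)(struct aio_req *req);

/* Model of kfree() on the request. */
static void req_free(struct aio_req *req) { req->freed = true; }

static void req_get(struct aio_req *req) { req->ref++; }
static void req_put(struct aio_req *req) { if (--req->ref == 0) req_free(req); }

/* Model of the underlying filesystem's read path: iomap_dio_rw() queues the IO
 * and returns -EIOCBQUEUED, after which file_accessed(iocb->ki_filp) still
 * touches the iocb. In the kernel the completion runs on another thread;
 * completion_wins models the interleaving where it fires before this function
 * reaches file_accessed(). Returns true when that access hit a freed object. */
static bool underlying_read_iter(struct aio_req *req, complete_fn complete, bool completion_wins)
{
    if (completion_wins)
        complete(req);
    if (req->freed)
        return true;            /* the BOOM from the commit message */
    req->file_accessed_calls++; /* file_accessed(iocb->ki_filp) on a live iocb */
    (void)req->iocb.ki_filp;
    return false;
}

/* Before the fix: the completion handler frees the request outright. */
static void ovl_aio_cleanup_buggy(struct aio_req *req) { req_free(req); }

/* After the fix: the completion handler only drops its reference. */
static void ovl_aio_cleanup_fixed(struct aio_req *req) { req_put(req); }

/* Runs one submission. Returns true if a use-after-free occurred; afterwards
 * req->freed tells whether the object was eventually released. */
static bool ovl_read_iter_model(struct aio_req *req, bool fixed, bool completion_wins)
{
    complete_fn complete = fixed ? ovl_aio_cleanup_fixed : ovl_aio_cleanup_buggy;
    bool uaf;

    *req = (struct aio_req){ .iocb = { .ki_filp = "/merged/file" } }; /* constructed input */
    if (fixed) {
        req->ref = 1;           /* reference owned by the completion */
        req_get(req);           /* reference held across the submit call */
    }
    uaf = underlying_read_iter(req, complete, completion_wins);
    if (fixed)
        req_put(req);           /* submit path is done with the iocb */
    if (!completion_wins)
        complete(req);          /* completion fires after submit returned, the usual case */
    return uaf;
}

int main(void)
{
    struct aio_req req;
    bool uaf;

    uaf = ovl_read_iter_model(&req, false, true);
    printf("buggy, completion wins race:  uaf=%d freed=%d\n", uaf, req.freed);
    uaf = ovl_read_iter_model(&req, true, true);
    printf("fixed, completion wins race:  uaf=%d freed=%d\n", uaf, req.freed);
    uaf = ovl_read_iter_model(&req, true, false);
    printf("fixed, completion fires late: uaf=%d freed=%d\n", uaf, req.freed);
    return 0;
}
```

The point of the two-reference scheme is that neither party needs to know who finishes last: the completion and the submit path each drop exactly one reference, and whichever drop reaches zero does the free. The same pattern applies to any object that is handed to an asynchronous consumer while the caller still holds a pointer into it.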
copy_up.c ovl: use kvalloc in xattr copy-up 2021-08-17 11:47:45 +02:00
dir.c ovl: fix missing negative dentry check in ovl_rename() 2021-09-24 21:00:31 +02:00
export.c ovl: fix uninitialized pointer read in ovl_lookup_real_one() 2021-08-10 10:21:30 +02:00
file.c ovl: fix use after free in struct ovl_aio_req 2021-10-29 13:48:19 +02:00
inode.c ovl: enable RCU'd ->get_acl() 2021-08-18 22:08:24 +02:00
Kconfig docs: fix broken references to text files 2020-04-20 15:35:59 -06:00
Makefile treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
namei.c ovl: relax lookup error on mismatch origin ftype 2021-08-17 11:47:44 +02:00
overlayfs.h vfs: add rcu argument to ->get_acl() callback 2021-08-18 22:08:24 +02:00
ovl_entry.h ovl: implement volatile-specific fsync error behaviour 2021-01-28 10:22:48 +01:00
readdir.c ovl: skip stale entries in merge dir cache iteration 2021-08-10 10:21:30 +02:00
super.c ovl: add ovl_allow_offline_changes() helper 2021-08-17 11:47:44 +02:00
util.c ovl: consistent behavior for immutable/append-only inodes 2021-08-17 11:47:43 +02:00