OpenCloudOS-Kernel/fs/9p
Dominique Martinet f0c5c944c6 9p: add missing locking around taking dentry fid list
commit c898afdc15645efb555acb6d85b484eb40a45409 upstream.

Fix a use-after-free on dentry's d_fsdata fid list when a thread
looks up a fid through dentry while another thread unlinks it:

UAF thread:
refcount_t: addition on 0; use-after-free.
 p9_fid_get linux/./include/net/9p/client.h:262
 v9fs_fid_find+0x236/0x280 linux/fs/9p/fid.c:129
 v9fs_fid_lookup_with_uid linux/fs/9p/fid.c:181
 v9fs_fid_lookup+0xbf/0xc20 linux/fs/9p/fid.c:314
 v9fs_vfs_getattr_dotl+0xf9/0x360 linux/fs/9p/vfs_inode_dotl.c:400
 vfs_statx+0xdd/0x4d0 linux/fs/stat.c:248

Freed by:
 p9_fid_destroy (inlined)
 p9_client_clunk+0xb0/0xe0 linux/net/9p/client.c:1456
 p9_fid_put linux/./include/net/9p/client.h:278
 v9fs_dentry_release+0xb5/0x140 linux/fs/9p/vfs_dentry.c:55
 v9fs_remove+0x38f/0x620 linux/fs/9p/vfs_inode.c:518
 vfs_unlink+0x29a/0x810 linux/fs/namei.c:4335

The problem is that d_fsdata was not accessed under d_lock, because
d_release() normally is only called once the dentry is otherwise no
longer accessible but since we also call it explicitly in v9fs_remove
that lock is required:
move the hlist out of the dentry under lock then unref its fids once
they are no longer accessible.

Fixes: 154372e67d ("fs/9p: fix create-unlink-getattr idiom")
Cc: stable@vger.kernel.org
Reported-by: Meysam Firouzi
Reported-by: Amirmohammad Eftekhar
Reviewed-by: Christian Schoenebeck <linux_oss@crudebyte.com>
Message-ID: <20240521122947.1080227-1-asmadeus@codewreck.org>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-06-16 13:47:37 +02:00
..
Kconfig 9p: Remove INET dependency 2023-05-04 21:46:57 +01:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
acl.c fs: port inode_owner_or_capable() to mnt_idmap 2023-01-19 09:24:29 +01:00
acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
cache.c mm, netfs, fscache: stop read optimisation when folio removed from pagecache 2023-08-18 10:12:13 -07:00
cache.h fs/9p: Rework cache modes and add new options to Documentation 2023-04-09 21:41:21 +00:00
fid.c fs/9p: remove writeback fid and fix per-file modes 2023-03-27 02:33:48 +00:00
fid.h fs/9p: fix the cache always being enabled on files with qid flags 2024-05-17 12:02:18 +02:00
v9fs.c fs/9p: Remove unused extern declaration 2023-07-20 19:21:48 +00:00
v9fs.h fs/9p: Fix a datatype used with V9FS_DIRECT_IO 2023-07-10 13:04:37 +00:00
v9fs_vfs.h 9p: Fix initialisation of netfs_inode for 9p 2024-02-05 20:14:32 +00:00
vfs_addr.c Including fixes from netfilter. 2023-05-05 19:12:01 -07:00
vfs_dentry.c 9p: add missing locking around taking dentry fid list 2024-06-16 13:47:37 +02:00
vfs_dir.c 9p: fix ignored return value in v9fs_dir_release 2023-07-20 19:05:52 +00:00
vfs_file.c 9p: explicitly deny setlease attempts 2024-05-17 12:02:18 +02:00
vfs_inode.c fs/9p: translate O_TRUNC into OTRUNC 2024-05-17 12:02:18 +02:00
vfs_inode_dotl.c 9p: Fix initialisation of netfs_inode for 9p 2024-02-05 20:14:32 +00:00
vfs_super.c fs/9p: drop inodes immediately on non-.L too 2024-05-17 12:02:19 +02:00
xattr.c 9p: v9fs_listxattr: fix %s null argument warning 2023-11-28 17:19:46 +00:00
xattr.h 9p: use stub posix acl handlers 2022-10-20 10:13:32 +02:00