diff options
author | Xiubo Li <xiubli@redhat.com> | 2022-11-17 03:57:53 +0100 |
---|---|---|
committer | Ilya Dryomov <idryomov@gmail.com> | 2023-01-02 12:27:25 +0100 |
commit | 8e1858710d9a71d88acd922f2e95d1eddb90eea0 (patch) | |
tree | 478a0dfc7713b89e895ea5ac7e8ed5020b782107 /include | |
parent | ceph: switch to vfs_inode_has_locks() to fix file lock bug (diff) | |
download | linux-8e1858710d9a71d88acd922f2e95d1eddb90eea0.tar.xz linux-8e1858710d9a71d88acd922f2e95d1eddb90eea0.zip |
ceph: avoid use-after-free in ceph_fl_release_lock()
When ceph releasing the file_lock it will try to get the inode pointer
from the fl->fl_file, which the memory could already be released by
another thread in filp_close(). Because in VFS layer the fl->fl_file
doesn't increase the file's reference counter.
Will switch to use ceph dedicate lock info to track the inode.
And in ceph_fl_release_lock() we should skip all the operations if the
fl->fl_u.ceph.inode is not set, which should come from the request
file_lock. And we will set fl->fl_u.ceph.inode when inserting it to the
inode lock list, which is when copying the lock.
Link: https://tracker.ceph.com/issues/57986
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'include')
-rw-r--r-- | include/linux/fs.h | 3 |
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h index 066555ad1bf8..c1769a2c5d70 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -1119,6 +1119,9 @@ struct file_lock { int state; /* state of grant or error if -ve */ unsigned int debug_id; } afs; + struct { + struct inode *inode; + } ceph; } fl_u; } __randomize_layout; |