From patchwork Fri Jul 1 12:56:07 2016
X-Patchwork-Submitter: Miklos Szeredi
X-Patchwork-Id: 9209883
From: Miklos Szeredi
To: Al Viro
Cc: linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-unionfs@vger.kernel.org, , Jeff Layton, "J. Bruce Fields"
Subject: [PATCH] locks: use file_inode()
Date: Fri, 1 Jul 2016 14:56:07 +0200
Message-Id: <1467377767-12845-1-git-send-email-mszeredi@redhat.com>
X-Mailer: git-send-email 2.5.5

(Another one for the f_path debacle.)

ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.

The reason is that generic_add_lease() used filp->f_path.dentry->inode while all the others use file_inode(). This makes a difference for files opened on overlayfs since the former will point to the overlay inode, the latter to the underlying inode.

So generic_add_lease() added the lease to the overlay inode and generic_delete_lease() removed it from the underlying inode. When the file was released the lease remained on the overlay inode's lock list, resulting in use after free.

Reported-by: Eryu Guan
Signed-off-by: Miklos Szeredi
Fixes: 4bacc9c9234c ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
Cc:
Cc: Jeff Layton
Cc: "J. Bruce Fields"
---
 fs/locks.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/locks.c b/fs/locks.c index 7c5f91be9b65..ee1b15f6fc13 100644 --- a/fs/locks.c +++ b/fs/locks.c @@ -1628,7 +1628,7 @@ generic_add_lease(struct file *filp, long arg, struct file_lock **flp, void **pr { struct file_lock *fl, *my_fl = NULL, *lease; struct dentry *dentry = filp->f_path.dentry; - struct inode *inode = dentry->d_inode; + struct inode *inode = file_inode(filp); struct file_lock_context *ctx; bool is_deleg = (*flp)->fl_flags & FL_DELEG; int error;
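Review bot: the hunk switches `inode` to `file_inode(filp)` but keeps `struct dentry *dentry = filp->f_path.dentry;` on the line above it, so after this change `dentry` still refers to the overlay dentry while `inode` refers to the underlying inode. The visible context does not show the remaining uses of `dentry` inside generic_add_lease(); please confirm that none of them re-derives the inode via `dentry->d_inode`, since that would reintroduce the overlay/underlay mismatch the commit message blames for the use after free, and drop the `dentry` local entirely if nothing else in the function needs it. Given the Fixes: tag and the stable Cc:, a one-line note in the commit message that the other lease paths (generic_delete_lease() per the description) already use file_inode() would make the backport rationale self-contained.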