ceph: avoid use-after-free in ceph_fl_release_lock()

When ceph releases the file_lock it will try to get the inode pointer
from fl->fl_file, whose memory could already have been released by
another thread in filp_close(), because in the VFS layer fl->fl_file
doesn't increase the file's reference counter.

Will switch to using ceph dedicated lock info to track the inode.

And in ceph_fl_release_lock() we should skip all the operations if
fl->fl_u.ceph.inode is not set, which should be the case for the request
file_lock. And we will set fl->fl_u.ceph.inode when inserting it into the
inode lock list, which is when copying the lock.

Link: https://tracker.ceph.com/issues/57986
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Author: Xiubo Li
Date: 2022-11-17 10:57:53 +08:00
Committed by: Ilya Dryomov
Parent: 461ab10ef7
Commit: 8e1858710d
2 changed files with 21 additions and 2 deletions


@@ -1119,6 +1119,9 @@ struct file_lock {
int state; /* state of grant or error if -ve */
unsigned int debug_id;
} afs;
struct {
struct inode *inode;
} ceph;
} fl_u;
} __randomize_layout;
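Review bot: the new `ceph` member of the `fl_u` union has no comment on the lifetime and ownership of the `inode` pointer, while the neighbouring `afs` fields each carry one. The commit message says the pointer is only set when the lock is copied into the inode's lock list and that a request file_lock must have it unset so ceph_fl_release_lock() skips all work; that relies on the file_lock having been zero-initialised, and on the caller only reading `fl_u.ceph` for locks whose ops identify them as ceph locks, since the union members share storage. Suggest stating both in place, e.g. `struct inode *inode; /* set only for locks on the inode's lock list; NULL for a request lock */`.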