kernel_optimize_test

Go to file

Sahitya Tummala 6ba4d2722d fuse: fix use after free issue in fuse_dev_do_read() There is a potential race between fuse_dev_do_write() and request_wait_answer() contexts as shown below: TASK 1: __fuse_request_send(): \|--spin_lock(&fiq->waitq.lock); \|--queue_request(); \|--spin_unlock(&fiq->waitq.lock); \|--request_wait_answer(): \|--if (test_bit(FR_SENT, &req->flags)) <gets pre-empted after it is validated true> TASK 2: fuse_dev_do_write(): \|--clears bit FR_SENT, \|--request_end(): \|--sets bit FR_FINISHED \|--spin_lock(&fiq->waitq.lock); \|--list_del_init(&req->intr_entry); \|--spin_unlock(&fiq->waitq.lock); \|--fuse_put_request(); \|--queue_interrupt(); <request gets queued to interrupts list> \|--wake_up_locked(&fiq->waitq); \|--wait_event_freezable(); <as FR_FINISHED is set, it returns and then the caller frees this request> Now, the next fuse_dev_do_read(), see interrupts list is not empty and then calls fuse_read_interrupt() which tries to access the request which is already free'd and gets the below crash: [11432.401266] Unable to handle kernel paging request at virtual address 6b6b6b6b6b6b6b6b ... [11432.418518] Kernel BUG at ffffff80083720e0 [11432.456168] PC is at __list_del_entry+0x6c/0xc4 [11432.463573] LR is at fuse_dev_do_read+0x1ac/0x474 ... [11432.679999] [<ffffff80083720e0>] __list_del_entry+0x6c/0xc4 [11432.687794] [<ffffff80082c65e0>] fuse_dev_do_read+0x1ac/0x474 [11432.693180] [<ffffff80082c6b14>] fuse_dev_read+0x6c/0x78 [11432.699082] [<ffffff80081d5638>] __vfs_read+0xc0/0xe8 [11432.704459] [<ffffff80081d5efc>] vfs_read+0x90/0x108 [11432.709406] [<ffffff80081d67f0>] SyS_read+0x58/0x94 As FR_FINISHED bit is set before deleting the intr_entry with input queue lock in request completion path, do the testing of this flag and queueing atomically with the same lock in queue_interrupt(). Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Signed-off-by: Miklos Szeredi <mszeredi@redhat.com> Fixes: `fd22d62ed0` ("fuse: no fc->lock for iqueue parts") Cc: <stable@vger.kernel.org> # 4.2+		2017-02-15 10:28:24 +01:00
arch	Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2017-02-11 10:31:46 -08:00
block	block: don't try Write Same from __blkdev_issue_zeroout	2017-02-06 09:34:46 -07:00
certs	certs: Add a secondary system keyring that can be added to dynamically	2016-04-11 22:48:09 +01:00
crypto	crypto: algif_aead - Fix kernel panic on list_del	2017-02-03 17:45:48 +08:00
Documentation	media fixes for v4.10-rc8	2017-02-06 14:37:55 -08:00
drivers	Merge branch 'irq-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2017-02-11 10:14:24 -08:00
firmware
fs	fuse: fix use after free issue in fuse_dev_do_read()	2017-02-15 10:28:24 +01:00
include	Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net	2017-02-10 14:44:49 -08:00
init	kbuild: modversions: add infrastructure for emitting relative CRCs	2017-02-03 08:28:25 -08:00
ipc	ipc/sem.c: fix incorrect sem_lock pairing	2017-01-10 18:31:55 -08:00
kernel	Merge branch 'timers-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2017-02-11 10:24:16 -08:00
lib	mm: do not export ioremap_page_range symbol for external module	2017-01-24 16:26:14 -08:00
mm	mm/slub.c: fix random_seq offset destruction	2017-02-08 15:41:43 -08:00
net	l2tp: do not use udp_ioctl()	2017-02-10 15:57:34 -05:00
samples	bpf: fix samples xdp_tx_iptunnel and tc_l2_redirect with fake KBUILD_MODNAME	2017-01-20 12:04:07 -05:00
scripts	kbuild: modversions: add infrastructure for emitting relative CRCs	2017-02-03 08:28:25 -08:00
security	selinux: fix off-by-one in setprocattr	2017-02-08 19:09:53 +11:00
sound	ALSA: hda - adding a new NV HDMI/DP codec ID in the driver	2017-02-09 08:57:47 +01:00
tools	perf/urgent fixes:	2017-02-03 20:42:30 +01:00
usr	kbuild: initramfs cleanup, set target from Kconfig	2017-01-05 09:40:16 -08:00
virt	KVM/ARM updates for 4.10-rc4	2017-01-17 15:04:59 +01:00
.cocciconfig	scripts: add Linux .cocciconfig for coccinelle	2016-07-22 12:13:39 +02:00
.get_maintainer.ignore
.gitattributes	.gitattributes: set git diff driver for C source code files	2016-10-07 18:46:30 -07:00
.gitignore	Merge branch 'misc' of git://git.kernel.org/pub/scm/linux/kernel/git/mmarek/kbuild	2016-08-02 16:48:52 -04:00
.mailmap	mailmap: add codeaurora.org names for nameless email commits	2017-01-10 18:31:55 -08:00
COPYING
CREDITS	CREDITS: Remove outdated address information	2016-12-21 15:21:29 -08:00
Kbuild	scripts/gdb: provide linux constants	2016-05-23 17:04:14 -07:00
Kconfig
MAINTAINERS	ARM: SoC fixes for v4.10	2017-02-08 10:01:39 -08:00
Makefile	Linux 4.10-rc8	2017-02-12 13:03:20 -08:00
README	README: add a new README file, pointing to the Documentation/	2016-10-24 08:12:35 -02:00

README

Linux kernel
============

This file was moved to Documentation/admin-guide/README.rst

Please notice that there are several guides for kernel developers and users.
These guides can be rendered in a number of formats, like HTML and PDF.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.
See Documentation/00-INDEX for a list of what is contained in each file.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.