summaryrefslogtreecommitdiffstats
path: root/include/linux/fs.h
diff options
context:
space:
mode:
authorXiubo Li <xiubli@redhat.com>2022-11-17 10:57:53 +0800
committerIlya Dryomov <idryomov@gmail.com>2023-01-02 12:27:25 +0100
commit8e1858710d9a71d88acd922f2e95d1eddb90eea0 (patch)
tree478a0dfc7713b89e895ea5ac7e8ed5020b782107 /include/linux/fs.h
parent461ab10ef7e6ea9b41a0571a7fc6a72af9549a3c (diff)
downloadlinux-8e1858710d9a71d88acd922f2e95d1eddb90eea0.tar.gz
linux-8e1858710d9a71d88acd922f2e95d1eddb90eea0.tar.bz2
linux-8e1858710d9a71d88acd922f2e95d1eddb90eea0.zip
ceph: avoid use-after-free in ceph_fl_release_lock()
When ceph releasing the file_lock it will try to get the inode pointer from the fl->fl_file, which the memory could already be released by another thread in filp_close(). Because in VFS layer the fl->fl_file doesn't increase the file's reference counter. Will switch to use ceph dedicate lock info to track the inode. And in ceph_fl_release_lock() we should skip all the operations if the fl->fl_u.ceph.inode is not set, which should come from the request file_lock. And we will set fl->fl_u.ceph.inode when inserting it to the inode lock list, which is when copying the lock. Link: https://tracker.ceph.com/issues/57986 Signed-off-by: Xiubo Li <xiubli@redhat.com> Reviewed-by: Jeff Layton <jlayton@kernel.org> Reviewed-by: Ilya Dryomov <idryomov@gmail.com> Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Diffstat (limited to 'include/linux/fs.h')
-rw-r--r--include/linux/fs.h3
1 files changed, 3 insertions, 0 deletions
diff --git a/include/linux/fs.h b/include/linux/fs.h
index 066555ad1bf8..c1769a2c5d70 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -1119,6 +1119,9 @@ struct file_lock {
int state; /* state of grant or error if -ve */
unsigned int debug_id;
} afs;
+ struct {
+ struct inode *inode;
+ } ceph;
} fl_u;
} __randomize_layout;