Git Repo - linux.git/commitdiff
fuse: fix use-after-free in fuse_direct_IO()
author: Lukas Czerner <[email protected]>
Fri, 9 Nov 2018 13:51:46 +0000 (14:51 +0100)
committer: Miklos Szeredi <[email protected]>
Fri, 9 Nov 2018 14:52:17 +0000 (15:52 +0100)
In the async IO blocking case the additional reference to the io is taken for
it to survive fuse_aio_complete(). In the non-blocking case this additional
reference is not needed; however, we still reference io to figure out
whether to wait for completion or not. This is wrong and will lead to a
use-after-free. Fix it by storing the blocking information in a separate
variable.

This was spotted by KASAN when running generic/208 fstest.

Signed-off-by: Lukas Czerner <[email protected]>
Reported-by: Zorro Lang <[email protected]>
Signed-off-by: Miklos Szeredi <[email protected]>
Fixes: 744742d692e3 ("fuse: Add reference counting for fuse_io_priv")
Cc: <[email protected]> # v4.6
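The lifetime problem the message describes, modelled in an added example that is not kernel code: a reference-counted stand-in for fuse_io_priv whose `aio_complete()` releases the object at refcount zero, with a freed flag and an access counter standing in for KASAN. The two `direct_io_*` functions are assumed simplifications of the orderings before and after this commit.

```c
#include <stdbool.h>
#define EIOCBQUEUED 529          /* same value as the kernel's errno.h */

struct io_priv {                 /* stand-in for fuse_io_priv (added model) */
    int refcnt;
    bool blocking;
    bool freed;                  /* set instead of free() so accesses are checkable */
};

static int uaf_reports;          /* accesses to a freed io, like KASAN reports */

static bool io_blocking(struct io_priv *io)   /* the io->blocking dereference */
{
    if (io->freed)
        uaf_reports++;
    return io->blocking;
}

/* Model of fuse_aio_complete(): drops one reference, frees at zero. */
static void aio_complete(struct io_priv *io)
{
    if (--io->refcnt == 0)
        io->freed = true;
}

/* Ordering before the fix: io is read after the reference drop. */
static int direct_io_before_fix(struct io_priv *io)
{
    aio_complete(io);
    if (!io_blocking(io))
        return -EIOCBQUEUED;
    return 0;                    /* blocking path: would wait_for_completion() */
}

/* Ordering after the fix: the flag is copied before the reference drop. */
static int direct_io_after_fix(struct io_priv *io)
{
    bool blocking = io->blocking;
    aio_complete(io);
    if (!blocking)
        return -EIOCBQUEUED;
    return 0;
}

/* Runs one version on a non-blocking io holding the last reference; returns
 * the number of freed-object accesses, or -1 if it did not return -EIOCBQUEUED. */
static int uaf_count(int (*fn)(struct io_priv *))
{
    struct io_priv io = { .refcnt = 1, .blocking = false, .freed = false };
    uaf_reports = 0;
    return fn(&io) == -EIOCBQUEUED ? uaf_reports : -1;
}
```

Both orderings return the same value to the caller, which is why only a sanitizer or a crash on a reused allocation exposes the difference.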
fs/fuse/file.c

index cc2121b37bf5f7d3bb0a57398a2abfc6948ad321..b52f9baaa3e7b9c98478a8c115748ae71fb7b0e1 100644
@@ -2924,10 +2924,12 @@ fuse_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
        }
 
        if (io->async) {
+               bool blocking = io->blocking;
+
                fuse_aio_complete(io, ret < 0 ? ret : 0, -1);
 
                /* we have a non-extending, async request, so return */
-               if (!io->blocking)
+               if (!blocking)
                        return -EIOCBQUEUED;
 
                wait_for_completion(&wait);
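Review bot: the new local at `bool blocking = io->blocking;` carries no comment explaining why it exists; since fuse_aio_complete() can drop the last reference to io in the non-blocking case (per the commit message), a one-line comment such as `/* io may be freed by fuse_aio_complete() in the non-blocking case */` above it would keep a later cleanup from folding the local back into `if (!io->blocking)` and reintroducing the use-after-free. The ordering itself is correct: the flag is read before the call, and nothing in the visible lines dereferences io afterwards.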