From 35aed32e0ced7a1dcfde61c84a4a3cf2bec312b3 Mon Sep 17 00:00:00 2001
From: Qiheng Lin
Date: Tue, 17 Jan 2023 11:46:07 +0800
Subject: [PATCH] hmdfs: fix UAF of mdi(or d_fsdata)

merge_lookup_async() adds the lookup works, and merge_lookup_work_func() consumes the works. The mdi->work_lock should protect the mdi->work_count to avoid d_release_merge free the mdi(or d_fsdata).

Signed-off-by: Qiheng Lin
Change-Id: I31a688940ee710467a6350a51f986ad40bb615cb
---
 fs/hmdfs/inode_merge.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/hmdfs/inode_merge.c b/fs/hmdfs/inode_merge.c
index c020c8c201fa..c5cd7bdc4905 100644
--- a/fs/hmdfs/inode_merge.c
+++ b/fs/hmdfs/inode_merge.c
@@ -408,6 +408,7 @@ static void merge_lookup_work_func(struct work_struct *work)
 comrade = merge_lookup_comrade(ml_work->sbi, ml_work->name, ml_work->devid, ml_work->flags);
 if (IS_ERR(comrade)) {
+ mutex_lock(&mdi->work_lock);
 goto out;
 }
@@ -504,6 +505,7 @@ static int lookup_merge_normal(struct dentry *dentry, unsigned int flags)
 goto out_ppath;
 }
+ mutex_lock(&mdi->work_lock);
 mutex_lock(&sbi->connections.node_lock);
 if (mdi->type != DT_REG || devid == 0) {
 snprintf(cpath, PATH_MAX, "device_view/local%s/%s", ppath,
@@ -524,6 +526,7 @@ static int lookup_merge_normal(struct dentry *dentry, unsigned int flags)
 hmdfs_err("failed to create remote lookup work");
 }
 mutex_unlock(&sbi->connections.node_lock);
+ mutex_unlock(&mdi->work_lock);
 wait_event(mdi->wait_queue, is_merge_lookup_end(mdi));
-- 
Gitee
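Review bot: The error branch of merge_lookup_work_func() takes `mdi->work_lock` and jumps straight to `out`, so the matching unlock and the `work_count` update presumably sit at the `out:` label, which is outside this hunk. That gives the label a hidden precondition: a later `goto out` added without the lock held would release a mutex the worker does not own, or touch `work_count` unprotected. Either would reopen the race with d_release_merge that the commit message describes. I would state the contract at the label, for example `/* out: reached with mdi->work_lock held; work_count is updated and the lock released below */`. The function body starts and ends outside the hunk, so it is worth confirming that every other path into `out` also holds the lock.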
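Review bot: Taking `mdi->work_lock` before `sbi->connections.node_lock` in lookup_merge_normal() introduces a nesting order that the patch does not document. Any path that acquires the two mutexes in the opposite order would deadlock, so a comment at the acquisition such as `/* lock order: mdi->work_lock, then sbi->connections.node_lock */` would help. It is also worth confirming that merge_lookup_async(), which presumably runs inside this region, never takes `work_lock` itself. The matching `mutex_unlock(&mdi->work_lock)` is in the third hunk and the lines between the two hunks are not shown; every exit from that region has to drop both mutexes before `wait_event()`, because the workers need `work_lock` to finish. The function starts and ends outside both hunks.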