    locks: use file_inode() · a1f678e5
    Miklos Szeredi authored
    [ Upstream commit 6343a212 ]
    
    (Another one for the f_path debacle.)
    
    ltp fcntl33 testcase caused an Oops in selinux_file_send_sigiotask.
    
    The reason is that generic_add_lease() used filp->f_path.dentry->inode
    while all the others use file_inode().  This makes a difference for files
    opened on overlayfs since the former will point to the overlay inode the
    latter to the underlying inode.
    
    So generic_add_lease() added the lease to the overlay inode and
    generic_delete_lease() removed it from the underlying inode.  When the file
    was released the lease remained on the overlay inode's lock list, resulting
    in use after free.
    Reported-by: Eryu Guan <eguan@redhat.com>
    Fixes: 4bacc9c9 ("overlayfs: Make f_path always point to the overlay and f_inode to the underlay")
    Cc: <stable@vger.kernel.org>
    Signed-off-by: Miklos Szeredi <mszeredi@redhat.com>
    Reviewed-by: Jeff Layton <jlayton@redhat.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
    Signed-off-by: Sasha Levin <sasha.levin@oracle.com>
locks.c 69.9 KB