lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <20240324224720.1345309-613-sashal@kernel.org>
Date: Sun, 24 Mar 2024 18:45:38 -0400
From: Sasha Levin <sashal@...nel.org>
To: linux-kernel@...r.kernel.org,
	stable@...r.kernel.org
Cc: Mathias Krause <minipli@...ecurity.net>,
	Kent Overstreet <kent.overstreet@...ux.dev>,
	Greg Kroah-Hartman <gregkh@...uxfoundation.org>
Subject: [PATCH 6.7 612/713] bcachefs: install fd later to avoid race with close

From: Mathias Krause <minipli@...ecurity.net>

commit dd839f31d7cd5e04f4111a219024268c6f6973f0 upstream.

Calling fd_install() makes a file reachable for userland, including the
possibility to close the file descriptor, which leads to calling its
'release' hook. If that happens before the code had a chance to bump the
reference of the newly created task struct, the release callback will
call put_task_struct() too early, leading to the premature destruction
of the kernel thread.

Avoid that race by calling fd_install() later, after all the setup is
done.

Fixes: 1c6fdbd8f246 ("bcachefs: Initial commit")
Signed-off-by: Mathias Krause <minipli@...ecurity.net>
Signed-off-by: Kent Overstreet <kent.overstreet@...ux.dev>
Signed-off-by: Greg Kroah-Hartman <gregkh@...uxfoundation.org>
---
 fs/bcachefs/chardev.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/fs/bcachefs/chardev.c b/fs/bcachefs/chardev.c
index 4bb88aefed121..64000c8da5ee6 100644
--- a/fs/bcachefs/chardev.c
+++ b/fs/bcachefs/chardev.c
@@ -392,10 +392,9 @@ static long bch2_ioctl_data(struct bch_fs *c,
 		goto err;
 	}
 
-	fd_install(fd, file);
-
 	get_task_struct(ctx->thread);
 	wake_up_process(ctx->thread);
+	fd_install(fd, file);
 
 	return fd;
 err:
-- 
2.43.0

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ