fuse: fix use after free issue in fuse_dev_do_read()

There is a potential race between fuse_dev_do_write()
and request_wait_answer() contexts as shown below:

TASK 1:
__fuse_request_send():
  |--spin_lock(&fiq->waitq.lock);
  |--queue_request();
  |--spin_unlock(&fiq->waitq.lock);
  |--request_wait_answer():
       |--if (test_bit(FR_SENT, &req->flags))
       <gets pre-empted after it is validated true>  TASK 2:
       						     fuse_dev_do_write():
						       |--clears bit FR_SENT,
						       |--request_end():
						          |--sets bit FR_FINISHED
							  |--spin_lock(&fiq->waitq.lock);
							  |--list_del_init(&req->intr_entry);
							  |--spin_unlock(&fiq->waitq.lock);
							  |--fuse_put_request();
       |--queue_interrupt();
       <request gets queued to interrupts list>
            |--wake_up_locked(&fiq->waitq);
       |--wait_event_freezable();
       <as FR_FINISHED is set, it returns and then
       the caller frees this request>

Now, the next fuse_dev_do_read(), see interrupts list is not empty
and then calls fuse_read_interrupt() which tries to access the request
which is already free'd and gets the below crash:

[11432.401266] Unable to handle kernel paging request at virtual address
6b6b6b6b6b6b6b6b
...
[11432.456168] PC is at __list_del_entry+0x6c/0xc4
[11432.463573] LR is at fuse_dev_do_read+0x1ac/0x474
...
[11432.679999] __list_del_entry+0x6c/0xc4
[11432.687794] fuse_dev_do_read+0x1ac/0x474
[11432.693180] fuse_dev_read+0x6c/0x78
[11432.699082] __vfs_read+0xc0/0xe8
[11432.704459] vfs_read+0x90/0x108

As FR_FINISHED bit is set before deleting the intr_entry with input
queue lock in request completion path, do the testing of this flag and
queueing atomically with the same lock in queue_interrupt().

Change-Id: I84232771cf09a809806568144441fd356b87d46c
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>

0 files changed, 0 insertions, 0 deletions