)]}'
{
  "commit": "46865618af6d18cb5b4a19f5df65fa9c9c17c4ac",
  "tree": "5eb8abaa9c78bcde7e997f5440631597c5e2c69d",
  "parents": [
    "6b2c6b8982d31221e8d60d2a71c51eba92ce4dc2"
  ],
  "author": {
    "name": "Baokun Li",
    "email": "libaokun1@huawei.com",
    "time": "Fri Jul 19 21:43:37 2024 +0800"
  },
  "committer": {
    "name": "Arnav Kansal",
    "email": "rnv@google.com",
    "time": "Fri Aug 30 17:35:57 2024 +0000"
  },
  "message": "cachefiles: fix slab-use-after-free in fscache_withdraw_volume()\n\n[ Upstream commit 522018a0de6b6fcce60c04f86dfc5f0e4b6a1b36 ]\n\nWe got the following issue in our fault injection stress test:\n\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\nBUG: KASAN: slab-use-after-free in fscache_withdraw_volume+0x2e1/0x370\nRead of size 4 at addr ffff88810680be08 by task ondemand-04-dae/5798\n\nCPU: 0 PID: 5798 Comm: ondemand-04-dae Not tainted 6.8.0-dirty #565\nCall Trace:\n kasan_check_range+0xf6/0x1b0\n fscache_withdraw_volume+0x2e1/0x370\n cachefiles_withdraw_volume+0x31/0x50\n cachefiles_withdraw_cache+0x3ad/0x900\n cachefiles_put_unbind_pincount+0x1f6/0x250\n cachefiles_daemon_release+0x13b/0x290\n __fput+0x204/0xa00\n task_work_run+0x139/0x230\n\nAllocated by task 5820:\n __kmalloc+0x1df/0x4b0\n fscache_alloc_volume+0x70/0x600\n __fscache_acquire_volume+0x1c/0x610\n erofs_fscache_register_volume+0x96/0x1a0\n erofs_fscache_register_fs+0x49a/0x690\n erofs_fc_fill_super+0x6c0/0xcc0\n vfs_get_super+0xa9/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\nFreed by task 5820:\n kfree+0xf1/0x2c0\n fscache_put_volume.part.0+0x5cb/0x9e0\n erofs_fscache_unregister_fs+0x157/0x1b0\n erofs_kill_sb+0xd9/0x1c0\n deactivate_locked_super+0xa3/0x100\n vfs_get_super+0x105/0x140\n vfs_get_tree+0x8e/0x300\n do_new_mount+0x28c/0x580\n [...]\n\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\u003d\n\nFollowing is the process that triggers the issue:\n\n        mount failed         |         daemon exit\n------------------------------------------------------------\n deactivate_locked_super        cachefiles_daemon_release\n  erofs_kill_sb\n   erofs_fscache_unregister_fs\n    fscache_relinquish_volume\n     __fscache_relinquish_volume\n      fscache_put_volume(fscache_volume, fscache_volume_put_relinquish)\n       zero \u003d __refcount_dec_and_test(\u0026fscache_volume-\u003eref, \u0026ref);\n                                 cachefiles_put_unbind_pincount\n                                  cachefiles_daemon_unbind\n                                   cachefiles_withdraw_cache\n                                    cachefiles_withdraw_volumes\n                                     list_del_init(\u0026volume-\u003ecache_link)\n       fscache_free_volume(fscache_volume)\n        cache-\u003eops-\u003efree_volume\n         cachefiles_free_volume\n          list_del_init(\u0026cachefiles_volume-\u003ecache_link);\n        kfree(fscache_volume)\n                                     cachefiles_withdraw_volume\n                                      fscache_withdraw_volume\n                                       fscache_volume-\u003en_accesses\n                                       // fscache_volume UAF !!!\n\nThe fscache_volume in cache-\u003evolumes must not have been freed yet, but its\nreference count may be 0. So use the new fscache_try_get_volume() helper\nfunction try to get its reference count.\n\nIf the reference count of fscache_volume is 0, fscache_put_volume() is\nfreeing it, so wait for it to be removed from cache-\u003evolumes.\n\nIf its reference count is not 0, call cachefiles_withdraw_volume() with\nreference count protection to avoid the above issue.\n\nBUG\u003db/361524362\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixes CVE-2024-41058 in the Linux kernel\n\ncos-patch: security-high\nFixes: fe2140e2f57f (\"cachefiles: Implement volume support\")\nChange-Id: Id1a1150e74adccaa769e5ed34d39e369fd22c4b1\nSigned-off-by: Baokun Li \u003clibaokun1@huawei.com\u003e\nLink: https://lore.kernel.org/r/20240628062930.2467993-3-libaokun@huaweicloud.com\nSigned-off-by: Christian Brauner \u003cbrauner@kernel.org\u003e\nSigned-off-by: Baokun Li \u003clibaokun1@huawei.com\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Arnav Kansal \u003crnv@google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/79222\nReviewed-by: Oleksandr Tymoshenko \u003covt@google.com\u003e\nReviewed-by: Kevin Berry \u003ckpberry@google.com\u003e\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "f449f7340aad0811ae2cea3134731e1a2111f5ff",
      "old_mode": 33188,
      "old_path": "fs/cachefiles/cache.c",
      "new_id": "56ef519a36a09d4697e92db9e6a057613c110939",
      "new_mode": 33188,
      "new_path": "fs/cachefiles/cache.c"
    },
    {
      "type": "modify",
      "old_id": "a6190aa1b4060fa6c9be11732280133f31c09035",
      "old_mode": 33188,
      "old_path": "include/trace/events/fscache.h",
      "new_id": "f1a73aa83fbbfbf454e13256156abee735ed213f",
      "new_mode": 33188,
      "new_path": "include/trace/events/fscache.h"
    }
  ]
}