From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Filipe Manana, David Sterba
Subject: [PATCH 4.14 218/222] Btrfs: fix use-after-free during inode eviction
Date: Sun, 11 Nov 2018 14:25:15 -0800
Message-Id: <20181111221705.807946462@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20181111221647.665769131@linuxfoundation.org>
References: <20181111221647.665769131@linuxfoundation.org>
User-Agent: quilt/0.65
X-stable: review
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana

commit 421f0922a2cfb0c75acd9746454aaa576c711a65 upstream.

At inode.c:evict_inode_truncate_pages(), when we iterate over the inode's extent states, we access an extent state record's "state" field after we unlocked the inode's io tree lock. This can lead to a use-after-free issue because after we unlock the io tree that extent state record might have been freed due to being merged into another adjacent extent state record (a previous inflight bio for a read operation finished in the meantime, which unlocked a range in the io tree and caused a merge of extent state records, as explained in the comment before the while loop added in commit 6ca0709756710 ("Btrfs: fix hang during inode eviction due to concurrent readahead")).

Fix this by keeping a copy of the extent state's flags in a local variable and using it after unlocking the io tree.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201189
Fixes: b9d0b38928e2 ("btrfs: Add handler for invalidate page")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo
Signed-off-by: Filipe Manana
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -5335,11 +5335,13 @@ static void evict_inode_truncate_pages(s struct extent_state *cached_state = NULL; u64 start; u64 end; + unsigned state_flags; node = rb_first(&io_tree->state); state = rb_entry(node, struct extent_state, rb_node); start = state->start; end = state->end; + state_flags = state->state; spin_unlock(&io_tree->lock); lock_extent_bits(io_tree, start, end, &cached_state); @@ -5352,7 +5354,7 @@ static void evict_inode_truncate_pages(s * * Note, end is the bytenr of last byte, so we need + 1 here. */ - if (state->state & EXTENT_DELALLOC) + if (state_flags & EXTENT_DELALLOC) btrfs_qgroup_free_data(inode, NULL, start, end - start + 1); clear_extent_bit(io_tree, start, end,
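Review bot: in the first hunk (@@ -5335), the new declaration `unsigned state_flags;` uses bare `unsigned`, which checkpatch flags with "Prefer 'unsigned int' to bare use of 'unsigned'"; `unsigned int state_flags;` would match the coding-style guidance. The snapshot itself, `state_flags = state->state;`, is placed correctly alongside the existing `start = state->start;` and `end = state->end;` copies and ahead of `spin_unlock(&io_tree->lock);`, so all three values are taken while the tree lock still protects the record. A one-line comment at that point saying that `state` must not be dereferenced once the lock is dropped, because a concurrent merge may free it, would help whoever next touches this loop: the pointer stays in scope for the rest of the iteration, and nothing else prevents a future `state->` access from reintroducing exactly this bug.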
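Review bot: in the second hunk (@@ -5352), `if (state_flags & EXTENT_DELALLOC)` replaces the only post-unlock read of `state->state` visible in the patch, and the following `btrfs_qgroup_free_data(inode, NULL, start, end - start + 1);` already works from the copied `start`/`end`, so the loop body is now consistent in using only the snapshotted values after the unlock. One point worth a comment at the check: `state_flags` is captured before `lock_extent_bits(io_tree, start, end, &cached_state)` takes the range, so the EXTENT_DELALLOC test reflects the flags as they were at snapshot time, not at the moment `clear_extent_bit()` runs. The commit message does not say why that window is harmless (the function runs during inode eviction, per its name and the subject line), and stating it in a short comment would save reviewers of a later backport from re-deriving it.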
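The pattern the commit message describes, as an added example that is not btrfs code and is not part of the original mail: a simplified model of the io tree in which extent-state records sit in a two-element array behind a single lock, a "read completion" merges the second record into the first and frees it, and the freed record is poisoned rather than handed back to the allocator so the stale read shows up as a wrong value instead of undefined behaviour. `struct xstate`, `struct xtree`, `X_DELALLOC`, `X_POISON`, `merge_and_free` and the `flags_after_unlock_*` functions are all hypothetical names standing in for `struct extent_state`, the io tree, `EXTENT_DELALLOC`, the rbtree merge and the loop body of `evict_inode_truncate_pages()`; the lock is a plain flag with assertions so the example needs no threads.

```c
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Hypothetical flag bit standing in for EXTENT_DELALLOC. */
#define X_DELALLOC 0x1u
/* Arbitrary value our fake free() writes into a record; bit 0 is clear, so a
 * stale read flips the delalloc decision and is easy to spot. */
#define X_POISON   0x5a5a5a5au

/* Simplified stand-in for struct extent_state: one record per byte range. */
struct xstate {
    uint64_t start;
    uint64_t end;
    unsigned int state;     /* flag bits */
};

/* Simplified io tree: two records in an array instead of an rbtree, guarded
 * by one lock. The lock is a flag; assertions enforce the lock discipline. */
struct xtree {
    bool locked;
    struct xstate rec[2];
};

static void tree_lock(struct xtree *t)   { assert(!t->locked); t->locked = true; }
static void tree_unlock(struct xtree *t) { assert(t->locked);  t->locked = false; }

/* Stand-in for a read bio completing: its range unlock lets the tree merge
 * rec[1] into rec[0], after which rec[1] is "freed" (here: poisoned). */
static void merge_and_free(struct xtree *t)
{
    tree_lock(t);
    t->rec[0].end = t->rec[1].end;
    t->rec[1].state = X_POISON;
    tree_unlock(t);
}

/* Buggy shape of the loop body before the fix: start/end are copied under the
 * lock, but state->state is read after the lock is dropped. 'racer' models the
 * concurrent completion that runs in that window. */
static unsigned int flags_after_unlock_buggy(struct xtree *t, size_t idx,
                                             void (*racer)(struct xtree *))
{
    tree_lock(t);
    struct xstate *state = &t->rec[idx];
    uint64_t start = state->start;
    uint64_t end = state->end;
    tree_unlock(t);

    racer(t);                   /* record may be merged and freed here */
    (void)start; (void)end;     /* would be passed to the range lock */
    return state->state;        /* stale read of the freed record */
}

/* Fixed shape, mirroring the patch: snapshot the flags while the lock is
 * still held and never touch 'state' again after the unlock. */
static unsigned int flags_after_unlock_fixed(struct xtree *t, size_t idx,
                                             void (*racer)(struct xtree *))
{
    tree_lock(t);
    struct xstate *state = &t->rec[idx];
    uint64_t start = state->start;
    uint64_t end = state->end;
    unsigned int state_flags = state->state;
    tree_unlock(t);

    racer(t);
    (void)start; (void)end;
    return state_flags;
}

/* Constructed sample tree: two adjacent delalloc ranges. */
static void init_tree(struct xtree *t)
{
    t->locked = false;
    t->rec[0] = (struct xstate){ .start = 0,    .end = 4095, .state = X_DELALLOC };
    t->rec[1] = (struct xstate){ .start = 4096, .end = 8191, .state = X_DELALLOC };
}

/* Each demo runs one pattern against a fresh tree and returns the flags the
 * caller would test with "& X_DELALLOC" before freeing qgroup reservations. */
unsigned int demo_buggy(void)
{
    struct xtree t;
    init_tree(&t);
    return flags_after_unlock_buggy(&t, 1, merge_and_free);
}

unsigned int demo_fixed(void)
{
    struct xtree t;
    init_tree(&t);
    return flags_after_unlock_fixed(&t, 1, merge_and_free);
}

int main(void)
{
    unsigned int b = demo_buggy(), f = demo_fixed();
    printf("buggy: 0x%08x, delalloc %s\n", b, (b & X_DELALLOC) ? "set" : "clear");
    printf("fixed: 0x%08x, delalloc %s\n", f, (f & X_DELALLOC) ? "set" : "clear");
    return 0;
}
```

The racer is called synchronously between the unlock and the use so the race is deterministic; in the kernel the same window is opened by the bio completion running on another CPU, and the real freed memory would be returned to the slab rather than poisoned in place, which is what makes the original bug intermittent and hard to reproduce.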