From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Qu Wenruo, Filipe Manana, David Sterba
Subject: [PATCH 4.19 355/361] Btrfs: fix use-after-free during inode eviction
Date: Sun, 11 Nov 2018 14:21:42 -0800
Message-Id: <20181111221701.865262704@linuxfoundation.org>
In-Reply-To: <20181111221619.915519183@linuxfoundation.org>
References: <20181111221619.915519183@linuxfoundation.org>
X-Mailer: git-send-email 2.19.1
User-Agent: quilt/0.65
X-stable: review
List-ID: linux-kernel@vger.kernel.org

4.19-stable review patch. If anyone has any objections, please let me know.

------------------

From: Filipe Manana

commit 421f0922a2cfb0c75acd9746454aaa576c711a65 upstream.

At inode.c:evict_inode_truncate_pages(), when we iterate over the inode's extent states, we access an extent state record's "state" field after we unlocked the inode's io tree lock. This can lead to a use-after-free issue because after we unlock the io tree that extent state record might have been freed due to being merged into another adjacent extent state record (a previous inflight bio for a read operation finished in the meanwhile which unlocked a range in the io tree and caused a merge of extent state records, as explained in the comment before the while loop added in commit 6ca0709756710 ("Btrfs: fix hang during inode eviction due to concurrent readahead")).

Fix this by keeping a copy of the extent state's flags in a local variable and using it after unlocking the io tree.

Bugzilla: https://bugzilla.kernel.org/show_bug.cgi?id=201189
Fixes: b9d0b38928e2 ("btrfs: Add handler for invalidate page")
CC: stable@vger.kernel.org # 4.4+
Reviewed-by: Qu Wenruo
Signed-off-by: Filipe Manana
Reviewed-by: David Sterba
Signed-off-by: David Sterba
Signed-off-by: Greg Kroah-Hartman --- fs/btrfs/inode.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/fs/btrfs/inode.c +++ b/fs/btrfs/inode.c @@ -5283,11 +5283,13 @@ static void evict_inode_truncate_pages(s struct extent_state *cached_state = NULL; u64 start; u64 end; + unsigned state_flags; node = rb_first(&io_tree->state); state = rb_entry(node, struct extent_state, rb_node); start = state->start; end = state->end; + state_flags = state->state; spin_unlock(&io_tree->lock); lock_extent_bits(io_tree, start, end, &cached_state); @@ -5300,7 +5302,7 @@ static void evict_inode_truncate_pages(s * * Note, end is the bytenr of last byte, so we need + 1 here. */ - if (state->state & EXTENT_DELALLOC) + if (state_flags & EXTENT_DELALLOC) btrfs_qgroup_free_data(inode, NULL, start, end - start + 1); clear_extent_bit(io_tree, start, end,
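Review bot: in the first hunk, `state_flags = state->state;` is copied under io_tree->lock next to `start` and `end`, but nothing in the code records why the copies exist, so the read of `state->state` that this patch removes can easily be reintroduced by a later edit. Add a comment at `spin_unlock(&io_tree->lock);` saying that `state` may be freed by a merge as soon as the lock is dropped and must not be dereferenced after this point; if nothing later in the loop body needs the pointer, a `state = NULL;` right after the three copies turns that rule into something the compiler and KASAN will catch rather than a convention.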
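Review bot: in the second hunk, `if (state_flags & EXTENT_DELALLOC)` decides whether to call `btrfs_qgroup_free_data()` from a snapshot taken before `spin_unlock(&io_tree->lock)` and before `lock_extent_bits()`, so the qgroup decision is made from bits that may be stale by the time the range is actually locked. The commit message argues only that the record can be freed in that window, not that its bits cannot change; the comment above the test should state why EXTENT_DELALLOC cannot be cleared concurrently for an inode that is being evicted, or the bit should be re-checked under the extent lock (for example with test_range_bit() on [start, end]) before the reservation is freed.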
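The race the commit message describes, as an added example that is not part of this patch or of the btrfs sources: a single-threaded model in which an "io tree" is a sorted list of extent_state records, a read completion clears EXTENT_LOCKED on the second record and merges it with the first (freeing the first, which is the record eviction holds), and the evicting code either reads the freed record's flags after dropping the lock (pre-fix shape) or uses a snapshot taken under the lock (post-fix shape). The kernel names io_tree, extent_state, EXTENT_DELALLOC and EXTENT_LOCKED are borrowed for readability only; the bit values, the lock, the pool allocator and the merge direction are assumptions of the model, and "freeing" poisons the record so the dangling read is observable instead of undefined behaviour.

```c
/* Added example, not from the patch or the btrfs tree: a model of reading an
 * extent state's flags after dropping the io tree lock. Kernel names are
 * borrowed; structures, bit values and merge logic are simplified stand-ins. */
#include <stdint.h>
#include <string.h>

#define EXTENT_LOCKED   (1u << 3)   /* arbitrary bit values for the model */
#define EXTENT_DELALLOC (1u << 6)
#define POISON          0xdeadbeefu /* written into a record on "free" */

struct extent_state {
    uint64_t start, end;
    unsigned state;
    struct extent_state *next;
};

struct io_tree {
    int locked;                 /* stands in for io_tree->lock */
    struct extent_state *head;  /* sorted by start, like rb_first() order */
};

/* Records come from a fixed pool so a freed one stays addressable; "freeing"
 * poisons it, making a dangling read observable rather than undefined. */
static struct extent_state pool[8];
static int pool_used;

static void tree_lock(struct io_tree *t)   { t->locked = 1; }
static void tree_unlock(struct io_tree *t) { t->locked = 0; }

static void free_extent_state(struct extent_state *s)
{
    s->state = POISON;
    s->next = NULL;
}

static void insert_state(struct io_tree *t, uint64_t start, uint64_t end,
                         unsigned flags)
{
    struct extent_state *s = &pool[pool_used++];
    struct extent_state **pp = &t->head;
    s->start = start; s->end = end; s->state = flags;
    while (*pp && (*pp)->start < start)
        pp = &(*pp)->next;
    s->next = *pp;
    *pp = s;
}

/* Merge as the model assumes btrfs does when a range's bits change: a record
 * whose flags now equal its predecessor's absorbs the predecessor, and the
 * predecessor (the first record, which eviction holds) is freed. */
static void merge_adjacent(struct io_tree *t)
{
    struct extent_state **pp = &t->head;
    while (*pp && (*pp)->next) {
        struct extent_state *s = *pp, *n = s->next;
        if (s->end + 1 == n->start && s->state == n->state) {
            n->start = s->start;
            *pp = n;
            free_extent_state(s);
            continue;
        }
        pp = &s->next;
    }
}

/* The concurrent read completion: unlocking the second range makes its flags
 * identical to the first range's, so the two records merge. */
static void read_completion(struct io_tree *t)
{
    tree_lock(t);
    if (t->head && t->head->next)
        t->head->next->state &= ~EXTENT_LOCKED;
    merge_adjacent(t);
    tree_unlock(t);
}

/* Constructed input: [0,4095] delalloc, [4096,8191] delalloc with a read in flight. */
static void build_tree(struct io_tree *t)
{
    memset(pool, 0, sizeof pool);
    pool_used = 0;
    t->locked = 0;
    t->head = NULL;
    insert_state(t, 0, 4095, EXTENT_DELALLOC);
    insert_state(t, 4096, 8191, EXTENT_DELALLOC | EXTENT_LOCKED);
}

/* Pre-fix shape: state->state is read after the lock is dropped. */
unsigned evict_flags_unsafe(void)
{
    struct io_tree t;
    struct extent_state *state;
    build_tree(&t);
    tree_lock(&t);
    state = t.head;
    tree_unlock(&t);
    read_completion(&t);        /* runs while the lock is dropped */
    return state->state;        /* dangling read: yields POISON */
}

/* Post-fix shape: the flags are snapshotted while the lock is held. */
unsigned evict_flags_safe(void)
{
    struct io_tree t;
    struct extent_state *state;
    unsigned state_flags;
    build_tree(&t);
    tree_lock(&t);
    state = t.head;
    state_flags = state->state; /* the copy the patch adds */
    tree_unlock(&t);
    read_completion(&t);
    (void)state;                /* pointer is never dereferenced again */
    return state_flags;         /* EXTENT_DELALLOC, the value eviction wanted */
}
```

The unsafe variant returns whatever the poisoned record holds, which in the kernel would be freed memory and therefore arbitrary; the safe variant returns the flags the record had at the moment it was inspected under the lock, which is the only value the code can legitimately reason about.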