Message-ID: <43e95b184b836a9e94a6f7dd09bd9c124c89ebef.camel@perches.com>
Subject: Re: [PATCH] hfs: do not free node before using
From: Joe Perches
To: Pan Bian, Ernesto A. Fernández, Andrew Morton
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org
Date: Fri, 23 Nov 2018 04:59:53 -0800
In-Reply-To: <1542963889-128825-1-git-send-email-bianpan2016@163.com>
References: <1542963889-128825-1-git-send-email-bianpan2016@163.com>

On Fri, 2018-11-23 at 17:04 +0800, Pan Bian wrote:
> The function hfs_bmap_free frees node via hfs_bnode_put(node). However,
> it then reads node->this when dumping error message on an error path,
> which may result in a use-after-free bug. This patch frees node only
> when it is never used.
>
> Fixes: d614267329f("hfs/hfsplus: convert printks to pr_")

Hi.

While this may indeed be a defect, and the "/* panic */"
comment may be unwarranted, this isn't really a fix of
a printk conversion.

This dereference goes back to 2004, the printk(KERN_CRIT
to pr_crit( conversion did not introduce it.

So this patch is only a possible use after free fix.

From a full history git tree:
(similar to https://archive.org/details/git-history-of-linux)

commit a1185ffa2fc491e23f3107a39f66ee703d102153
Author: Andrew Morton
Date:   Wed Feb 25 16:17:36 2004 -0800

    [PATCH] HFS rewrite
    From: Roman Zippel

    This is a complete rewrite of the HFS driver, it gets rid of all the
    special conversion options, which belong in user space. The driver uses
    now a btree support very similar to HFS+, so that both could be merged at
    some point.

    Thanks to Ethan Benson for a number of patches to make the driver more
    compliant with the spec and Christoph Hellwig for fixing up the
    documentation.

> diff --git a/fs/hfs/btree.c b/fs/hfs/btree.c [] > @@ -338,13 +338,14 @@ void hfs_bmap_free(struct hfs_bnode *node) > > nidx -= len * 8; > i = node->next; > - hfs_bnode_put(node); > if (!i) { > /* panic */; > pr_crit("unable to free bnode %u. bmap not found!\n", > node->this); > + hfs_bnode_put(node); > return; > } > + hfs_bnode_put(node); > node = hfs_bnode_find(tree, i); > if (IS_ERR(node)) > return;
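
Review bot: hfs_bnode_put(node) is now duplicated, once inside the `if (!i)` error branch and once on the fall-through path before hfs_bnode_find(). Since `i = node->next` is already copied out of the node ahead of the put, node->this could be copied to a local at the same point, leaving a single hfs_bnode_put(node) where it was and having pr_crit() print the local. That keeps one release point in the loop and makes it harder for a later edit to reintroduce a read of node after the put.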