From: Pan Bian
To: Mark Fasheh, Joel Becker
Cc: ocfs2-devel@oss.oracle.com, linux-kernel@vger.kernel.org, Tao Ma, Pan Bian
Subject: [PATCH] ocfs2: fix potential use after free
Date: Sun, 25 Nov 2018 09:27:17 +0800
Message-Id: <1543109237-110227-1-git-send-email-bianpan2016@163.com>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

The function ocfs2_get_dentry calls iput(inode) to drop the reference count of inode, and if the reference count hits 0, inode is freed. However, in this function, it then reads inode->i_generation, which may result in a use after free bug. This patch moves the put operation later.

Fixes: 781f200cb7a("ocfs2: Remove masklog ML_EXPORT.")
Signed-off-by: Pan Bian

--- fs/ocfs2/export.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/ocfs2/export.c b/fs/ocfs2/export.c index 9f88188..4bf8d58 100644 --- a/fs/ocfs2/export.c +++ b/fs/ocfs2/export.c @@ -125,10 +125,10 @@ static struct dentry *ocfs2_get_dentry(struct super_block *sb, check_gen: if (handle->ih_generation != inode->i_generation) { - iput(inode); trace_ocfs2_get_dentry_generation((unsigned long long)blkno, handle->ih_generation, inode->i_generation); + iput(inode); result = ERR_PTR(-ESTALE); goto bail; } -- 2.7.4
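
Review bot: In the check_gen block, the moved iput(inode) is now the last use of inode on the -ESTALE path, which is the right order, but nothing in the code records that the ordering matters, so a later edit could reintroduce the read after the put. Consider a one-line comment above iput(inode) stating that trace_ocfs2_get_dentry_generation() reads inode->i_generation and must run first, or read inode->i_generation into a local before the put and pass the local to the trace call. Separately, the Fixes: tag in the commit message carries an 11-character hash with no space before the opening parenthesis; kernel convention is at least 12 characters of the SHA-1 followed by a space, so the tag should be regenerated from the tree.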