Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp5213606imu; Sun, 25 Nov 2018 19:09:46 -0800 (PST) X-Google-Smtp-Source: AFSGD/V/H0fCVpGPO8j2P/ATnUID3A9MZN/IDek3x653Ma91yf9aRcbUKrNt/Y7waLbpeEmvolMO X-Received: by 2002:a17:902:4025:: with SMTP id b34mr25933348pld.181.1543201786344; Sun, 25 Nov 2018 19:09:46 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1543201786; cv=none; d=google.com; s=arc-20160816; b=WCMBTW3zoH9fUTLF6c1QunFkgjST7WVPRjlpQ6HUh6OqwZIULjfBV2RzRnKzHdeWE5 YgqiLYsFV+eocpB3JRD4jBpY8xN2tBqno22nP8iq6EzZ0rkiessu5hgabYo/bUhL5TPm D4Y0SEwFssA18sT8UkCStGYb57Xy4+MzujoBwC3W0GdnYtNz73jrscyQuruMBC/WbrI+ IGh8dIR9WrHgmWdf5yLN+nexK0TEkKcsY/TKQW4pqjZ9bnwlCWPvDEOcEyl7/EyUa9hu 1hy5siFKEi5t/tg3Hz1FQUuCuwPCZcuGeqVuvY3XIUfYSiRl6l0SHP5tcf0AP5Iknh8h RD9Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=sZHw3HwZvqhwcBwOFjMO9QS8Qu4C+xqi4pUgXqgre/Q=; b=VwV6jfikLBvGHK0OTrP1FbGsEQ4o3aVIJsJs1TDD76MdkChrNrPcj4CsE81aA8JYhk 14NtKjIQ49apfc4SPiAwr7Vu7PBqPS3401OzEj8u5MOkGUwQWkY9K1tdQzX3xrzlAMVS +yw001aJr0zLToC+x+F1rQ4QL5IDp8IIyrWWbmoCedkwFiFPwBqi1dcU5+31qc7W74I+ xocOFijG3GTAFZyH+rRS6ckwKIdltmn1PIdFiCHjitOVZkd6OInlb14OcNl0B9k11EsJ iGoLPL9t5XHemtWJFePC1it3tfunJmQ6IWovN7843GFjPpv9sMlOtfj4cwlarMJM5J1G 8hZA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=bgoZpqFN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t6si63102965pgn.258.2018.11.25.19.09.31; Sun, 25 Nov 2018 19:09:46 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@163.com header.s=s110527 header.b=bgoZpqFN; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726274AbeKZOBT (ORCPT + 99 others); Mon, 26 Nov 2018 09:01:19 -0500 Received: from m12-12.163.com ([220.181.12.12]:37470 "EHLO m12-12.163.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726079AbeKZOBT (ORCPT ); Mon, 26 Nov 2018 09:01:19 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=163.com; s=s110527; h=From:Subject:Date:Message-Id; bh=sZHw3HwZvqhwcBwOFj MO9QS8Qu4C+xqi4pUgXqgre/Q=; b=bgoZpqFNaiXTDqx/DhRlXR4zLrLYQYeMSA ri9Egs+UGoOIcPk0BIOOFcbgyEYtVaVvs19gvfAnEtqXKg8hiblp8DyUSnoBkV61 Rhs0+RqJb5gMMP3JGvmVcjeriVqr1Cxzjx8Af+MgeRJfermvClgMh2wQEsW06UrC kl9E4H9vg= Received: from bp.localdomain (unknown [106.120.213.96]) by smtp8 (Coremail) with SMTP id DMCowACHx0OuY_tbmdfiBw--.64245S3; Mon, 26 Nov 2018 11:08:33 +0800 (CST) From: Pan Bian To: Ryusuke Konishi Cc: linux-nilfs@vger.kernel.org, linux-kernel@vger.kernel.org, Pan Bian Subject: [PATCH] nilfs2: fix potential use after free Date: Mon, 26 Nov 2018 11:08:29 +0800 Message-Id: <1543201709-53191-1-git-send-email-bianpan2016@163.com> X-Mailer: git-send-email 2.7.4 X-CM-TRANSID: DMCowACHx0OuY_tbmdfiBw--.64245S3 X-Coremail-Antispam: 1Uf129KBjvdXoW7JrWDCrW7XF1kury8Jw4xZwb_yoWktwc_WF ykta48K3yqgws3Ja1DJry3trWDZ3ZrKwn5ur1xtFW7GFWqyF4DZF1kXanavFWUXayxu3s8 WFnrC3Z3tryjgjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT 9fnUUvcSsGvfC2KfnxnUUI43ZEXa7IU0ByxtUUUUU== X-Originating-IP: [106.120.213.96] X-CM-SenderInfo: held01tdqsiiqw6rljoofrz/xtbBURILclaD0T68gAAAs8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate fails. If the reference count hits 0, bh may be freed. However, bh->b_page is unlocked and put after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page. Signed-off-by: Pan Bian --- fs/nilfs2/gcinode.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c index aa3c328..a24bb29 100644 --- a/fs/nilfs2/gcinode.c +++ b/fs/nilfs2/gcinode.c @@ -73,10 +73,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, struct the_nilfs *nilfs = inode->i_sb->s_fs_info; err = nilfs_dat_translate(nilfs->ns_dat, vbn, &pbn); - if (unlikely(err)) { /* -EIO, -ENOMEM, -ENOENT */ - brelse(bh); + if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ goto failed; - } } lock_buffer(bh); @@ -102,6 +100,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, failed: unlock_page(bh->b_page); put_page(bh->b_page); + if (unlikely(err)) + brelse(bh); return err; } -- 2.7.4