Date: Mon, 26 Nov 2018 10:31:39 +0100
From: Carlos Maiolino
To: Pan Bian
Cc: "Darrick J. Wong", linux-xfs@vger.kernel.org, Brian Foster, Dave Chinner, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] xfs: libxfs: move xfs_perag_put late
Message-ID: <20181126093139.cgojlmtubzuzdb23@hades.usersys.redhat.com>
In-Reply-To: <1543052660-58625-1-git-send-email-bianpan2016@163.com>

On Sat, Nov 24, 2018 at 05:44:20PM +0800, Pan Bian wrote:
> The function xfs_alloc_get_freelist calls xfs_perag_put to drop the
> reference. In this case, pag may be released. However,
> pag->pagf_btreeblks is read and written after the put operation. This may
> result in a use-after-free bug. This patch moves the put operation late.
>

The patch looks reasonable, can you detail more how did you find it? Via
code inspection or did you hit this use-after-free in some way?

Cheers

> Signed-off-by: Pan Bian
> --- > fs/xfs/libxfs/xfs_alloc.c | 2 +- > 1 file changed, 1 insertion(+), 1 deletion(-) > > diff --git a/fs/xfs/libxfs/xfs_alloc.c b/fs/xfs/libxfs/xfs_alloc.c > index e1c0c0d..4be387d 100644 > --- a/fs/xfs/libxfs/xfs_alloc.c > +++ b/fs/xfs/libxfs/xfs_alloc.c
> @@ -2435,7 +2435,6 @@ xfs_alloc_get_freelist( > be32_add_cpu(&agf->agf_flcount, -1); > xfs_trans_agflist_delta(tp, -1); > pag->pagf_flcount--; > - xfs_perag_put(pag); > > logflags = XFS_AGF_FLFIRST | XFS_AGF_FLCOUNT; > if (btreeblk) { > @@ -2443,6 +2442,7 @@ xfs_alloc_get_freelist( > pag->pagf_btreeblks++; > logflags |= XFS_AGF_BTREEBLKS; > } > + xfs_perag_put(pag); > > xfs_alloc_log_agf(tp, agbp, logflags); > *bnop = bno; > -- > 2.7.4 > > -- Carlos
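
Review bot: the changelog should name the access that follows the old put, `pag->pagf_btreeblks++` under `if (btreeblk)` in the second hunk, and say whether the use-after-free was observed or found by code inspection, since reviewers cannot judge the impact from "may be released" alone. On the code itself, the new `xfs_perag_put(pag);` sits after the last visible use of `pag` and before `xfs_alloc_log_agf(tp, agbp, logflags);`, which does not take `pag`, so the ordering is right for the lines shown. One line of the `if (btreeblk)` body falls between the two hunks and is not visible here; confirm it has no early exit that would now skip the put and leak the reference.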