Date: Mon, 03 Dec 2018 18:10:51 +0900 (JST)
Message-Id: <20181203.181051.1348099310050315226.konishi.ryusuke@lab.ntt.co.jp>
To: Pan Bian
Cc: linux-nilfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nilfs2: fix potential use after free
From: Ryusuke Konishi
In-Reply-To: <1543201709-53191-1-git-send-email-bianpan2016@163.com>
References: <1543201709-53191-1-git-send-email-bianpan2016@163.com>

Hi, Pan Bian

Thank you for feeding back this patch.

I reviewed this and am thinking this must be sent to upstream.

Did you see any kernel oops on this bug?

Regards,
Ryusuke Konishi

On Mon, 26 Nov 2018 11:08:29 +0800, Pan Bian wrote:
> brelse(bh) is called to drop the reference count of bh when the call
> to nilfs_dat_translate fails. If the reference count hits 0, bh may be
> freed. However, bh->b_page is unlocked and put after that, which may
> result in a use-after-free bug. This patch moves the release operation
> after unlocking and putting the page.
>
> Signed-off-by: Pan Bian
> --- > fs/nilfs2/gcinode.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c > index aa3c328..a24bb29 100644 > --- a/fs/nilfs2/gcinode.c > +++ b/fs/nilfs2/gcinode.c > @@ -73,10 +73,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, > struct the_nilfs *nilfs = inode->i_sb->s_fs_info; > > err = nilfs_dat_translate(nilfs->ns_dat, vbn, &pbn); > - if (unlikely(err)) { /* -EIO, -ENOMEM, -ENOENT */ > - brelse(bh); > + if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ > goto failed; > - } > } > > lock_buffer(bh); > @@ -102,6 +100,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, > failed: > unlock_page(bh->b_page); > put_page(bh->b_page); > + if (unlikely(err)) > + brelse(bh); > return err; > } > > -- > 2.7.4 > >
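Review bot: In the first hunk (`@@ -73,10 +73,8 @@`), dropping `brelse(bh)` from the `nilfs_dat_translate()` error branch moves the responsibility for releasing `bh` to the `failed:` label roughly 30 lines further down, and the comment `/* -EIO, -ENOMEM, -ENOENT */` now sits between an unbraced `if` and its `goto failed;`. A short comment at the `goto` saying that `bh` is released at `failed:` would keep the ownership rule visible at the point where it changed, and since the release is now keyed on `err` alone, every other path that reaches `failed:` with a nonzero `err` must also hold a `bh` reference; that is worth confirming before this goes upstream.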
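Review bot: In the second hunk (`@@ -102,6 +100,8 @@`), the reorder is the right fix: `unlock_page(bh->b_page)` and `put_page(bh->b_page)` both read through `bh`, so `bh` has to stay alive until after them, and placing `brelse(bh)` after the two calls achieves that. The new `if (unlikely(err))` guard, though, implies that `failed:` is also reached with `err == 0`, where the reference must be kept for the caller; neither the hunk's context nor the commit message states this, so a sentence in the changelog (or a comment at the label) explaining why the release is conditional would help the next reader.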
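The ordering rule behind Pan Bian's description, as a small C model. This is an added example, not kernel code: the structs, `brelse()`, `unlock_and_put_page()` and both `error_path_*` functions are hypothetical stand-ins for the real `fs/buffer.c` and `gcinode.c` helpers. It goes one step beyond the commit message by showing why the bug is "potential": the old ordering is only harmful when the dropped reference was the last one, which is why such a defect can stay latent through normal testing.

```c
#include <stdio.h>

/*
 * Toy model of the buffer-head lifetime rule (added example, not kernel
 * code). A buffer head holds a pointer to its page; brelse() kills the
 * head when the last reference is dropped. Instead of free()-ing, a dead
 * head is poisoned so a later access is reported deterministically, the
 * role KASAN plays for real kernels.
 */
struct page {
    int locked;
    int refcount;
};

struct buffer_head {
    int refcount;
    struct page *b_page;
};

#define DEAD_PAGE ((struct page *)0x1)

static int bh_is_dead(const struct buffer_head *bh)
{
    return bh->b_page == DEAD_PAGE;
}

/* Drop one reference; the head dies when the count reaches zero. */
static void brelse(struct buffer_head *bh)
{
    if (--bh->refcount == 0)
        bh->b_page = DEAD_PAGE;
}

/* Models unlock_page(bh->b_page); put_page(bh->b_page); both read bh. */
static int unlock_and_put_page(struct buffer_head *bh)
{
    if (bh_is_dead(bh))
        return -1;      /* would be a use-after-free in the real code */
    bh->b_page->locked = 0;
    bh->b_page->refcount--;
    return 0;
}

/* Error path as it was before the patch: release bh, then touch bh->b_page. */
static int error_path_before(struct buffer_head *bh)
{
    brelse(bh);
    return unlock_and_put_page(bh);
}

/* Error path after the patch: finish with the page first, then release bh. */
static int error_path_after(struct buffer_head *bh)
{
    int ret = unlock_and_put_page(bh);
    brelse(bh);
    return ret;
}

/* A locked page and a head holding `refs` references to it (constructed). */
static void setup(struct page *pg, struct buffer_head *bh, int refs)
{
    pg->locked = 1;
    pg->refcount = 1;
    bh->refcount = refs;
    bh->b_page = pg;
}

/* Run one ordering with the given initial reference count. Returns 0 when
 * the page was unlocked and put without touching a dead head, -1 otherwise. */
static int run(int (*path)(struct buffer_head *), int refs)
{
    struct page pg;
    struct buffer_head bh;

    setup(&pg, &bh, refs);
    return path(&bh);
}

int main(void)
{
    printf("before the patch, last reference:  %d\n", run(error_path_before, 1)); /* -1 */
    printf("before the patch, extra reference: %d\n", run(error_path_before, 2)); /*  0 */
    printf("after the patch, last reference:   %d\n", run(error_path_after, 1));  /*  0 */
    return 0;
}
```

The second call is the interesting one for reviewers: with an extra reference outstanding the old ordering returns 0, so the defect only shows when the error path drops the final reference, which is exactly the situation a sanitizer build or a fault-injected `nilfs_dat_translate()` failure would expose.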