Date: Mon, 3 Dec 2018 17:14:55 +0800
From: PanBian
To: Ryusuke Konishi
Cc: linux-nilfs@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] nilfs2: fix potential use after free
Message-ID: <20181203091455.GA9038@bp>
References: <1543201709-53191-1-git-send-email-bianpan2016@163.com> <20181203.181051.1348099310050315226.konishi.ryusuke@lab.ntt.co.jp>
In-Reply-To: <20181203.181051.1348099310050315226.konishi.ryusuke@lab.ntt.co.jp>

On Mon, Dec 03, 2018 at 06:10:51PM +0900, Ryusuke Konishi wrote:
> Hi, Pan Bian
>
> Thank you for feeding back this patch.
> I reviewed this and am thinking this must be sent to upstream.
>
> Did you see any kernel oops on this bug?

Not yet. In fact, I found it with a static method.

Best regards,
Pan Bian

>
> Regards,
> Ryusuke Konishi
>
> On Mon, 26 Nov 2018 11:08:29 +0800, Pan Bian wrote:
> > brelse(bh) is called to drop the reference count of bh when the call
> > to nilfs_dat_translate fails. If the reference count hits 0, bh may be
> > freed. However, bh->b_page is unlocked and put after that, which may
> > result in a use-after-free bug. This patch moves the release operation
> > after unlocking and putting the page.
> >
> > Signed-off-by: Pan Bian
> > ---
> > fs/nilfs2/gcinode.c | 6 +++---
> > 1 file changed, 3 insertions(+), 3 deletions(-)
> > > > diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c > > index aa3c328..a24bb29 100644 > > --- a/fs/nilfs2/gcinode.c > > +++ b/fs/nilfs2/gcinode.c > > @@ -73,10 +73,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, > > struct the_nilfs *nilfs = inode->i_sb->s_fs_info; > > > > err = nilfs_dat_translate(nilfs->ns_dat, vbn, &pbn); > > - if (unlikely(err)) { /* -EIO, -ENOMEM, -ENOENT */ > > - brelse(bh); > > + if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ > > goto failed; > > - } > > } > > > > lock_buffer(bh); > > @@ -102,6 +100,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, > > failed: > > unlock_page(bh->b_page); > > put_page(bh->b_page); > > + if (unlikely(err)) > > + brelse(bh); > > return err; > > } > > > > -- > > 2.7.4 > > > >
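Review bot: in the first hunk, with the braces and the early `brelse(bh)` gone, the error path now deliberately falls through to `failed:` still holding the reference taken on `bh`, so the release at the label is the only thing standing between this path and a leaked buffer; a one-line comment next to `goto failed;` (for example `/* bh is released at failed: once its page is unlocked */`) would record that intent so a later cleanup does not "restore" the release here and reintroduce the ordering bug the commit message describes.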
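Review bot: in the second hunk, the correctness of the added `if (unlikely(err)) brelse(bh);` at `failed:` rests on an invariant the hunk does not show: every non-error path that reaches this label must arrive with `err == 0`, otherwise a buffer the caller still expects to receive would be released. Since `return err;` indicates the label is shared with the success path, the commit message should state that invariant explicitly, or the patch should use a separate error-only label for the release; either way the new ordering (unlock_page and put_page on `bh->b_page` before brelse) is the right one and matches the description.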