From: Sahitya Tummala
To: Jaegeuk Kim, Chao Yu, linux-f2fs-devel@lists.sourceforge.net
Cc: linux-kernel@vger.kernel.org, Sahitya Tummala
Subject: [PATCH] f2fs: fix use-after-free issue with sbi->stat_info
Date: Mon, 24 Dec 2018 18:36:52 +0530
Message-Id: <1545656812-14695-1-git-send-email-stummala@codeaurora.org>

iput() on sbi->node_inode can update sbi->stat_info in the below
context, if the f2fs_write_checkpoint() has failed with error.

f2fs_balance_fs_bg+0x1ac/0x1ec
f2fs_write_node_pages+0x4c/0x260
do_writepages+0x80/0xbc
__writeback_single_inode+0xdc/0x4ac
writeback_single_inode+0x9c/0x144
write_inode_now+0xc4/0xec
iput+0x194/0x22c
f2fs_put_super+0x11c/0x1e8
generic_shutdown_super+0x70/0xf4
kill_block_super+0x2c/0x5c
kill_f2fs_super+0x44/0x50
deactivate_locked_super+0x60/0x8c
deactivate_super+0x68/0x74
cleanup_mnt+0x40/0x78

Fix this by moving f2fs_destroy_stats() further below iput().

Signed-off-by: Sahitya Tummala
---
 fs/f2fs/super.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index e184ad4e..df41a3a 100644 --- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c @@ -1058,9 +1058,6 @@ static void f2fs_put_super(struct super_block *sb) f2fs_write_checkpoint(sbi, &cpc); } - /* f2fs_write_checkpoint can update stat informaion */ - f2fs_destroy_stats(sbi); - /* * normally superblock is clean, so we need to release this. * In addition, EIO will skip do checkpoint, we need this as well. @@ -1080,6 +1077,12 @@ static void f2fs_put_super(struct super_block *sb) iput(sbi->node_inode); iput(sbi->meta_inode); + /* + * iput() can update stat information, if f2fs_write_checkpoint() + * above failed with error. + */ + f2fs_destroy_stats(sbi); + /* destroy f2fs internal modules */ f2fs_destroy_node_manager(sbi); f2fs_destroy_segment_manager(sbi); -- Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
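Review bot: in the second hunk, f2fs_destroy_stats(sbi) now runs after iput(sbi->node_inode) and iput(sbi->meta_inode), so sbi->stat_info stays live while both inodes have already been released; please confirm that nothing reading the stats during that window reaches through node_inode or meta_inode, and state that in the new comment. The comment could also name the path from the commit message (iput() -> write_inode_now() -> f2fs_write_node_pages() -> f2fs_balance_fs_bg()) so the ordering constraint survives later cleanups, since the removed comment only mentioned f2fs_write_checkpoint(). As the subject describes a use-after-free, a Fixes: tag identifying the commit that introduced the earlier f2fs_destroy_stats() placement would help backporting; the message carries none.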