Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp4207304imu; Mon, 24 Dec 2018 19:08:03 -0800 (PST) X-Google-Smtp-Source: AFSGD/WFcpl7ayAUu8U+jY0LqzwFKaz+WUM1QnbU2ey19sFSi8O3S0ftP3Aa+ZXjbH/Pd4WWtkVH X-Received: by 2002:a62:5486:: with SMTP id i128mr14891363pfb.215.1545707283215; Mon, 24 Dec 2018 19:08:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1545707283; cv=none; d=google.com; s=arc-20160816; b=OkPUVB6HBl+38OTl+QtmhNrNQcuryF3sILM+jcMQ3WkkmTnWobT2++HPiylgKOVzHZ 1rxh4Bn5zCSlEgivsoemd3EYnwBUN4tUqZ8DjmdPaRgHqqGyyh+FFq70eyBa6G99B9OB 4XzFefFDzbWl+/qUGOKqh/3sQ5bguhT7tVHghEoZW0SW9AZ3rusGwqCgOSLF6TT8BZE0 L8jD6Dr0bT1SCOxNt/L2RFnLzuBIYZGrzhSLWBbjqx1VzrW0H4PRhW31NcsijjO2Z6Tq JdPjhEUDCDEX8+dPg7KcFKVC5CsLfJqK175RygGYnBVdEQM+HcwaSHFY7po8URO4I1Pm NShw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject; bh=E+cL4bUjaJAePd4VhBnNSKpP8Yd7IFBuzymQRXndSL8=; b=gFi+4B1v0GrV/ts9sATWWQPsNnmc+ZcNk/1AC0Bm0k7HuqkVt4bNn1AIxGPlRFhAVN 0CAq6j0yn908fpNWy5OPAju34ZPxW57/7TDZAPH5ifGluxqkX+fDMbJe84s0X1MXGHXq O75MqMZbDFR1/azhqLX2SlBMIii3jvoGgOmYCTHrvA63QR4ktxB88qPsq9XUjERYNOGs JFghyYWrb1YPMFq76F4dICrYlCnYwJReCpZhuzJSP5KO8dWePYIAk/oPAQ+8Xyvd/yM3 4NnFTOo3rhXgKATt1BztcArr71wEZE0faG3ylV2cgb6M4fxhKKYp+Lgm0cd0NvMUMF8O VABQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id i5si29670532pfo.189.2018.12.24.19.07.46; Mon, 24 Dec 2018 19:08:03 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1725849AbeLYDGx (ORCPT + 99 others); Mon, 24 Dec 2018 22:06:53 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:16659 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1725816AbeLYDGw (ORCPT ); Mon, 24 Dec 2018 22:06:52 -0500 Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 766518D1600D1; Tue, 25 Dec 2018 11:06:49 +0800 (CST) Received: from [127.0.0.1] (10.134.22.195) by DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id 14.3.408.0; Tue, 25 Dec 2018 11:06:45 +0800 Subject: Re: [PATCH] f2fs: fix use-after-free issue with sbi->stat_info To: Sahitya Tummala , Jaegeuk Kim , CC: References: <1545656812-14695-1-git-send-email-stummala@codeaurora.org> From: Chao Yu Message-ID: <0938f41e-53ed-6290-9b79-d221b1e64db6@huawei.com> Date: Tue, 25 Dec 2018 11:06:45 +0800 User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.9.1 MIME-Version: 1.0 In-Reply-To: <1545656812-14695-1-git-send-email-stummala@codeaurora.org> Content-Type: text/plain; charset="windows-1252" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.134.22.195] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2018/12/24 21:06, Sahitya Tummala wrote: > iput() on sbi->node_inode can update sbi->stat_info > in the below context, if the f2fs_write_checkpoint() > has failed with error. > > f2fs_balance_fs_bg+0x1ac/0x1ec > f2fs_write_node_pages+0x4c/0x260 > do_writepages+0x80/0xbc > __writeback_single_inode+0xdc/0x4ac > writeback_single_inode+0x9c/0x144 > write_inode_now+0xc4/0xec > iput+0x194/0x22c > f2fs_put_super+0x11c/0x1e8 > generic_shutdown_super+0x70/0xf4 > kill_block_super+0x2c/0x5c > kill_f2fs_super+0x44/0x50 > deactivate_locked_super+0x60/0x8c > deactivate_super+0x68/0x74 > cleanup_mnt+0x40/0x78 > > Fix this by moving f2fs_destroy_stats() further below iput(). > > Signed-off-by: Sahitya Tummala > --- > fs/f2fs/super.c | 9 ++++++--- > 1 file changed, 6 insertions(+), 3 deletions(-) > > diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > index e184ad4e..df41a3a 100644 > --- a/fs/f2fs/super.c > +++ b/fs/f2fs/super.c > @@ -1058,9 +1058,6 @@ static void f2fs_put_super(struct super_block *sb) > f2fs_write_checkpoint(sbi, &cpc); > } > > - /* f2fs_write_checkpoint can update stat informaion */ > - f2fs_destroy_stats(sbi); The code order in error path of fill_super is almost the same as the one of put_super, could you please check that as well? Thanks, > - > /* > * normally superblock is clean, so we need to release this. > * In addition, EIO will skip do checkpoint, we need this as well. > @@ -1080,6 +1077,12 @@ static void f2fs_put_super(struct super_block *sb) > iput(sbi->node_inode); > iput(sbi->meta_inode); > > + /* > + * iput() can update stat information, if f2fs_write_checkpoint() > + * above failed with error. > + */ > + f2fs_destroy_stats(sbi); > + > /* destroy f2fs internal modules */ > f2fs_destroy_node_manager(sbi); > f2fs_destroy_segment_manager(sbi); >