Date: Wed, 8 May 2019 13:59:26 +0530
From: Sahitya Tummala
To: Andreas Dilger
Cc: Theodore Ts'o, linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] ext4: fix use-after-free in dx_release()
Message-ID: <20190508082926.GC19198@codeaurora.org>
References: <1557295997-13377-1-git-send-email-stummala@codeaurora.org> <9EA5FF19-6602-46AC-AD1A-A2E5B7209040@dilger.ca>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <9EA5FF19-6602-46AC-AD1A-A2E5B7209040@dilger.ca>
User-Agent: Mutt/1.5.21 (2010-09-15)
Sender: linux-ext4-owner@vger.kernel.org
Precedence: bulk
List-ID: X-Mailing-List: linux-ext4@vger.kernel.org

On Wed, May 08, 2019 at 01:09:47AM -0600, Andreas Dilger wrote:
> On May 8, 2019, at 12:13 AM, Sahitya Tummala wrote:
> >
> > The buffer_head (frames[0].bh) and its corresponding page can be
> > potentially free'd once brelse() is done inside the for loop
> > but before the for loop exits in dx_release(). It can be free'd
> > in another context, when the page cache is flushed via
> > drop_caches_sysctl_handler(). This results in the below data abort
> > when accessing info->indirect_levels in dx_release().
> >
> > Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
> > Call trace:
> > dx_release+0x70/0x90
> > ext4_htree_fill_tree+0x2d4/0x300
> > ext4_readdir+0x244/0x6f8
> > iterate_dir+0xbc/0x160
> > SyS_getdents64+0x94/0x174
> >
> > Signed-off-by: Sahitya Tummala
>
> The patch looks reasonable, but there is a danger that it may be
> "optimized" back to the pre-patch form again. It probably makes
> sense to include a comment like:
>
> /* save local copy, "info" may be freed after brelse() */

Thanks for reviewing it. Sure, I will add the comment.

>
> Looks fine otherwise.
>
> Reviewed-by: Andreas Dilger
>
> > ---
> > fs/ext4/namei.c | 4 +++-
> > 1 file changed, 3 insertions(+), 1 deletion(-)
> >
> > diff --git a/fs/ext4/namei.c b/fs/ext4/namei.c
> > index 4181c9c..7e6c298 100644
> > --- a/fs/ext4/namei.c
> > +++ b/fs/ext4/namei.c > > @@ -871,12 +871,14 @@ static void dx_release(struct dx_frame *frames) > > { > > struct dx_root_info *info; > > int i; > > + unsigned int indirect_levels; > > > > if (frames[0].bh == NULL) > > return; > > > > info = &((struct dx_root *)frames[0].bh->b_data)->info; > > - for (i = 0; i <= info->indirect_levels; i++) { > > + indirect_levels = info->indirect_levels; > > + for (i = 0; i <= indirect_levels; i++) { > > if (frames[i].bh == NULL) > > break; > > brelse(frames[i].bh); > > -- > > Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc. > > Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project. > > > > > Cheers, Andreas > > > > > -- -- Sent by a consultant of the Qualcomm Innovation Center, Inc. The Qualcomm Innovation Center, Inc. is a member of the Code Aurora Forum.
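Review bot: the hunk copies `info->indirect_levels` into a new `unsigned int indirect_levels` while the loop counter stays `int i`, so `i <= indirect_levels` becomes a signed/unsigned comparison; declaring the local with the same type as the `indirect_levels` field (or as `int`) keeps the copy type-identical to the expression it replaces. The comment requested in review, `/* save local copy, "info" may be freed after brelse() */`, belongs directly above `indirect_levels = info->indirect_levels;` so a later cleanup does not fold the read back into the loop condition. The fix itself is sound: the bound is read once while frames[0].bh is still held, so `info` is no longer dereferenced after the first brelse() may have let the page be reclaimed.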
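The pre-patch and patched loops described in the commit message, modelled as an added C example that is not ext4 code and not from this thread: a buffer_head with a refcount, a brelse() that poisons the buffer on its last release instead of freeing it, and dx_release_model(), which with save_copy == 0 re-reads the bound through info after the first release and with save_copy == 1 caches it the way the patch does. The struct layouts, the 16-byte buffer and run_scenario() are constructed for the example.

```c
#include <stddef.h>
#include <string.h>

/* Constructed stand-ins for the objects dx_release() touches: dx_root_info
 * lives inside frames[0].bh->b_data, the buffer_head carries a refcount. */
struct dx_root_info { unsigned char indirect_levels; };
struct buffer_head { int refcount; unsigned char b_data[16]; };
struct dx_frame { struct buffer_head *bh; };

/* Model of brelse(): once the last reference drops the page may be
 * reclaimed (the commit message names drop_caches). Poison instead of
 * freeing so the stale read is deterministic rather than a data abort. */
static void brelse(struct buffer_head *bh)
{
    if (--bh->refcount == 0)
        memset(bh->b_data, 0xff, sizeof bh->b_data);
}

/* save_copy == 0: pre-patch loop, bound re-read through `info` after
 * frames[0].bh was released in the first pass. save_copy == 1: patched
 * loop. Returns the bound last compared against, exposing the stale value. */
static unsigned dx_release_model(struct dx_frame *frames, int save_copy)
{
    struct dx_root_info *info;
    unsigned bound;
    int i;

    if (frames[0].bh == NULL)
        return 0;
    info = (struct dx_root_info *)frames[0].bh->b_data;
    /* save local copy, "info" may be freed after brelse() */
    bound = info->indirect_levels;
    for (i = 0; i <= bound; i++) {
        if (frames[i].bh == NULL)
            break;
        brelse(frames[i].bh);
        frames[i].bh = NULL;
        if (!save_copy)          /* pre-patch: read through released buffer */
            bound = info->indirect_levels;
    }
    return bound;
}

/* Two-level tree: root says indirect_levels = 1, one leaf, NULL sentinel.
 * Each buffer holds a single reference, so the loop's brelse() releases it. */
static unsigned run_scenario(int save_copy)
{
    struct buffer_head root = { 1, { 1 } }, leaf = { 1, { 0 } };
    struct dx_frame frames[3] = { { &root }, { &leaf }, { NULL } };
    return dx_release_model(frames, save_copy);
}
```

With save_copy == 0 the loop keeps running on the poisoned 0xff bound and only stops at the NULL sentinel; in the kernel the same read hits an unmapped page, which is the paging fault in the trace.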