Received: by 2002:a05:6a10:9e8c:0:0:0:0 with SMTP id y12csp252061pxx; Thu, 29 Oct 2020 01:30:37 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwQJa4lcJ0fNBAlV15hfGsJtWknwAgR1Pk+M4Ln6Dxs5LfZDUwLYS69zFuDAAc7+ndmGTu7 X-Received: by 2002:a17:906:2b83:: with SMTP id m3mr2906990ejg.456.1603960237655; Thu, 29 Oct 2020 01:30:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1603960237; cv=none; d=google.com; s=arc-20160816; b=SCuKjm8rJFoU/oRMj0ztVZG47/R5gdCWUf/082XSTtrGGaWmVRi8G/lSD82VKfwcgy 2SEhuDQL+619lq9BarBoOk6U52IOZnNWXPvE9ok9ThIIQtrliqlD5WkO9qBYwheOizPa Tp4CHIg6xUYu5RP+0SpIRN7U5HyBPxAAUddPAATdNdyDfcQq05zu0JfMh+ShPf6pJUzs FWNpqs4EBKssmnlZ5v7HDSrBY0+KST0KY9M6du5D1kIm0mB3WJcYfnPewd6AbcCiMutB ohlPvP8Iv03MU5Pfhh8yCLgCPw/zhFEq85koKibLOeOiefnS38apk0TptYVdV8xd7LAr 1w/Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from; bh=mvcPbtC2PtqUkRP40qBvCwheNNCs5Lr/hOjx+LHbhWo=; b=jdueehDvpRYQ2+o/WYVyWlxE3iqxKyYWQCjFnzNXac962xGC4XRrIay72MzDixMO4t SyKeI4LVi0f95r7kvtnbpcUBW2rL2WkeNLtdSVQ3YX+nLdfG/pyfj2/jsv+NUDKG44c1 swfe+KI9oq23Aj4h755Y5MNJwuUCz/mjFWywOpLVrfFP6wDdG/oU4fnl5JCoCrzEbsMH k/kXCL6n55prPDbX/CeXOT1U2pT3AD+oxThdKw1pcByBqzYvrsQcPlBkkTIfHYFBJ+Ss +v0Qbn8yYE4HL9kQp7CC/8k8HJoKVso6WcLg1O5Z0TyJliGDyEa4Z74nZfc2FFBu8+7w /0yg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id h15si1674295ejq.475.2020.10.29.01.30.06; Thu, 29 Oct 2020 01:30:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728094AbgJ2AeQ (ORCPT + 99 others); Wed, 28 Oct 2020 20:34:16 -0400 Received: from szxga06-in.huawei.com ([45.249.212.32]:6983 "EHLO szxga06-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1731713AbgJ1WUo (ORCPT ); Wed, 28 Oct 2020 18:20:44 -0400 Received: from DGGEMS414-HUB.china.huawei.com (unknown [172.30.72.59]) by szxga06-in.huawei.com (SkyGuard) with ESMTP id 4CLd586NyCzhchM; Wed, 28 Oct 2020 13:52:28 +0800 (CST) Received: from code-website.localdomain (10.175.127.227) by DGGEMS414-HUB.china.huawei.com (10.3.19.214) with Microsoft SMTP Server id 14.3.487.0; Wed, 28 Oct 2020 13:52:15 +0800 From: yangerkun To: , , CC: , Subject: [PATCH] ext4: do not use extent after put_bh Date: Wed, 28 Oct 2020 13:56:17 +0800 Message-ID: <20201028055617.2569255-1-yangerkun@huawei.com> X-Mailer: git-send-email 2.25.4 MIME-Version: 1.0 Content-Transfer-Encoding: 7BIT Content-Type: text/plain; charset=US-ASCII X-Originating-IP: [10.175.127.227] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org ext4_ext_search_right will read more extent block and call put_bh after we get the information we need. However ret_ex will break this and may cause use-after-free once pagecache has been freed. Fix it by dup the extent we need. Signed-off-by: yangerkun --- fs/ext4/extents.c | 30 +++++++++++++++--------------- 1 file changed, 15 insertions(+), 15 deletions(-) diff --git a/fs/ext4/extents.c b/fs/ext4/extents.c index 559100f3e23c..4ba8131a5629 100644 --- a/fs/ext4/extents.c +++ b/fs/ext4/extents.c @@ -1471,16 +1471,16 @@ static int ext4_ext_search_left(struct inode *inode, } /* - * search the closest allocated block to the right for *logical - * and returns it at @logical + it's physical address at @phys - * if *logical is the largest allocated block, the function - * returns 0 at @phys - * return value contains 0 (success) or error code + * Search the closest allocated block to the right for *logical + * and returns it at @logical + it's physical address at @phys. + * If not exists, return 0 and @phys is set to 0. We will return + * 1 which means we found that and ret_ex may be valid. Or return + * the error code. */ static int ext4_ext_search_right(struct inode *inode, struct ext4_ext_path *path, ext4_lblk_t *logical, ext4_fsblk_t *phys, - struct ext4_extent **ret_ex) + struct ext4_extent *ret_ex) { struct buffer_head *bh = NULL; struct ext4_extent_header *eh; @@ -1574,10 +1574,11 @@ static int ext4_ext_search_right(struct inode *inode, found_extent: *logical = le32_to_cpu(ex->ee_block); *phys = ext4_ext_pblock(ex); - *ret_ex = ex; + if (ret_ex) + *ret_ex = *ex; if (bh) put_bh(bh); - return 0; + return 1; } /* @@ -2868,8 +2869,8 @@ int ext4_ext_remove_space(struct inode *inode, ext4_lblk_t start, */ lblk = ex_end + 1; err = ext4_ext_search_right(inode, path, &lblk, &pblk, - &ex); - if (err) + NULL); + if (err < 0) goto out; if (pblk) { partial.pclu = EXT4_B2C(sbi, pblk); @@ -4039,7 +4040,7 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, struct ext4_map_blocks *map, int flags) { struct ext4_ext_path *path = NULL; - struct ext4_extent newex, *ex, *ex2; + struct ext4_extent newex, *ex, ex2; struct ext4_sb_info *sbi = EXT4_SB(inode->i_sb); ext4_fsblk_t newblock = 0, pblk; int err = 0, depth, ret; @@ -4175,15 +4176,14 @@ int ext4_ext_map_blocks(handle_t *handle, struct inode *inode, if (err) goto out; ar.lright = map->m_lblk; - ex2 = NULL; err = ext4_ext_search_right(inode, path, &ar.lright, &ar.pright, &ex2); - if (err) + if (err < 0) goto out; /* Check if the extent after searching to the right implies a * cluster we can use. */ - if ((sbi->s_cluster_ratio > 1) && ex2 && - get_implied_cluster_alloc(inode->i_sb, map, ex2, path)) { + if ((sbi->s_cluster_ratio > 1) && err && + get_implied_cluster_alloc(inode->i_sb, map, &ex2, path)) { ar.len = allocated = map->m_len; newblock = map->m_pblk; goto got_allocated_blocks; -- 2.25.4