Message ID | 20230921141731.10073-1-konishi.ryusuke@gmail.com |
---|---|
State | New |
Headers | From: Ryusuke Konishi <konishi.ryusuke@gmail.com>; To: Andrew Morton <akpm@linux-foundation.org>; Cc: linux-nilfs@vger.kernel.org, linux-kernel@vger.kernel.org; Subject: [PATCH] nilfs2: fix potential use after free in nilfs_gccache_submit_read_data(); Date: Thu, 21 Sep 2023 23:17:31 +0900; Message-Id: <20230921141731.10073-1-konishi.ryusuke@gmail.com>; X-Mailer: git-send-email 2.34.1 |
Series | nilfs2: fix potential use after free in nilfs_gccache_submit_read_data() |
Commit Message
Ryusuke Konishi
Sept. 21, 2023, 2:17 p.m. UTC
From: Pan Bian <bianpan2016@163.com>

In nilfs_gccache_submit_read_data(), brelse(bh) is called to drop the reference count of bh when the call to nilfs_dat_translate() fails. If the reference count hits 0 and its owner page gets unlocked, bh may be freed. However, bh->b_page is dereferenced to put the page after that, which may result in a use-after-free bug. This patch moves the release operation after unlocking and putting the page.

NOTE: The function in question is only called in GC, and in combination with current userland tools, address translation using DAT does not occur in that function, so the code path that causes this issue will not be executed. However, it is possible to run that code path by intentionally modifying the userland GC library or by calling the GC ioctl directly.

Link: https://lkml.kernel.org/r/1543201709-53191-1-git-send-email-bianpan2016@163.com
Signed-off-by: Pan Bian <bianpan2016@163.com>
Reported-by: Ferry Meng <mengferry@linux.alibaba.com>
Closes: https://lkml.kernel.org/r/20230818092022.111054-1-mengferry@linux.alibaba.com
Fixes: a3d93f709e89 ("nilfs2: block cache for garbage collection")
[konishi.ryusuke@gmail.com: NOTE added to the commit log]
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
---
 fs/nilfs2/gcinode.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
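To make the ordering argument in the commit message concrete, here is an added toy model in C, written for this page and not taken from the nilfs2 tree or from the patch authors. `toy_page`, `toy_bh`, `toy_brelse()`, `toy_unlock_page()`, `toy_put_page()` and `toy_try_to_free_buffers()` are invented stand-ins for the kernel primitives; the reclaim rule (an unreferenced buffer is freed as soon as its page is unlocked) is a deliberate simplification of what the kernel may do at any later point, and a reclaimed bh is flagged rather than free()d so that a stale access is counted instead of being undefined behaviour. Running both orderings over the same constructed scenario shows the second `bh->b_page` read of the old error path landing on a reclaimed buffer, while the fixed ordering never touches one.

```c
/*
 * Added illustration, not kernel code: a toy refcount model of the
 * buffer_head/page ownership rule behind this nilfs2 fix. All names are
 * simplified stand-ins; a reclaimed bh is flagged in place instead of
 * being freed so a use-after-free is counted, not undefined behaviour.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

struct toy_bh;

struct toy_page {
	int refcount;          /* dropped by toy_put_page() */
	bool locked;           /* page lock, released by toy_unlock_page() */
	struct toy_bh *bh;     /* buffer attached to the page, NULL once reclaimed */
};

struct toy_bh {
	int count;             /* b_count: toy_brelse() drops it */
	struct toy_page *page; /* b_page: stale once the bh is reclaimed */
	bool freed;            /* quarantine flag standing in for the real free */
};

static int uaf_detected;   /* number of accesses to a reclaimed bh */

/* Every read of bh->page goes through here so a stale access is counted. */
static struct toy_page *bh_page(struct toy_bh *bh)
{
	if (bh->freed)
		uaf_detected++;
	return bh->page;
}

static void toy_brelse(struct toy_bh *bh)
{
	if (bh->count > 0)
		bh->count--;
}

/* Simplification: reclaim frees an unreferenced buffer as soon as its page
 * is unlocked (in the kernel this can happen concurrently, any time later). */
static void toy_try_to_free_buffers(struct toy_page *page)
{
	if (page->locked || !page->bh || page->bh->count != 0)
		return;
	page->bh->freed = true;  /* bh is gone; bh->page is now a dangling value */
	page->bh = NULL;
}

static void toy_unlock_page(struct toy_page *page)
{
	page->locked = false;
	toy_try_to_free_buffers(page);
}

static void toy_put_page(struct toy_page *page)
{
	page->refcount--;
}

/* Error path before the fix: the caller's bh reference is dropped first,
 * then bh->b_page is read twice; the second read can hit a reclaimed bh. */
static int error_path_before_fix(struct toy_bh *bh, int err)
{
	toy_brelse(bh);
	toy_unlock_page(bh_page(bh));
	toy_put_page(bh_page(bh));
	return err;
}

/* Error path after the fix: the page is unlocked and put while the caller
 * still holds bh, and the reference is dropped only as the last step. */
static int error_path_after_fix(struct toy_bh *bh, int err)
{
	toy_unlock_page(bh_page(bh));
	toy_put_page(bh_page(bh));
	if (err)
		toy_brelse(bh);
	return err;
}

/* Constructed scenario: one locked page holding one buffer with a single
 * reference owned by the caller, entered with a DAT translation failure.
 * Returns how many times a reclaimed bh was dereferenced. */
static int run_error_path(int (*path)(struct toy_bh *, int))
{
	struct toy_page page = { .refcount = 1, .locked = true, .bh = NULL };
	struct toy_bh bh = { .count = 1, .page = &page, .freed = false };

	page.bh = &bh;
	uaf_detected = 0;
	path(&bh, -EIO);
	return uaf_detected;
}

int main(void)
{
	printf("before fix: %d stale bh access(es)\n",
	       run_error_path(error_path_before_fix));
	printf("after fix:  %d stale bh access(es)\n",
	       run_error_path(error_path_after_fix));
	return 0;
}
```

After the fixed path the buffer is left with a zero count on an unlocked page, which is precisely the state reclaim is allowed to act on later; the point is that the function no longer reads through `bh` once its own reference is gone. The same rule carries over to any refcounted object with an embedded back-pointer: take whatever you need from the object first, and drop your reference as the final step.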
diff --git a/fs/nilfs2/gcinode.c b/fs/nilfs2/gcinode.c index 48fe71d309cb..8beb2730929d 100644 --- a/fs/nilfs2/gcinode.c +++ b/fs/nilfs2/gcinode.c @@ -73,10 +73,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, struct the_nilfs *nilfs = inode->i_sb->s_fs_info; err = nilfs_dat_translate(nilfs->ns_dat, vbn, &pbn); - if (unlikely(err)) { /* -EIO, -ENOMEM, -ENOENT */ - brelse(bh); + if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ goto failed; - } } lock_buffer(bh); @@ -102,6 +100,8 @@ int nilfs_gccache_submit_read_data(struct inode *inode, sector_t blkoff, failed: unlock_page(bh->b_page); put_page(bh->b_page); + if (unlikely(err)) + brelse(bh); return err; }
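Review bot: in the first hunk (@@ -73,10 +73,8 @@) the ownership transfer is invisible at the call site: `if (unlikely(err)) /* -EIO, -ENOMEM, -ENOENT */ goto failed;` no longer releases bh, and a reader has to locate the `failed:` label in the other hunk to see that the buffer is now released there. A one-line comment at this site, along the lines of `/* bh is released at failed: once the page has been dropped */`, would document that the goto target owns the final brelse().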
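Review bot: in the second hunk (@@ -102,6 +100,8 @@) the new `if (unlikely(err)) brelse(bh);` at `failed:` makes the label's behaviour conditional on err, which implies the label is also reached with err == 0 on a non-error path that this hunk does not show; the fix is therefore correct only as long as every fallthrough into `failed:` has zeroed err beforehand, and that invariant deserves a comment at the label. The reordering itself is sound as shown: `unlock_page(bh->b_page)` and `put_page(bh->b_page)` now run while the caller's bh reference still pins the buffer, and brelse() is the last statement before `return err;`, so nothing dereferences bh after its reference is dropped.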