On 2020/10/30 0:08, Ritesh Harjani wrote:
On 10/28/20 11:26 AM, yangerkun wrote:
ext4_ext_search_right will read more extent blocks and call put_bh after
we get the information we need. However, ret_ex will break this and may
cause a use-after-free once the pagecache has been freed. Fix it by duplicating
the extent we need.
It would be good if we had a test case to reproduce it. Do you?
Ideally it should go in fstests, if you have some way to forcefully
reproduce/simulate it. Let me know; if needed, I can also help to
get those into fstests.
Sorry for that. I found this bug while reading the source code, not with a
testcase.
And the time window left for dropping the pagecache is so small (the time between
get_implied_cluster_alloc and ext4_ext_search_right in
ext4_ext_map_blocks; other callers of ext4_ext_search_right don't use
@ret_ex). It may be difficult to reproduce it except with delay injection.
Thanks,
Kun.
-ritesh
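To illustrate the pattern the commit message describes, here is an added user-space model of the bug and of the "duplicate the extent" fix. It is not code from the ext4 patch or from the kernel: bread(), put_bh(), the cache slot, the extent layout and the sample extent block are all constructed stand-ins, and the page-cache reclaim that makes @ret_ex stale is simulated by poisoning the slot once the buffer head's reference count drops to zero (a real free would make the later read undefined behaviour; poisoning keeps it observable).

```c
/*
 * Added example, not code from the ext4 patch or the kernel: a constructed
 * user-space model of returning a pointer into a buffer head's block after
 * put_bh() (the @ret_ex pattern) versus copying the extent out first.
 * bread(), put_bh(), buffer_head and ext4_extent below are simplified
 * stand-ins for illustration, not the real kernel helpers or layouts.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical trimmed-down extent: logical start, length, physical start. */
struct ext4_extent {
    uint32_t ee_block;
    uint16_t ee_len;
    uint32_t ee_start;
};

#define EXTENTS_PER_BLOCK 4

/* Constructed on-disk extent block used as sample input. */
static const struct ext4_extent disk_block[EXTENTS_PER_BLOCK] = {
    {  0,  8, 1000 },
    {  8, 16, 2000 },
    { 24,  4, 3000 },
    { 28, 32, 4000 },
};

/* Toy buffer head: reference count plus a pointer to the cached block. */
struct buffer_head {
    int b_count;
    struct ext4_extent *b_data;
};

/* One cache slot standing in for the page cache, and its buffer head. */
static struct ext4_extent cache_slot[EXTENTS_PER_BLOCK];
static struct buffer_head cached_bh;

/* bread(): "read" the extent block into the cache and take a reference. */
static struct buffer_head *bread(void)
{
    memcpy(cache_slot, disk_block, sizeof cache_slot);
    cached_bh.b_count = 1;
    cached_bh.b_data = cache_slot;
    return &cached_bh;
}

/* put_bh(): drop the reference.  At zero, page-cache reclaim is modelled by
 * overwriting the slot with 0xff bytes so a later read through a stale
 * pointer is deterministic instead of undefined behaviour. */
static void put_bh(struct buffer_head *bh)
{
    if (--bh->b_count == 0) {
        memset(bh->b_data, 0xff, sizeof cache_slot);
        bh->b_data = NULL;
    }
}

/* Buggy shape: find the first extent to the right of @lblk, hand back a
 * pointer into the block, then put_bh().  The pointer outlives the reference. */
static struct ext4_extent *search_right_dangling(uint32_t lblk)
{
    struct buffer_head *bh = bread();
    struct ext4_extent *ex = NULL;

    for (int i = 0; i < EXTENTS_PER_BLOCK; i++) {
        if (bh->b_data[i].ee_block > lblk) {
            ex = &bh->b_data[i];
            break;
        }
    }
    put_bh(bh);          /* block may be reclaimed from here on */
    return ex;           /* stale: aliases memory we no longer hold */
}

/* Fixed shape: copy the extent into caller-owned storage before put_bh(),
 * so nothing references the block once the reference is dropped.
 * Returns 1 if an extent was found, 0 otherwise. */
static int search_right_copy(uint32_t lblk, struct ext4_extent *ret_ex)
{
    struct buffer_head *bh = bread();
    int found = 0;

    for (int i = 0; i < EXTENTS_PER_BLOCK; i++) {
        if (bh->b_data[i].ee_block > lblk) {
            *ret_ex = bh->b_data[i];   /* duplicate, do not alias */
            found = 1;
            break;
        }
    }
    put_bh(bh);
    return found;
}

/* Physical start as seen through the dangling pointer; after the simulated
 * reclaim this is the 0xff poison, not the real block number. */
static uint32_t dangling_start(uint32_t lblk)
{
    struct ext4_extent *ex = search_right_dangling(lblk);
    return ex ? ex->ee_start : 0;
}

int main(void)
{
    struct ext4_extent ex;

    printf("dangling: ee_start=0x%08x\n", dangling_start(0));
    if (search_right_copy(0, &ex))
        printf("copied:   ee_block=%u ee_len=%u ee_start=%u\n",
               ex.ee_block, ex.ee_len, ex.ee_start);
    return 0;
}
```

The model collapses the race the reply describes: in the real code the window between dropping the buffer and the caller reading @ret_ex is tiny, which is why it is hard to hit without delay injection; here the "reclaim" happens unconditionally inside put_bh() so the stale read is visible on every run, while the copying variant returns the same extent regardless of what happens to the block afterwards.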