On Mon, Apr 27, 2020 at 08:24:55AM +1000, Dave Chinner wrote:
> On Sun, Apr 26, 2020 at 11:49:24PM +0200, Guoqing Jiang wrote:
> > Since the new pair function is introduced, we can call them to clean the
> > code in orangefs.
> >
> > Cc: Mike Marshall <hubcap@xxxxxxxxxxxx>
> > Cc: Martin Brandenburg <martin@xxxxxxxxxxxx>
> > Cc: devel@xxxxxxxxxxxxxxxxxx
> > Signed-off-by: Guoqing Jiang <guoqing.jiang@xxxxxxxxxxxxxxx>
> > ---
> > fs/orangefs/inode.c | 24 ++++++------------------
> > 1 file changed, 6 insertions(+), 18 deletions(-)
> >
> > diff --git a/fs/orangefs/inode.c b/fs/orangefs/inode.c
> > index 12ae630fbed7..893099d36e20 100644
> > --- a/fs/orangefs/inode.c
> > +++ b/fs/orangefs/inode.c
> > @@ -64,9 +64,7 @@ static int orangefs_writepage_locked(struct page *page,
> > }
> > if (wr) {
> > kfree(wr);
> > - set_page_private(page, 0);
> > - ClearPagePrivate(page);
> > - put_page(page);
> > + clear_fs_page_private(page);
>
> THis is a pre-existing potential use-after-free vector. The wr
> pointer held in the page->private needs to be cleared from the page
> before it is freed.
I'm not familar with orangefs. In my opinion, generally all temporary
page->private access (r/w) should be properly protected by some locks,
most of time I think it could be at least page lock since .migratepage,
.invalidatepage, .releasepage, .. (such paths) are already called with
page locked (honestly I'm interested in this topic, please correct me
if I'm wrong).
I agree that the suggested modification is more clear and easy to read.
Thanks,
Gao Xiang
