On Mon, Apr 27, 2020 at 10:58:02AM +0800, Gao Xiang wrote:
> On Mon, Apr 27, 2020 at 08:24:55AM +1000, Dave Chinner wrote:
> > On Sun, Apr 26, 2020 at 11:49:24PM +0200, Guoqing Jiang wrote:
> > > Since the new pair function is introduced, we can call them to clean the
> > > code in orangefs.
> > >
> > > Cc: Mike Marshall <hubcap@xxxxxxxxxxxx>
> > > Cc: Martin Brandenburg <martin@xxxxxxxxxxxx>
> > > Cc: devel@xxxxxxxxxxxxxxxxxx
> > > Signed-off-by: Guoqing Jiang <guoqing.jiang@xxxxxxxxxxxxxxx>
> > > ---
> > > fs/orangefs/inode.c | 24 ++++++------------------
> > > 1 file changed, 6 insertions(+), 18 deletions(-)
> > >
> > > diff --git a/fs/orangefs/inode.c b/fs/orangefs/inode.c
> > > index 12ae630fbed7..893099d36e20 100644
> > > --- a/fs/orangefs/inode.c
> > > +++ b/fs/orangefs/inode.c
> > > @@ -64,9 +64,7 @@ static int orangefs_writepage_locked(struct page *page,
> > > }
> > > if (wr) {
> > > kfree(wr);
> > > - set_page_private(page, 0);
> > > - ClearPagePrivate(page);
> > > - put_page(page);
> > > + clear_fs_page_private(page);
> >
> > THis is a pre-existing potential use-after-free vector. The wr
> > pointer held in the page->private needs to be cleared from the page
> > before it is freed.
>
> I'm not familar with orangefs. In my opinion, generally all temporary
> page->private access (r/w) should be properly protected by some locks,
... page->private pointers (there may be some other uses rather than
as references). sorry about that...
> most of time I think it could be at least page lock since .migratepage,
> .invalidatepage, .releasepage, .. (such paths) are already called with
> page locked (honestly I'm interested in this topic, please correct me
> if I'm wrong).
>
> I agree that the suggested modification is more clear and easy to read.
>
> Thanks,
> Gao Xiang
>
>
