Hi Andrew,

Can you please take this patch up and get it merged into mainline? Despite Vyacheslav's lamentations this patch is obviously correct. __hfs_bnode_create() is called in two places from the driver, and the pages it returns are kmap()-ed and used (both read and write), so it is quite obvious they cannot be page_cache_release()-d until after they are kunmap()-ed, instead of before they are even kmap()-ed as happens without this patch. This patch fixes exactly this by moving the page_cache_release() calls to after the pages are kunmap()-ed.

Feel free to add:

Reviewed-by: Anton Altaparmakov <anton@xxxxxxxxxx>

Thanks a lot in advance!

Best regards,

Anton

> On 7 Jun 2015, at 03:42, Sergei Antonov <saproj@xxxxxxxxx> wrote:
>
> Fix this bug report by Sasha Levin:
> http://lkml.org/lkml/2015/2/20/85 ("use after free")
> Make sure mapped pages are available for the entire lifetime of hfs_bnode.
>
> Cc: Al Viro <viro@xxxxxxxxxxxxxxxxxx>
> Cc: Christoph Hellwig <hch@xxxxxxxxxxxxx>
> Cc: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> Cc: Vyacheslav Dubeyko <slava@xxxxxxxxxxx>
> Cc: Hin-Tak Leung <htl10@xxxxxxxxxxxxxxxxxxxxx>
> Cc: Sougata Santra <sougata@xxxxxxxxxx>
> Reported-by: Sasha Levin <sasha.levin@xxxxxxxxxx>
> Signed-off-by: Sergei Antonov <saproj@xxxxxxxxx>
> ---
> fs/hfsplus/bnode.c | 6 ++----
> 1 file changed, 2 insertions(+), 4 deletions(-)
>
> diff --git a/fs/hfsplus/bnode.c b/fs/hfsplus/bnode.c > index 759708f..5af50fb 100644 > --- a/fs/hfsplus/bnode.c > +++ b/fs/hfsplus/bnode.c > @@ -454,7 +454,6 @@ static struct hfs_bnode *__hfs_bnode_create(struct hfs_btree *tree, u32 cnid) > page_cache_release(page); > goto fail; > } > - page_cache_release(page); > node->page[i] = page; > }
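Review bot: removing the page_cache_release(page) that followed the PageError check means the reference taken when the page was read is now held for exactly as long as node->page[i] holds the pointer, which is what closes the use-after-free (before this hunk the pointer outlived the reference). The two visible `goto fail` paths release only the page currently in hand, so pages already stored in node->page[0..i-1] when a later read fails must be released by whatever frees the node; that relies on hfs_bnode_free() actually dropping them and on node->page[] being zero-initialised so a NULL check there is meaningful, neither of which is visible in this hunk. A sentence in the commit message saying the release is moved to node free, not dropped, would make the ownership change explicit.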
> > @@ -566,13 +565,12 @@ node_error: > > void hfs_bnode_free(struct hfs_bnode *node) > { > -#if 0 > int i; > > - for (i = 0; i < node->tree->pages_per_bnode; i++) > + for (i = 0; i < node->tree->pages_per_bnode; i++) { > if (node->page[i]) > page_cache_release(node->page[i]); > -#endif > + } > kfree(node); > } > > -- > 2.3.0
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-fsdevel" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton Altaparmakov <anton at tuxera.com> (replace at with @)
Lead in File System Development, Tuxera Inc., http://www.tuxera.com/
Linux NTFS maintainer
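Review bot: re-enabling the `#if 0` block makes hfs_bnode_free() the single place where the references kept in node->page[] are dropped, which pairs with the release removed from __hfs_bnode_create(); the loop dereferences node->tree and skips NULL slots, so it is only safe if the node is allocated zeroed and node->tree is assigned before any failure path can reach hfs_bnode_free(), which this hunk cannot show and the commit message should state. The braces added around the single-statement for body (`+ }` replacing `-#endif`) are a pure style change; noting that the block is being re-enabled rather than newly written would explain that churn to a reader of the log.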