[PATCH v5 1/3] iomap: Fix use-after-free error in page_done callback

Andreas Gruenbacher <agruenba@xxxxxxxxxx> · Fri, 26 Apr 2019 15:11:25 +0200

In iomap_write_end, we are not holding a page reference anymore when
calling the page_done callback, but the callback needs that reference to
access the page.

To fix that, move the put_page call in __generic_write_end into the
callers of __generic_write_end.  Then, in iomap_write_end, put the page
after calling the page_done callback.

Reported-by: Jan Kara <jack@xxxxxxx>
Fixes: 63899c6f8851 ("iomap: add a page_done callback")
Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
---
 fs/buffer.c |  5 +++--
 fs/iomap.c  | 12 ++++++++++--
 2 files changed, 13 insertions(+), 4 deletions(-)

diff --git a/fs/buffer.c b/fs/buffer.c
index ce357602f471..6e2c95160ce3 100644
--- a/fs/buffer.c
+++ b/fs/buffer.c
@@ -2104,7 +2104,6 @@ int __generic_write_end(struct inode *inode, loff_t pos, unsigned copied,
 	}
 
 	unlock_page(page);
-	put_page(page);
 
 	if (old_size < pos)
 		pagecache_isize_extended(inode, old_size, pos);
@@ -2160,7 +2159,9 @@ int generic_write_end(struct file *file, struct address_space *mapping,
 			struct page *page, void *fsdata)
 {
 	copied = block_write_end(file, mapping, pos, len, copied, page, fsdata);
-	return __generic_write_end(mapping->host, pos, copied, page);
+	copied = __generic_write_end(mapping->host, pos, copied, page);
+	put_page(page);
+	return copied;
 }
 EXPORT_SYMBOL(generic_write_end);
 
diff --git a/fs/iomap.c b/fs/iomap.c
index 97cb9d486a7d..3e4652dac9d9 100644
--- a/fs/iomap.c
+++ b/fs/iomap.c
@@ -765,6 +765,14 @@ iomap_write_end_inline(struct inode *inode, struct page *page,
 	return copied;
 }
 
+static int
+buffer_write_end(struct address_space *mapping, loff_t pos, loff_t len,
+		unsigned copied, struct page *page)
+{
+	copied = block_write_end(NULL, mapping, pos, len, copied, page, NULL);
+	return __generic_write_end(mapping->host, pos, copied, page);
+}
+
 static int
 iomap_write_end(struct inode *inode, loff_t pos, unsigned len,
 		unsigned copied, struct page *page, struct iomap *iomap)
@@ -774,14 +782,14 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len,
 	if (iomap->type == IOMAP_INLINE) {
 		ret = iomap_write_end_inline(inode, page, iomap, pos, copied);
 	} else if (iomap->flags & IOMAP_F_BUFFER_HEAD) {
-		ret = generic_write_end(NULL, inode->i_mapping, pos, len,
-				copied, page, NULL);
+		ret = buffer_write_end(inode->i_mapping, pos, len, copied, page);
 	} else {
 		ret = __iomap_write_end(inode, pos, len, copied, page, iomap);
 	}
 
 	if (iomap->page_done)
 		iomap->page_done(inode, pos, copied, page, iomap);
+	put_page(page);
 
 	if (ret < len)
 		iomap_write_failed(inode, pos, len);
-- 
2.20.1







