| Message ID | 20190426131127.19164-1-agruenba@redhat.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [v5,1/3] iomap: Fix use-after-free error in page_done callback | expand |
This looks ok to me, holding the page over the i_size update and mark_inode_dirty should be ok. But I think it would be a lot cleaner if rebased ontop of this cleanup, which you could add to the front of the series: --- From 908dbc5e7c26035f992fef84886976e0cda10b98 Mon Sep 17 00:00:00 2001 From: Christoph Hellwig <hch@lst.de> Date: Sat, 27 Apr 2019 08:13:38 +0200 Subject: iomap: cleanup __generic_write_end calling conventions Move the call to __generic_write_end into the common code flow instead of duplicating it in each of the three branches. This requires open coding the generic_write_end for the buffer_head case. Signed-off-by: Christoph Hellwig <hch@lst.de> --- fs/iomap.c | 18 ++++++++---------- 1 file changed, 8 insertions(+), 10 deletions(-) diff --git a/fs/iomap.c b/fs/iomap.c index abdd18e404f8..cfc8a10b3fd8 100644 --- a/fs/iomap.c +++ b/fs/iomap.c @@ -738,13 +738,11 @@ __iomap_write_end(struct inode *inode, loff_t pos, unsigned len, * uptodate page as a zero-length write, and force the caller to redo * the whole thing. */ - if (unlikely(copied < len && !PageUptodate(page))) { - copied = 0; - } else { - iomap_set_range_uptodate(page, offset_in_page(pos), len); - iomap_set_page_dirty(page); - } - return __generic_write_end(inode, pos, copied, page); + if (unlikely(copied < len && !PageUptodate(page))) + return 0; + iomap_set_range_uptodate(page, offset_in_page(pos), len); + iomap_set_page_dirty(page); + return copied; } static int @@ -761,7 +759,6 @@ iomap_write_end_inline(struct inode *inode, struct page *page, kunmap_atomic(addr); mark_inode_dirty(inode); - __generic_write_end(inode, pos, copied, page); return copied; } @@ -774,12 +771,13 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len, if (iomap->type == IOMAP_INLINE) { ret = iomap_write_end_inline(inode, page, iomap, pos, copied); } else if (iomap->flags & IOMAP_F_BUFFER_HEAD) { - ret = generic_write_end(NULL, inode->i_mapping, pos, len, - copied, page, NULL); + ret = block_write_end(NULL, inode->i_mapping, pos, len, copied, + page, NULL); } else { ret = __iomap_write_end(inode, pos, len, copied, page, iomap); } + ret = __generic_write_end(inode, pos, ret, page); if (iomap->page_done) iomap->page_done(inode, pos, copied, page, iomap);
On Fri 26-04-19 15:11:25, Andreas Gruenbacher wrote: > In iomap_write_end, we are not holding a page reference anymore when > calling the page_done callback, but the callback needs that reference to > access the page. > > To fix that, move the put_page call in __generic_write_end into the > callers of __generic_write_end. Then, in iomap_write_end, put the page > after calling the page_done callback. > > Reported-by: Jan Kara <jack@suse.cz> > Fixes: 63899c6f8851 ("iomap: add a page_done callback") > Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> The patch looks good to me. You can add: Reviewed-by: Jan Kara <jack@suse.cz> Honza > --- > fs/buffer.c | 5 +++-- > fs/iomap.c | 12 ++++++++++-- > 2 files changed, 13 insertions(+), 4 deletions(-) > > diff --git a/fs/buffer.c b/fs/buffer.c > index ce357602f471..6e2c95160ce3 100644 > --- a/fs/buffer.c > +++ b/fs/buffer.c > @@ -2104,7 +2104,6 @@ int __generic_write_end(struct inode *inode, loff_t pos, unsigned copied, > } > > unlock_page(page); > - put_page(page); > > if (old_size < pos) > pagecache_isize_extended(inode, old_size, pos); > @@ -2160,7 +2159,9 @@ int generic_write_end(struct file *file, struct address_space *mapping, > struct page *page, void *fsdata) > { > copied = block_write_end(file, mapping, pos, len, copied, page, fsdata); > - return __generic_write_end(mapping->host, pos, copied, page); > + copied = __generic_write_end(mapping->host, pos, copied, page); > + put_page(page); > + return copied; > } > EXPORT_SYMBOL(generic_write_end); > > diff --git a/fs/iomap.c b/fs/iomap.c > index 97cb9d486a7d..3e4652dac9d9 100644 > --- a/fs/iomap.c > +++ b/fs/iomap.c > @@ -765,6 +765,14 @@ iomap_write_end_inline(struct inode *inode, struct page *page, > return copied; > } > > +static int > +buffer_write_end(struct address_space *mapping, loff_t pos, loff_t len, > + unsigned copied, struct page *page) > +{ > + copied = block_write_end(NULL, mapping, pos, len, copied, page, NULL); > + return __generic_write_end(mapping->host, pos, copied, page); > +} > + > static int > iomap_write_end(struct inode *inode, loff_t pos, unsigned len, > unsigned copied, struct page *page, struct iomap *iomap) > @@ -774,14 +782,14 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len, > if (iomap->type == IOMAP_INLINE) { > ret = iomap_write_end_inline(inode, page, iomap, pos, copied); > } else if (iomap->flags & IOMAP_F_BUFFER_HEAD) { > - ret = generic_write_end(NULL, inode->i_mapping, pos, len, > - copied, page, NULL); > + ret = buffer_write_end(inode->i_mapping, pos, len, copied, page); > } else { > ret = __iomap_write_end(inode, pos, len, copied, page, iomap); > } > > if (iomap->page_done) > iomap->page_done(inode, pos, copied, page, iomap); > + put_page(page); > > if (ret < len) > iomap_write_failed(inode, pos, len); > -- > 2.20.1 >
diff --git a/fs/buffer.c b/fs/buffer.c index ce357602f471..6e2c95160ce3 100644 --- a/fs/buffer.c +++ b/fs/buffer.c @@ -2104,7 +2104,6 @@ int __generic_write_end(struct inode *inode, loff_t pos, unsigned copied, } unlock_page(page); - put_page(page); if (old_size < pos) pagecache_isize_extended(inode, old_size, pos); @@ -2160,7 +2159,9 @@ int generic_write_end(struct file *file, struct address_space *mapping, struct page *page, void *fsdata) { copied = block_write_end(file, mapping, pos, len, copied, page, fsdata); - return __generic_write_end(mapping->host, pos, copied, page); + copied = __generic_write_end(mapping->host, pos, copied, page); + put_page(page); + return copied; } EXPORT_SYMBOL(generic_write_end); diff --git a/fs/iomap.c b/fs/iomap.c index 97cb9d486a7d..3e4652dac9d9 100644 --- a/fs/iomap.c +++ b/fs/iomap.c @@ -765,6 +765,14 @@ iomap_write_end_inline(struct inode *inode, struct page *page, return copied; } +static int +buffer_write_end(struct address_space *mapping, loff_t pos, loff_t len, + unsigned copied, struct page *page) +{ + copied = block_write_end(NULL, mapping, pos, len, copied, page, NULL); + return __generic_write_end(mapping->host, pos, copied, page); +} + static int iomap_write_end(struct inode *inode, loff_t pos, unsigned len, unsigned copied, struct page *page, struct iomap *iomap) @@ -774,14 +782,14 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len, if (iomap->type == IOMAP_INLINE) { ret = iomap_write_end_inline(inode, page, iomap, pos, copied); } else if (iomap->flags & IOMAP_F_BUFFER_HEAD) { - ret = generic_write_end(NULL, inode->i_mapping, pos, len, - copied, page, NULL); + ret = buffer_write_end(inode->i_mapping, pos, len, copied, page); } else { ret = __iomap_write_end(inode, pos, len, copied, page, iomap); } if (iomap->page_done) iomap->page_done(inode, pos, copied, page, iomap); + put_page(page); if (ret < len) iomap_write_failed(inode, pos, len);
In iomap_write_end, we are not holding a page reference anymore when calling the page_done callback, but the callback needs that reference to access the page. To fix that, move the put_page call in __generic_write_end into the callers of __generic_write_end. Then, in iomap_write_end, put the page after calling the page_done callback. Reported-by: Jan Kara <jack@suse.cz> Fixes: 63899c6f8851 ("iomap: add a page_done callback") Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> --- fs/buffer.c | 5 +++-- fs/iomap.c | 12 ++++++++++-- 2 files changed, 13 insertions(+), 4 deletions(-)