From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Gao Xiang <gaoxiang25@huawei.com>,
Chao Yu <yuchao0@huawei.com>
Subject: [PATCH 5.0 19/25] staging: erofs: compressed_pages should not be accessed again after freed
Date: Tue, 12 Mar 2019 10:08:57 -0700
Message-ID: <20190312170404.975178350@linuxfoundation.org>
In-Reply-To: <20190312170403.643852550@linuxfoundation.org>
5.0-stable review patch. If anyone has any objections, please let me know.
------------------
From: Gao Xiang <gaoxiang25@huawei.com>
commit af692e117cb8cd9d3d844d413095775abc1217f9 upstream.
This patch resolves the following page use-after-free issue,
z_erofs_vle_unzip:
    ...
    for (i = 0; i < nr_pages; ++i) {
        ...
        z_erofs_onlinepage_endio(page);                         (1)
    }
    for (i = 0; i < clusterpages; ++i) {
        page = compressed_pages[i];
        if (page->mapping == mngda)                             (2)
            continue;
        /* recycle all individual staging pages */
        (void)z_erofs_gather_if_stagingpage(page_pool, page);   (3)
        WRITE_ONCE(compressed_pages[i], NULL);
    }
    ...
After (1) is executed, page is freed and could then be reused. If
compressed_pages is scanned after that, it could fall into (2) or
(3) by mistake and that could finally be in a mess.
This patch aims to solve the above issue with as few changes as
possible in order to make the fix easier to backport.
Fixes: 3883a79abd02 ("staging: erofs: introduce VLE decompression support")
Cc: <stable@vger.kernel.org> # 4.19+
Signed-off-by: Gao Xiang <gaoxiang25@huawei.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/erofs/unzip_vle.c | 38 +++++++++++++++++-----------------
drivers/staging/erofs/unzip_vle.h | 3 --
drivers/staging/erofs/unzip_vle_lz4.c | 19 +++++++----------
3 files changed, 29 insertions(+), 31 deletions(-)
--- a/drivers/staging/erofs/unzip_vle.c
+++ b/drivers/staging/erofs/unzip_vle.c
@@ -1017,11 +1017,10 @@ repeat:
if (llen > grp->llen)
llen = grp->llen;
- err = z_erofs_vle_unzip_fast_percpu(compressed_pages,
- clusterpages, pages, llen, work->pageofs,
- z_erofs_onlinepage_endio);
+ err = z_erofs_vle_unzip_fast_percpu(compressed_pages, clusterpages,
+ pages, llen, work->pageofs);
if (err != -ENOTSUPP)
- goto out_percpu;
+ goto out;
if (sparsemem_pages >= nr_pages)
goto skip_allocpage;
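Review bot: `if (err != -ENOTSUPP) goto out;` now routes the success case, every real error and the fast path's partially finished pages to the shared `out:` label, where the only visible per-page action is `z_erofs_onlinepage_endio(page)`; since the lz4 fast path no longer does `SetPageError(pages[i])` on failure, confirm that the `out:` path marks the output pages with an error when `err < 0`, otherwise a failed decompression ends the pages as if they were up to date.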
@@ -1042,8 +1041,25 @@ skip_allocpage:
erofs_vunmap(vout, nr_pages);
out:
+ /* must handle all compressed pages before endding pages */
+ for (i = 0; i < clusterpages; ++i) {
+ page = compressed_pages[i];
+
+#ifdef EROFS_FS_HAS_MANAGED_CACHE
+ if (page->mapping == MNGD_MAPPING(sbi))
+ continue;
+#endif
+ /* recycle all individual staging pages */
+ (void)z_erofs_gather_if_stagingpage(page_pool, page);
+
+ WRITE_ONCE(compressed_pages[i], NULL);
+ }
+
for (i = 0; i < nr_pages; ++i) {
page = pages[i];
+ if (!page)
+ continue;
+
DBG_BUGON(!page->mapping);
/* recycle all individual staging pages */
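Review bot: typo in the new comment, `endding` should be `ending`. The new `if (!page) continue;` in the output-page loop is needed only because the fast-percpu path now reaches `out:` with the holes that `sparsemem_pages` implies; a one-line comment saying so would stop someone from dropping it later. The moved compressed-page loop dereferences `page->mapping` with no NULL check, which matches the old `out_percpu` loop, so it is fine as long as `compressed_pages[]` is always fully populated here.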
@@ -1056,20 +1072,6 @@ out:
z_erofs_onlinepage_endio(page);
}
-out_percpu:
- for (i = 0; i < clusterpages; ++i) {
- page = compressed_pages[i];
-
-#ifdef EROFS_FS_HAS_MANAGED_CACHE
- if (page->mapping == MNGD_MAPPING(sbi))
- continue;
-#endif
- /* recycle all individual staging pages */
- (void)z_erofs_gather_if_stagingpage(page_pool, page);
-
- WRITE_ONCE(compressed_pages[i], NULL);
- }
-
if (pages == z_pagemap_global)
mutex_unlock(&z_pagemap_global_lock);
else if (unlikely(pages != pages_onstack))
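Review bot: the removed `out_percpu:` loop is moved verbatim above the endio loop in the previous hunk, so this hunk is purely a reordering; with the label gone, make sure no other `goto out_percpu` remains in the function (only the one in the first hunk is visible), and consider stating in the commit message that `out:` is now the single exit for the fast-percpu, vmap and error paths.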
--- a/drivers/staging/erofs/unzip_vle.h
+++ b/drivers/staging/erofs/unzip_vle.h
@@ -218,8 +218,7 @@ extern int z_erofs_vle_plain_copy(struct
extern int z_erofs_vle_unzip_fast_percpu(struct page **compressed_pages,
unsigned clusterpages, struct page **pages,
- unsigned outlen, unsigned short pageofs,
- void (*endio)(struct page *));
+ unsigned int outlen, unsigned short pageofs);
extern int z_erofs_vle_unzip_vmap(struct page **compressed_pages,
unsigned clusterpages, void *vaddr, unsigned llen,
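Review bot: the rewritten parameter line uses `unsigned int outlen` while the line above it keeps `unsigned clusterpages`; for a backport-minimal fix either leave the spelling as it was or change both, rather than mixing styles within one prototype.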
--- a/drivers/staging/erofs/unzip_vle_lz4.c
+++ b/drivers/staging/erofs/unzip_vle_lz4.c
@@ -125,8 +125,7 @@ int z_erofs_vle_unzip_fast_percpu(struct
unsigned int clusterpages,
struct page **pages,
unsigned int outlen,
- unsigned short pageofs,
- void (*endio)(struct page *))
+ unsigned short pageofs)
{
void *vin, *vout;
unsigned int nr_pages, i, j;
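Review bot: with the `endio` callback removed, nothing in this signature tells a caller that `pages[]` are left un-ended on return; a short comment above `z_erofs_vle_unzip_fast_percpu()` stating that the caller must recycle `compressed_pages[]` before ending the output pages would document the contract this fix depends on.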
@@ -148,19 +147,16 @@ int z_erofs_vle_unzip_fast_percpu(struct
ret = z_erofs_unzip_lz4(vin, vout + pageofs,
clusterpages * PAGE_SIZE, outlen);
- if (ret >= 0) {
- outlen = ret;
- ret = 0;
- }
+ if (ret < 0)
+ goto out;
+ ret = 0;
for (i = 0; i < nr_pages; ++i) {
j = min((unsigned int)PAGE_SIZE - pageofs, outlen);
if (pages[i]) {
- if (ret < 0) {
- SetPageError(pages[i]);
- } else if (clusterpages == 1 &&
- pages[i] == compressed_pages[0]) {
+ if (clusterpages == 1 &&
+ pages[i] == compressed_pages[0]) {
memcpy(vin + pageofs, vout + pageofs, j);
} else {
void *dst = kmap_atomic(pages[i]);
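Review bot: besides dropping `SetPageError`, the rewrite also drops `outlen = ret`, so the copy loop now uses the requested `outlen` rather than the length `z_erofs_unzip_lz4()` actually produced; if that return value can be shorter than `outlen`, the `j = min(...)` bound copies bytes past the decompressed data, and the old assignment should be kept as `outlen = ret; ret = 0;` after the `ret < 0` check. If the return value is always exactly `outlen` on success, say so in the commit message, since the description does not mention this behaviour change.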
@@ -168,12 +164,13 @@ int z_erofs_vle_unzip_fast_percpu(struct
memcpy(dst + pageofs, vout + pageofs, j);
kunmap_atomic(dst);
}
- endio(pages[i]);
}
vout += PAGE_SIZE;
outlen -= j;
pageofs = 0;
}
+
+out:
preempt_enable();
if (clusterpages == 1)
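Review bot: the new `out:` label sits directly before `preempt_enable()`, so the error jump added in the previous hunk keeps the preempt count balanced and skips only the copy loop; with `endio(pages[i])` gone, a comment at the label noting that output pages are deliberately left un-ended for the caller, on both the success and the error path, would make the new contract visible at the point where it is easiest to break.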
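The ordering problem the commit message describes, as an added stand-alone model (not kernel code and not part of this patch): an ended page counts as freed, and pages[] and compressed_pages[] alias as in the one-page in-place case shown in the lz4 hunk. `unzip_tail`, `recycle_compressed_pages` and the `managed` placeholder for MNGD_MAPPING(sbi) are constructed names, not erofs symbols.

```c
#include <stdbool.h>
#include <stddef.h>
/* Model page: refcount, address_space, and a flag standing in for "returned
 * to the allocator"; reading ->mapping after that is the use-after-free. */
struct page { int refcount; void *mapping; bool freed; };
/* Stand-in for z_erofs_onlinepage_endio(): the last put frees the page. */
static void onlinepage_endio(struct page *p)
{
	if (--p->refcount == 0)
		p->freed = true;
}
/* Stand-in for the compressed_pages loop, steps (2) and (3) of the commit
 * message; returns true if it inspected a page that was already freed. */
static bool recycle_compressed_pages(struct page **compressed, size_t n,
				     void *managed_mapping)
{
	bool touched_freed = false;
	for (size_t i = 0; i < n; i++) {
		struct page *p = compressed[i];
		if (p->freed)
			touched_freed = true;	/* (2)/(3) on a stale page */
		if (p->mapping == managed_mapping)
			continue;		/* (2): managed cache page, keep it */
		compressed[i] = NULL;		/* (3): staging page recycled */
	}
	return touched_freed;
}
/* Tail of z_erofs_vle_unzip() in either order; returns true on a UAF. */
static bool unzip_tail(struct page **pages, size_t nr_pages,
		       struct page **compressed, size_t clusterpages,
		       void *mngd, bool patched)
{
	bool uaf = false;
	if (patched)	/* post-patch: compressed pages before any endio */
		uaf = recycle_compressed_pages(compressed, clusterpages, mngd);
	for (size_t i = 0; i < nr_pages; i++)
		onlinepage_endio(pages[i]);			/* (1) */
	if (!patched)	/* pre-patch: compressed pages scanned after endio */
		uaf = recycle_compressed_pages(compressed, clusterpages, mngd);
	return uaf;
}
/* Constructed scenario: one-page cluster decompressed in place, so pages[0]
 * and compressed_pages[0] alias (the "pages[i] == compressed_pages[0]" case). */
static bool scenario_touches_freed_page(bool patched)
{
	struct page pg = { .refcount = 1, .mapping = NULL, .freed = false };
	struct page *pages[1] = { &pg }, *compressed[1] = { &pg };
	int managed;	/* placeholder for MNGD_MAPPING(sbi), never a real page */
	return unzip_tail(pages, 1, compressed, 1, &managed, patched);
}
```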