From: "Theodore Ts'o" <tytso@mit.edu>
To: Jan Kara <jack@suse.cz>
Cc: Pan Bian <bianpan2016@163.com>,
	Andreas Dilger <adilger.kernel@dilger.ca>,
	linux-ext4@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: ext4: avoid drop reference to iloc.bh twice
Date: Thu, 25 Apr 2019 11:48:49 -0400
Message-ID: <20190425154849.GA4739@mit.edu>
In-Reply-To: <20190418123519.GJ28541@quack2.suse.cz>

On Thu, Apr 18, 2019 at 02:35:19PM +0200, Jan Kara wrote:
> On Thu 18-04-19 16:31:18, Pan Bian wrote:
> > The reference to iloc.bh has been dropped in ext4_mark_iloc_dirty.
> > However, the reference is dropped again if error occurs during
> > ext4_handle_dirty_metadata, which may result in use-after-free bugs.
> > 
> > Fixes: fb265c9cb49e("ext4: add ext4_sb_bread() to disambiguate ENOMEM
> > cases")
> > 
> > Signed-off-by: Pan Bian <bianpan2016@163.com>
> 
> Thanks for the patch! Good spotting. You can add:
> 
> Reviewed-by: Jan Kara <jack@suse.cz>

Applied, thanks.

> I'm just wondering: Ted, shouldn't we make ext4_mark_iloc_dirty() clear the
> iloc.bh pointer on its own? I believe this is not the first time we had a
> bug like this and it would also catch possible use-after-free issues in
> case someone tried to use iloc.bh after the reference has been dropped.
> 
> Generally the scheme around ext4_get_inode_loc() and
> ext4_mark_iloc_dirty() seems to be somewhat error prone. E.g. a quick audit
> shows that there's bh leak in ext4_orphan_del() in one of the error paths.
> I'll send patches.

Good suggestion!

I agree, the interface is error-prone.  Clearing inode.bh afterwards
makes sense.

After we do this, we should also scan the call sites, since there are
some places where we have been calling get_bh(iloc.bh) before-hand, so
that the brelse(iloc.bh) in the cleanup path will work.  Other call
paths add iloc.bh = NULL afterwards so that the brelse() will work
correctly.  So we'll be able to clean up all of this afterwards.

		       	     	     - Ted
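The refcount mistake described in Pan Bian's commit message, and the two call-site conventions Ted lists (a get_bh() beforehand, or iloc.bh = NULL afterwards) next to the API change Jan suggests, as an added userspace model. This is example code written for this page, not ext4 code and not the patch under discussion: struct bh, struct iloc, model_sb_bread(), get_bh(), brelse() and mark_iloc_dirty() are small stand-ins for the kernel objects of the same names, the 'fail' argument injects the ext4_handle_dirty_metadata() error, and a drop on an already-released buffer head is counted in 'underflows' instead of touching freed memory.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model (not kernel code) of a buffer head and its refcount. */
struct bh {
	int refcount;
	bool freed;      /* set when the last reference is dropped */
	int underflows;  /* brelse() calls made after the bh was already "freed" */
};

struct iloc { struct bh *bh; };   /* stands in for struct ext4_iloc */

static struct bh *model_sb_bread(void)
{
	struct bh *bh = calloc(1, sizeof *bh);
	if (!bh)
		abort();
	bh->refcount = 1;   /* the reference handed to the caller */
	return bh;
}

static void get_bh(struct bh *bh) { bh->refcount++; }

/* brelse(NULL) is a no-op, like the kernel's; a drop on a bh whose count is
 * already zero is recorded instead of corrupting memory. */
static void brelse(struct bh *bh)
{
	if (!bh)
		return;
	if (bh->refcount == 0)
		bh->underflows++;           /* would be a use-after-free for real */
	else if (--bh->refcount == 0)
		bh->freed = true;
}

/* Models ext4_mark_iloc_dirty(): it always drops the caller's reference to
 * iloc->bh, even when dirtying the metadata fails ('fail' injects that error). */
static int mark_iloc_dirty(struct iloc *iloc, bool fail)
{
	int err = fail ? -EIO : 0;
	brelse(iloc->bh);
	return err;
}

/* Variant implementing the suggestion in the thread: also clear the pointer. */
static int mark_iloc_dirty_clearing(struct iloc *iloc, bool fail)
{
	int err = mark_iloc_dirty(iloc, fail);
	iloc->bh = NULL;
	return err;
}

/* 1. The pattern the patch fixes: the error path drops a reference that
 *    mark_iloc_dirty() has already dropped. */
int site_double_drop(struct iloc *iloc, bool fail)
{
	int err = mark_iloc_dirty(iloc, fail);
	if (err)
		brelse(iloc->bh);   /* iloc->bh dangles: second drop of one reference */
	return err;
}

/* 2. Take an extra reference first, so an unconditional cleanup balances. */
int site_get_bh_first(struct iloc *iloc, bool fail)
{
	get_bh(iloc->bh);                       /* extra reference for the cleanup */
	int err = mark_iloc_dirty(iloc, fail);
	brelse(iloc->bh);                       /* releases only that extra reference */
	return err;
}

/* 3. Set iloc.bh = NULL right after the call; the cleanup's brelse() is a no-op. */
int site_null_after(struct iloc *iloc, bool fail)
{
	int err = mark_iloc_dirty(iloc, fail);
	iloc->bh = NULL;
	if (err)
		brelse(iloc->bh);
	return err;
}

/* 4. Same call site as (1), but with the API that clears the pointer itself. */
int site_api_clears(struct iloc *iloc, bool fail)
{
	int err = mark_iloc_dirty_clearing(iloc, fail);
	if (err)
		brelse(iloc->bh);   /* NULL now, so harmless */
	return err;
}

struct outcome { int err; int refcount; int underflows; bool freed; };

/* Runs one call-site style under fault injection and reports the bh's state. */
struct outcome run_site(int (*site)(struct iloc *, bool), bool fail)
{
	struct iloc iloc = { .bh = model_sb_bread() };
	struct bh *bh = iloc.bh;   /* kept so the model can be inspected afterwards */
	struct outcome o = { .err = site(&iloc, fail) };
	o.refcount = bh->refcount;
	o.underflows = bh->underflows;
	o.freed = bh->freed;
	free(bh);
	return o;
}

int main(void)
{
	struct outcome bad = run_site(site_double_drop, true);
	struct outcome ok = run_site(site_api_clears, true);
	printf("buggy site: underflows=%d   clearing API: underflows=%d\n",
	       bad.underflows, ok.underflows);
	return 0;
}
```

Only the first call site ever reports an underflow, and only on the error path, which is why the defect is easy to miss in testing: the success path is balanced. The other three are balanced on both paths, and the last one needs no discipline at the call site at all, which is the point of clearing the pointer inside the API.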
