From mboxrd@z Thu Jan 1 00:00:00 1970 From: Darrick J. Wong Date: Tue, 30 Apr 2019 08:23:25 -0700 Subject: [Cluster-devel] [PATCH v7 3/5] iomap: Fix use-after-free error in page_done callback In-Reply-To: <20190429220934.10415-4-agruenba@redhat.com> References: <20190429220934.10415-1-agruenba@redhat.com> <20190429220934.10415-4-agruenba@redhat.com> Message-ID: <20190430152325.GD5200@magnolia> List-Id: To: cluster-devel.redhat.com MIME-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit On Tue, Apr 30, 2019 at 12:09:32AM +0200, Andreas Gruenbacher wrote: > In iomap_write_end, we're not holding a page reference anymore when > calling the page_done callback, but the callback needs that reference to > access the page. To fix that, move the put_page call in > __generic_write_end into the callers of __generic_write_end. Then, in > iomap_write_end, put the page after calling the page_done callback. > > Reported-by: Jan Kara > Fixes: 63899c6f8851 ("iomap: add a page_done callback") > Signed-off-by: Andreas Gruenbacher > Reviewed-by: Jan Kara > Reviewed-by: Christoph Hellwig Looks ok, Reviewed-by: Darrick J. Wong --D > --- > fs/buffer.c | 2 +- > fs/iomap.c | 1 + > 2 files changed, 2 insertions(+), 1 deletion(-) > > diff --git a/fs/buffer.c b/fs/buffer.c > index e0d4c6a5e2d2..0faa41fb4c88 100644 > --- a/fs/buffer.c > +++ b/fs/buffer.c > @@ -2104,7 +2104,6 @@ void __generic_write_end(struct inode *inode, loff_t pos, unsigned copied, > } > > unlock_page(page); > - put_page(page); > > if (old_size < pos) > pagecache_isize_extended(inode, old_size, pos); > @@ -2160,6 +2159,7 @@ int generic_write_end(struct file *file, struct address_space *mapping, > { > copied = block_write_end(file, mapping, pos, len, copied, page, fsdata); > __generic_write_end(mapping->host, pos, copied, page); > + put_page(page); > return copied; > } > EXPORT_SYMBOL(generic_write_end); > diff --git a/fs/iomap.c b/fs/iomap.c > index f8c9722d1a97..62e3461704ce 100644 
> --- a/fs/iomap.c > +++ b/fs/iomap.c > @@ -780,6 +780,7 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len, > __generic_write_end(inode, pos, ret, page); > if (iomap->page_done) > iomap->page_done(inode, pos, copied, page, iomap); > + put_page(page); > > if (ret < len) > iomap_write_failed(inode, pos, len); > -- > 2.20.1 >
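Review bot: in the first fs/buffer.c hunk, __generic_write_end() stops dropping the page reference, but nothing at the function records the new contract. A short comment above it, saying that it unlocks the page and leaves the reference for the caller to release, would make the ownership rule visible. The diffstat touches only generic_write_end() and iomap_write_end(), so it is also worth confirming that no other caller relies on the old behaviour, since such a caller would now leak a page reference on each call.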
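Review bot: in the fs/iomap.c hunk, iomap->page_done() now runs between __generic_write_end(), which has already called unlock_page(page), and the new put_page(page), so the callback sees a page that is referenced but no longer locked. The fix depends on that state, yet the visible change does not document it. A line where page_done is declared, stating that the page is unlocked, that iomap_write_end() holds the reference, and that the callback must not put the page itself, would keep a future callback from reintroducing the use-after-free or adding a double put.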