From: Dan Carpenter <dan.carpenter@oracle.com>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [gfs2:for-next.mmap-fault 6/9] fs/iomap/direct-io.c:134 iomap_dio_complete() error: dereferencing freed memory 'dio'
Date: Tue, 27 Jul 2021 12:51:48 +0300	[thread overview]
Message-ID: <202107270528.U5UdYp9I-lkp@intel.com> (raw)

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git for-next.mmap-fault
head:   1e32783802dce0f79d3b25e800ac86bd24512e10
commit: cbbd26b20cafc8f40d495be172ba807dc260845c [6/9] iomap: Add done_before argument to iomap_dio_rw
config: x86_64-randconfig-m001-20210726 (attached as .config)
compiler: gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0

If you fix the issue, kindly add the following tags as appropriate:
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>

smatch warnings:
fs/iomap/direct-io.c:134 iomap_dio_complete() error: dereferencing freed memory 'dio'

vim +/dio +134 fs/iomap/direct-io.c

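/*
 * iomap_dio_complete - finish a direct I/O request and release its descriptor
 * @dio: the direct I/O descriptor to complete; it is kfree()d before return,
 *       so no field of @dio may be read after that point.
 *
 * Runs the filesystem's ->end_io hook (if any), advances the file position on
 * success, re-tries the page cache invalidation for writes, ends the inode's
 * DIO accounting and, for DSYNC writes, pushes the data to stable storage.
 *
 * Return: a negative error code, otherwise the number of bytes transferred by
 * this request plus @dio->done_before (presumably the bytes the caller had
 * already completed before issuing this request; confirm against the commit
 * that introduced done_before).
 */
ssize_t iomap_dio_complete(struct iomap_dio *dio)
{
	const struct iomap_dio_ops *dops = dio->dops;
	struct kiocb *iocb = dio->iocb;
	struct inode *inode = file_inode(iocb->ki_filp);
	loff_t offset = iocb->ki_pos;
	ssize_t ret = dio->error;

	if (dops && dops->end_io)
		ret = dops->end_io(iocb, dio->size, ret, dio->flags);

	if (likely(!ret)) {
		ret = dio->size;
		/* check for short read */
		if (offset + ret > dio->i_size &&
		    !(dio->flags & IOMAP_DIO_WRITE))
			ret = dio->i_size - offset;
		iocb->ki_pos += ret;
	}

	/*
	 * Try again to invalidate clean pages which might have been cached by
	 * non-direct readahead, or faulted in by get_user_pages() if the source
	 * of the write was an mmap'ed region of the file we're writing.  Either
	 * one is a pretty crazy thing to do, so we don't support it 100%.  If
	 * this invalidation fails, tough, the write still worked...
	 *
	 * And this page cache invalidation has to be after ->end_io(), as some
	 * filesystems convert unwritten extents to real allocations in
	 * ->end_io() when necessary, otherwise a racing buffer read would cache
	 * zeros from unwritten extents.
	 */
	if (!dio->error && dio->size &&
	    (dio->flags & IOMAP_DIO_WRITE) && inode->i_mapping->nrpages) {
		int err;
		err = invalidate_inode_pages2_range(inode->i_mapping,
				offset >> PAGE_SHIFT,
				(offset + dio->size - 1) >> PAGE_SHIFT);
		if (err)
			dio_warn_stale_pagecache(iocb->ki_filp);
	}

	inode_dio_end(file_inode(iocb->ki_filp));
	/*
	 * If this is a DSYNC write, make sure we push it to stable storage now
	 * that we've written data.
	 */
	if (ret > 0 && (dio->flags & IOMAP_DIO_NEED_SYNC))
		ret = generic_write_sync(iocb, ret);

	/*
	 * Fold in the previously completed byte count while @dio is still
	 * alive.  It must be read before kfree(dio) below; reading
	 * dio->done_before after the free is a use-after-free (this is the
	 * "dereferencing freed memory 'dio'" smatch report).  Errors are
	 * returned unchanged, exactly as before.
	 */
	if (ret >= 0)
		ret += dio->done_before;

	kfree(dio);

	return ret;
}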

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all at lists.01.org


