From: "Darrick J. Wong" <darrick.wong@oracle.com>
To: Lukas Czerner <lczerner@redhat.com>
Cc: linux-ext4@vger.kernel.org, tytso@mit.edu, stable@vger.kernel.org
Subject: Re: [PATCH] ext4: Fix possible use after free of buffer head
Date: Thu, 29 Nov 2012 11:02:39 -0800 [thread overview]
Message-ID: <20121129190239.GA2888@blackbox.djwong.org> (raw)
In-Reply-To: <1354185828-28545-1-git-send-email-lczerner@redhat.com>
On Thu, Nov 29, 2012 at 11:43:48AM +0100, Lukas Czerner wrote:
> Commit fa77dcfafeaa6bc73293c646bfc3d5192dcf0be2 introduces block bitmap
> checksum calculation into ext4_new_inode() in the case that block group
> was uninitialized. However we brelse() the bitmap buffer before we
> attempt to checksum it so we have no guarantee that the buffer is still
> there.
>
> Fix this by releasing the buffer after the possible checksum
> computation.
Looks ok, so:
Acked-by: Darrick J. Wong <darrick.wong@oracle.com>
That IBM fellow is gone. ;)
--D
>
> Signed-off-by: Lukas Czerner <lczerner@redhat.com>
> Cc: Darrick J. Wong <djwong@us.ibm.com>
> Cc: stable@vger.kernel.org
> ---
> fs/ext4/ialloc.c | 2 +-
> 1 files changed, 1 insertions(+), 1 deletions(-)
>
> diff --git a/fs/ext4/ialloc.c b/fs/ext4/ialloc.c
> index 3a100e7..c7efa88 100644
> --- a/fs/ext4/ialloc.c
> +++ b/fs/ext4/ialloc.c
> @@ -762,7 +762,6 @@ got:
>
> BUFFER_TRACE(block_bitmap_bh, "dirty block bitmap");
> err = ext4_handle_dirty_metadata(handle, NULL, block_bitmap_bh);
> - brelse(block_bitmap_bh);
>
> /* recheck and clear flag under lock if we still need to */
> ext4_lock_group(sb, group);
> @@ -775,6 +774,7 @@ got:
> ext4_group_desc_csum_set(sb, group, gdp);
> }
> ext4_unlock_group(sb, group);
> + brelse(block_bitmap_bh);
>
> if (err)
> goto fail;
> --
> 1.7.7.6
>
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
next prev parent reply other threads:[~2012-11-29 19:02 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-11-29 10:43 [PATCH] ext4: Fix possible use after free of buffer head Lukas Czerner
2012-11-29 19:02 ` Darrick J. Wong [this message]
2012-11-30 2:21 ` Theodore Ts'o
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20121129190239.GA2888@blackbox.djwong.org \
--to=darrick.wong@oracle.com \
--cc=lczerner@redhat.com \
--cc=linux-ext4@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=tytso@mit.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).