Date: Fri, 18 Jan 2019 08:26:58 +1100
From: Dave Chinner
To: Christoph Hellwig
Cc: linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org, Chandan Rajendra, "Darrick J . Wong"
Subject: Re: [PATCH] iomap: fix a use after free in iomap_dio_rw
Message-ID: <20190117212658.GD6173@dastard>
References: <20190117075707.8640-1-hch@lst.de>
In-Reply-To: <20190117075707.8640-1-hch@lst.de>

On Thu, Jan 17, 2019 at 08:57:07AM +0100, Christoph Hellwig wrote:
> Introduce a local wait_for_completion variable to avoid an access to the
> potentially freed dio structure after dropping the last reference count.
>
> Also use the chance to document the completion behavior to make the
> refcounting clear to the reader of the code.
>
> Fixes: ff6a9292e6 ("iomap: implement direct I/O")
> Reported-by: Chandan Rajendra
> Reported-by: Darrick J. Wong
> Signed-off-by: Christoph Hellwig
> Tested-by: Chandan Rajendra
> Tested-by: Darrick J. Wong
> ---
> fs/iomap.c | 28 +++++++++++++++++++++-------
> 1 file changed, 21 insertions(+), 7 deletions(-)

Looks good, minor comment cleanup needed, though. Maybe Darrick can do it on commit?

Reviewed-by: Dave Chinner

> @@ -1925,8 +1925,24 @@ iomap_dio_rw(struct kiocb *iocb, struct iov_iter *iter,
> if (dio->flags & IOMAP_DIO_WRITE_FUA)
> dio->flags &= ~IOMAP_DIO_NEED_SYNC;
>
> + /*
> + * We are about to drop our additional submission reference, which
> + * might be the last reference to the dio. There are three three
> + * different ways we can progress here:
> + *
> + * (a) If this is the last reference we will always complete and free
> + * the dio ourselves. right here.

s/ right here.//

-Dave.
-- 
Dave Chinner
david@fromorbit.com
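Review bot: In the comment block added to the iomap_dio_rw() hunk, "There are three three different ways" repeats a word and should read "three different ways". Only case (a) of the three is visible in the quoted lines; with the stray " right here." dropped as requested in the reply, its last line would end at "the dio ourselves."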