From: Gao Xiang <hsiangkao@aol.com>
To: Dave Chinner <david@fromorbit.com>
Cc: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
hch@infradead.org, willy@infradead.org,
Mike Marshall <hubcap@omnibond.com>,
Martin Brandenburg <martin@omnibond.com>,
devel@lists.orangefs.org
Subject: Re: [RFC PATCH 8/9] orangefs: use set/clear_fs_page_private
Date: Mon, 27 Apr 2020 10:58:02 +0800
Message-ID: <20200427025752.GA3979@hsiangkao-HP-ZHAN-66-Pro-G1>
In-Reply-To: <20200426222455.GB2005@dread.disaster.area>

On Mon, Apr 27, 2020 at 08:24:55AM +1000, Dave Chinner wrote:
> On Sun, Apr 26, 2020 at 11:49:24PM +0200, Guoqing Jiang wrote:
> > Since the new pair function is introduced, we can call them to clean the
> > code in orangefs.
> >
> > Cc: Mike Marshall <hubcap@omnibond.com>
> > Cc: Martin Brandenburg <martin@omnibond.com>
> > Cc: devel@lists.orangefs.org
> > Signed-off-by: Guoqing Jiang <guoqing.jiang@cloud.ionos.com>
> > ---
> > fs/orangefs/inode.c | 24 ++++++------------------
> > 1 file changed, 6 insertions(+), 18 deletions(-)
> >
> > diff --git a/fs/orangefs/inode.c b/fs/orangefs/inode.c
> > index 12ae630fbed7..893099d36e20 100644
> > --- a/fs/orangefs/inode.c
> > +++ b/fs/orangefs/inode.c
> > @@ -64,9 +64,7 @@ static int orangefs_writepage_locked(struct page *page,
> > }
> > if (wr) {
> > kfree(wr);
> > - set_page_private(page, 0);
> > - ClearPagePrivate(page);
> > - put_page(page);
> > + clear_fs_page_private(page);
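Review bot: kfree(wr) still runs before clear_fs_page_private(page) in this if (wr) block, so page->private keeps pointing at freed memory until the helper clears it. Reorder so the page is detached from wr first and wr is freed afterwards. Since the removed lines also dropped a reference with put_page(page), the commit message should say that the new helper covers that reference drop, so the refcount change is reviewable from this patch alone.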
>
> This is a pre-existing potential use-after-free vector. The wr
> pointer held in the page->private needs to be cleared from the page
> before it is freed.

I'm not familiar with orangefs. In my opinion, generally all temporary
page->private access (r/w) should be properly protected by some locks,
most of the time I think it could be at least page lock since .migratepage,
.invalidatepage, .releasepage, .. (such paths) are already called with
page locked (honestly I'm interested in this topic, please correct me
if I'm wrong).

I agree that the suggested modification is more clear and easy to read.

Thanks,
Gao Xiang