stable.vger.kernel.org archive mirror
From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Sahitya Tummala <stummala@codeaurora.org>,
	Theodore Tso <tytso@mit.edu>, Andreas Dilger <adilger@dilger.ca>,
	stable@kernel.org
Subject: [PATCH 5.0 104/123] ext4: fix use-after-free in dx_release()
Date: Mon, 20 May 2019 14:14:44 +0200
Message-ID: <20190520115251.954691616@linuxfoundation.org>
In-Reply-To: <20190520115245.439864225@linuxfoundation.org>

From: Sahitya Tummala <stummala@codeaurora.org>

commit 08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 upstream.

The buffer_head (frames[0].bh) and its corresponding page can be
potentially freed once brelse() is done inside the for loop
but before the for loop exits in dx_release(). It can be freed
in another context, when the page cache is flushed via
drop_caches_sysctl_handler(). This results in the data abort below
when accessing info->indirect_levels in dx_release().

Unable to handle kernel paging request at virtual address ffffffc17ac3e01e
Call trace:
 dx_release+0x70/0x90
 ext4_htree_fill_tree+0x2d4/0x300
 ext4_readdir+0x244/0x6f8
 iterate_dir+0xbc/0x160
 SyS_getdents64+0x94/0x174

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Reviewed-by: Andreas Dilger <adilger@dilger.ca>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/namei.c |    5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

--- a/fs/ext4/namei.c
+++ b/fs/ext4/namei.c
@@ -871,12 +871,15 @@ static void dx_release(struct dx_frame *
 {
 	struct dx_root_info *info;
 	int i;
+	unsigned int indirect_levels;
 
 	if (frames[0].bh == NULL)
 		return;
 
 	info = &((struct dx_root *)frames[0].bh->b_data)->info;
-	for (i = 0; i <= info->indirect_levels; i++) {
+	/* save local copy, "info" may be freed after brelse() */
+	indirect_levels = info->indirect_levels;
+	for (i = 0; i <= indirect_levels; i++) {
 		if (frames[i].bh == NULL)
 			break;
 		brelse(frames[i].bh);
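Review bot: the loop bound no longer touches frames[0].bh->b_data after the first brelse(), but nothing in this hunk bounds the cached `indirect_levels` against the length of frames[]; the loop stops only on a NULL `frames[i].bh`, so it depends on the caller leaving a NULL slot after the last filled frame, or on `indirect_levels` having been checked when frames[] was filled. Stating that invariant in the comment next to `indirect_levels = info->indirect_levels;` would save the next reader the same question. Minor: with the field now read exactly once, `info` could be dropped and the value read straight into `indirect_levels` at its declaration, which also removes the dangling pointer the new comment warns about.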

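The failure the commit message describes, as an added example that is not part of the patch or of ext4: a mock buffer cache reclaims a page the moment its last reference is dropped (the worst-case timing of the drop_caches flush), and a KASAN-style counter records every read that goes through a reclaimed page. The pre-fix loop and the patched loop are both run over the same frames[] walk so the difference is measurable. All names here (mock_brelse, root_levels, NFRAMES, POISON, run, struct result) are this example's own, not kernel identifiers, and the reclaimed page is poisoned rather than freed so the buggy variant runs to completion under an ordinary allocator.

```c
/* Added example, not from the ext4 patch: models the dx_release() bug with a
 * mock buffer cache that reclaims a page on the last put and counts reads through it. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define NFRAMES 4        /* assumption: up to 3 levels plus a NULL sentinel */
#define POISON  0xA5     /* pattern written over a reclaimed page */

struct root_info { unsigned char indirect_levels; };          /* mock dx_root_info */
struct bh { int refcount, freed; unsigned char *b_data; size_t len; }; /* mock buffer_head */
struct frame { struct bh *bh; };
struct result { int released, uaf_reads; };
static int uaf_reads;    /* reads that went through a reclaimed page (freed == 1) */

static struct bh *bh_alloc(size_t len)
{
    struct bh *bh = calloc(1, sizeof *bh);
    bh->b_data = calloc(1, len);
    bh->len = len;
    bh->refcount = 1;
    return bh;
}

/* Mock brelse(): on the last put the page is reclaimed (poisoned, not freed). */
static void mock_brelse(struct bh *bh)
{
    if (--bh->refcount == 0) {
        memset(bh->b_data, POISON, bh->len);
        bh->freed = 1;
    }
}

/* Read indirect_levels through frames[0].bh, as info->indirect_levels does. */
static unsigned char root_levels(const struct frame *frames)
{
    uaf_reads += frames[0].bh->freed;            /* KASAN would report this read */
    return ((const struct root_info *)frames[0].bh->b_data)->indirect_levels;
}

/* Pre-fix loop: the bound is re-read through frames[0].bh after its release. */
static int dx_release_buggy(struct frame *frames)
{
    int i, released = 0;
    if (frames[0].bh == NULL)
        return 0;
    for (i = 0; i <= root_levels(frames); i++) {
        if (frames[i].bh == NULL)
            break;
        mock_brelse(frames[i].bh);
        released++;
    }
    return released;
}

/* Fixed loop: copy the bound out before the first release, as the patch does. */
static int dx_release_fixed(struct frame *frames)
{
    int i, released = 0;
    unsigned int indirect_levels;
    if (frames[0].bh == NULL)
        return 0;
    indirect_levels = root_levels(frames);       /* "info" may be freed after brelse() */
    for (i = 0; i <= indirect_levels; i++) {
        if (frames[i].bh == NULL)
            break;
        mock_brelse(frames[i].bh);
        released++;
    }
    return released;
}

/* Fill frames[0..levels] the way a probe would; later slots stay NULL. */
static void setup_frames(struct frame *frames, unsigned char levels)
{
    unsigned i;
    levels = levels > NFRAMES - 2 ? NFRAMES - 2 : levels;   /* keep the NULL sentinel */
    memset(frames, 0, NFRAMES * sizeof *frames);
    for (i = 0; i <= levels; i++)
        frames[i].bh = bh_alloc(64);
    ((struct root_info *)frames[0].bh->b_data)->indirect_levels = levels;
}

/* Run one variant over a fresh (levels + 1)-frame walk, then tear the mocks down. */
static struct result run(int (*release)(struct frame *), unsigned char levels)
{
    struct frame frames[NFRAMES];
    struct result r;
    int i;
    setup_frames(frames, levels);
    uaf_reads = 0;
    r.released = release(frames);
    r.uaf_reads = uaf_reads;
    for (i = 0; i < NFRAMES && frames[i].bh; i++) {
        free(frames[i].bh->b_data);
        free(frames[i].bh);
    }
    return r;
}

int main(void)
{
    struct result b = run(dx_release_buggy, 1), f = run(dx_release_fixed, 1);
    printf("buggy: released %d frames, %d reads through a reclaimed page\n", b.released, b.uaf_reads);
    printf("fixed: released %d frames, %d reads through a reclaimed page\n", f.released, f.uaf_reads);
    return 0;
}
```

For a two-level walk the buggy loop reads the bound through the reclaimed root page on every iteration after the first; the fixed loop never does. The poisoned page also shows the second hazard: once the bound is garbage the loop only stops at a NULL frames[i].bh, so it is the sentinel slot, not the bound, that keeps the walk inside the array. On real hardware the first read after reclaim faults, which is the paging-request trace in the commit message.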