diff options
author | Liu Bo <bo.li.liu@oracle.com> | 2018-01-25 19:02:54 +0100 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2018-02-02 16:24:40 +0100 |
commit | 1a932ef4e47984dee227834667b5ff5a334e4805 (patch) | |
tree | 9037224c516c5eaaec99d84d7c14c25a8e56a574 /fs/pstore | |
parent | Btrfs: fix btrfs_evict_inode to handle abnormal inodes correctly (diff) | |
download | linux-1a932ef4e47984dee227834667b5ff5a334e4805.tar.xz linux-1a932ef4e47984dee227834667b5ff5a334e4805.zip |
Btrfs: fix use-after-free on root->orphan_block_rsv
I got these from running generic/475,
WARNING: CPU: 0 PID: 26384 at fs/btrfs/inode.c:3326 btrfs_orphan_commit_root+0x1ac/0x2b0 [btrfs]
BUG: unable to handle kernel NULL pointer dereference at 0000000000000010
IP: btrfs_block_rsv_release+0x1c/0x70 [btrfs]
Call Trace:
btrfs_orphan_release_metadata+0x9f/0x200 [btrfs]
btrfs_orphan_del+0x10d/0x170 [btrfs]
btrfs_setattr+0x500/0x640 [btrfs]
notify_change+0x7ae/0x870
do_truncate+0xca/0x130
vfs_truncate+0x2ee/0x3d0
do_sys_truncate+0xaf/0xf0
SyS_truncate+0xe/0x10
entry_SYSCALL_64_fastpath+0x1f/0x96
The race is between btrfs_orphan_commit_root and btrfs_orphan_del,
t1 t2
btrfs_orphan_commit_root btrfs_orphan_del
spin_lock
check (&root->orphan_inodes)
root->orphan_block_rsv = NULL;
spin_unlock
atomic_dec(&root->orphan_inodes);
access root->orphan_block_rsv
Accessing root->orphan_block_rsv must be done before decreasing
root->orphan_inodes.
cc: <stable@vger.kernel.org> v3.12+
Fixes: 703c88e03524 ("Btrfs: fix tracking of orphan inode count")
Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
Reviewed-by: Josef Bacik <jbacik@fb.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Diffstat (limited to 'fs/pstore')
0 files changed, 0 insertions, 0 deletions