diff options
author | Naohiro Aota <naota@elisp.net> | 2018-07-13 23:07:20 +0900 |
---|---|---|
committer | David Sterba <dsterba@suse.com> | 2018-07-13 17:31:35 +0200 |
commit | 97b191702b05a7cb9fa6d846adba68419cbbc7a6 (patch) | |
tree | 00bfe21efca70c8504eac5e36715e940efbff446 | |
parent | 20c5bbc640cdf8e23947990ab98f5ba950a3e1b0 (diff) | |
download | op-kernel-dev-97b191702b05a7cb9fa6d846adba68419cbbc7a6.zip op-kernel-dev-97b191702b05a7cb9fa6d846adba68419cbbc7a6.tar.gz |
btrfs: fix use-after-free of cmp workspace pages
btrfs_cmp_data_free() puts cmp's src_pages and dst_pages, but leaves
their page address intact. Now, if you hit "goto again" in
btrfs_extent_same_range() and hit some error in
btrfs_cmp_data_prepare(), you'll try to unlock/put already put pages.
This is simple fix to reset the address to avoid use-after-free.
Fixes: 67b07bd4bec5 ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl")
Signed-off-by: Naohiro Aota <naota@elisp.net>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
-rw-r--r-- | fs/btrfs/ioctl.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index a4d2856..aa914aa 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp) if (pg) { unlock_page(pg); put_page(pg); + cmp->src_pages[i] = NULL; } pg = cmp->dst_pages[i]; if (pg) { unlock_page(pg); put_page(pg); + cmp->dst_pages[i] = NULL; } } } |