author: Naohiro Aota <naota@elisp.net> 2018-07-13 16:07:20 +0200
committer: David Sterba <dsterba@suse.com> 2018-07-13 17:31:35 +0200
commit: 97b191702b05a7cb9fa6d846adba68419cbbc7a6 (patch)
tree: 00bfe21efca70c8504eac5e36715e940efbff446
parent: btrfs: restore uuid_mutex in btrfs_open_devices (diff)
btrfs: fix use-after-free of cmp workspace pages
btrfs_cmp_data_free() puts cmp's src_pages and dst_pages, but leaves their page address intact. Now, if you hit "goto again" in btrfs_extent_same_range() and hit some error in btrfs_cmp_data_prepare(), you'll try to unlock/put already put pages. This is a simple fix to reset the address to avoid use-after-free.

Fixes: 67b07bd4bec5 ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl")
Signed-off-by: Naohiro Aota <naota@elisp.net>
Reviewed-by: David Sterba <dsterba@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
fs/btrfs/ioctl.c | 2 ++
1 file changed, 2 insertions, 0 deletions
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
index a4d2856a4df1..aa914aaa00f8 100644
--- a/fs/btrfs/ioctl.c
+++ b/fs/btrfs/ioctl.c
@@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp)
if (pg) {
unlock_page(pg);
put_page(pg);
+ cmp->src_pages[i] = NULL;
}
pg = cmp->dst_pages[i];
if (pg) {
unlock_page(pg);
put_page(pg);
+ cmp->dst_pages[i] = NULL;
}
}
}
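Review bot: the two `= NULL` resets after `put_page(pg)` are what make btrfs_cmp_data_free() safe to call a second time on the same `cmp` (the `if (pg)` guards on the next pass then skip the already-released slots), but nothing in the hunk records that this double-call is expected; a one-line comment above the loop stating that the function may run more than once for the same workspace, e.g. after a failed btrfs_cmp_data_prepare() on the retry path, would keep a future cleanup from dropping the resets as redundant. Also worth confirming in review that every other caller which reuses `cmp` after this function goes through the same `if (pg)` check rather than indexing the arrays unconditionally.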