ext4: fix use-after-free in dx_release() - linux

diff options

author	Sahitya Tummala <stummala@codeaurora.org>	2019-05-11 04:00:33 +0200
committer	Theodore Ts'o <tytso@mit.edu>	2019-05-11 04:00:33 +0200
commit	08fc98a4d6424af66eb3ac4e2cedd2fc927ed436 (patch)
tree	0868ad014fc042281419f981e93c5e40050d1cf7 /security
parent	ext4: fix data corruption caused by overlapping unaligned and aligned IO (diff)
download	linux-08fc98a4d6424af66eb3ac4e2cedd2fc927ed436.tar.xz linux-08fc98a4d6424af66eb3ac4e2cedd2fc927ed436.zip

ext4: fix use-after-free in dx_release()

The buffer_head (frames[0].bh) and it's corresping page can be potentially free'd once brelse() is done inside the for loop but before the for loop exits in dx_release(). It can be free'd in another context, when the page cache is flushed via drop_caches_sysctl_handler(). This results into below data abort when accessing info->indirect_levels in dx_release(). Unable to handle kernel paging request at virtual address ffffffc17ac3e01e Call trace: dx_release+0x70/0x90 ext4_htree_fill_tree+0x2d4/0x300 ext4_readdir+0x244/0x6f8 iterate_dir+0xbc/0x160 SyS_getdents64+0x94/0x174 Signed-off-by: Sahitya Tummala <stummala@codeaurora.org> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Andreas Dilger <adilger@dilger.ca> Cc: stable@kernel.org

Diffstat (limited to 'security')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: