btrfs: fix use-after-free of cmp workspace pages

naota · kdave · commit 97b191702b05 · 2018-07-13T17:31:35.000+02:00
btrfs_cmp_data_free() puts cmp's src_pages and dst_pages, but leaves their page address intact. Now, if you hit "goto again" in btrfs_extent_same_range() and hit some error in btrfs_cmp_data_prepare(), you'll try to unlock/put already put pages. This is simple fix to reset the address to avoid use-after-free. Fixes: 67b07bd ("Btrfs: reuse cmp workspace in EXTENT_SAME ioctl") Signed-off-by: Naohiro Aota <naota@elisp.net> Reviewed-by: David Sterba <dsterba@suse.com> Signed-off-by: David Sterba <dsterba@suse.com>
diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c
@@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp)
 		if (pg) {
 			unlock_page(pg);
 			put_page(pg);
+			cmp->src_pages[i] = NULL;
 		}
 		pg = cmp->dst_pages[i];
 		if (pg) {
 			unlock_page(pg);
 			put_page(pg);
+			cmp->dst_pages[i] = NULL;
 		}
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -3327,11 +3327,13 @@ static void btrfs_cmp_data_free(struct cmp_pages *cmp)`
`3327`	`3327`	`if (pg) {`
`3328`	`3328`	`unlock_page(pg);`
`3329`	`3329`	`put_page(pg);`
	`3330`	`+ cmp->src_pages[i] = NULL;`
`3330`	`3331`	`}`
`3331`	`3332`	`pg = cmp->dst_pages[i];`
`3332`	`3333`	`if (pg) {`
`3333`	`3334`	`unlock_page(pg);`
`3334`	`3335`	`put_page(pg);`
	`3336`	`+ cmp->dst_pages[i] = NULL;`
`3335`	`3337`	`}`
`3336`	`3338`	`}`
`3337`	`3339`	`}`