
Commit 9977586d authored by Sahitya Tummala's avatar Sahitya Tummala

f2fs: fix use-after-free when accessing bio->bi_crypt_context



There could be a race between the two paths below, leading to a
use-after-free when accessing bio->bi_crypt_context.

f2fs_write_cache_pages
->f2fs_do_write_data_page on page#1
  ->f2fs_inplace_write_data
    ->f2fs_merge_page_bio
      ->add_bio_entry
->f2fs_do_write_data_page on page#2
  ->f2fs_inplace_write_data
    ->f2fs_merge_page_bio
      ->f2fs_crypt_mergeable_bio
        ->fscrypt_mergeable_bio
                                       f2fs_write_begin on page#1
                                       ->f2fs_wait_on_page_writeback
                                         ->f2fs_submit_merged_ipu_write
                                           ->__submit_bio
                                        The bio gets completed, calling
                                        bio_endio
                                        ->bio_uninit
                                          ->bio_crypt_free_ctx
          ->use-after-free issue

Fix this by moving f2fs_crypt_mergeable_bio() check within
add_ipu_page() so that it's done under bio_list_lock to prevent
the above race.

Change-Id: I0ea667d6c749f2db9aefd85924eb347504495ef0
Signed-off-by: default avatarSahitya Tummala <stummala@codeaurora.org>
parent 4d86e041
+14 −9
@@ -782,9 +782,10 @@ static void del_bio_entry(struct bio_entry *be)
	kmem_cache_free(bio_entry_slab, be);
}

static int add_ipu_page(struct f2fs_sb_info *sbi, struct bio **bio,
static int add_ipu_page(struct f2fs_io_info *fio, struct bio **bio,
							struct page *page)
{
	struct f2fs_sb_info *sbi = fio->sbi;
	enum temp_type temp;
	bool found = false;
	int ret = -EAGAIN;
@@ -801,13 +802,19 @@ static int add_ipu_page(struct f2fs_sb_info *sbi, struct bio **bio,

			found = true;

			if (bio_add_page(*bio, page, PAGE_SIZE, 0) ==
			f2fs_bug_on(sbi, !page_is_mergeable(sbi, *bio,
							    *fio->last_block,
							    fio->new_blkaddr));
			if (f2fs_crypt_mergeable_bio(*bio,
					fio->page->mapping->host,
					fio->page->index, fio) &&
			    bio_add_page(*bio, page, PAGE_SIZE, 0) ==
					PAGE_SIZE) {
				ret = 0;
				break;
			}

			/* bio is full */
			/* page can't be merged into bio; submit the bio */
			del_bio_entry(be);
			__submit_bio(sbi, *bio, DATA);
			break;
@@ -892,10 +899,8 @@ int f2fs_merge_page_bio(struct f2fs_io_info *fio)
	trace_f2fs_submit_page_bio(page, fio);
	f2fs_trace_ios(fio, 0);

	if (bio && (!page_is_mergeable(fio->sbi, bio, *fio->last_block,
						fio->new_blkaddr) ||
		    !f2fs_crypt_mergeable_bio(bio, fio->page->mapping->host,
					      fio->page->index, fio)))
	if (bio && !page_is_mergeable(fio->sbi, bio, *fio->last_block,
				       fio->new_blkaddr))
		f2fs_submit_merged_ipu_write(fio->sbi, &bio, NULL);

alloc_new:
@@ -908,7 +913,7 @@ int f2fs_merge_page_bio(struct f2fs_io_info *fio)

		add_bio_entry(fio->sbi, bio, page, fio->temp);
	} else {
		if (add_ipu_page(fio->sbi, &bio, page))
		if (add_ipu_page(fio, &bio, page))
			goto alloc_new;
	}