
Commit 09617a6d authored by Jaegeuk Kim's avatar Jaegeuk Kim

f2fs: don't access node/meta inode mapping after iput



This fixes an invalid access to the address spaces of the node and meta inodes after iput().

Fixes: 60aa4d5536ab ("f2fs: fix use-after-free issue when accessing sbi->stat_info")
Reviewed-by: default avatarChao Yu <yuchao0@huawei.com>
Signed-off-by: default avatarJaegeuk Kim <jaegeuk@kernel.org>
parent 5e4654d7
+12 −7
@@ -96,7 +96,9 @@ static void update_general_status(struct f2fs_sb_info *sbi)
	si->free_secs = free_sections(sbi);
	si->prefree_count = prefree_segments(sbi);
	si->dirty_count = dirty_segments(sbi);
	if (sbi->node_inode)
		si->node_pages = NODE_MAPPING(sbi)->nrpages;
	if (sbi->meta_inode)
		si->meta_pages = META_MAPPING(sbi)->nrpages;
	si->nats = NM_I(sbi)->nat_cnt;
	si->dirty_nats = NM_I(sbi)->dirty_nat_cnt;
@@ -175,7 +177,6 @@ static void update_sit_info(struct f2fs_sb_info *sbi)
static void update_mem_info(struct f2fs_sb_info *sbi)
{
	struct f2fs_stat_info *si = F2FS_STAT(sbi);
	unsigned npages;
	int i;

	if (si->base_mem)
@@ -258,11 +259,15 @@ static void update_mem_info(struct f2fs_sb_info *sbi)
						sizeof(struct extent_node);

	si->page_mem = 0;
	npages = NODE_MAPPING(sbi)->nrpages;
	if (sbi->node_inode) {
		unsigned npages = NODE_MAPPING(sbi)->nrpages;
		si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
	npages = META_MAPPING(sbi)->nrpages;
	}
	if (sbi->meta_inode) {
		unsigned npages = META_MAPPING(sbi)->nrpages;
		si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
	}
}

static int stat_show(struct seq_file *s, void *v)
{
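Review bot: The new `if (sbi->node_inode)` and `if (sbi->meta_inode)` guards in update_general_status and update_mem_info test the pointer and then load it a second time through NODE_MAPPING()/META_MAPPING(), and nothing in these hunks shows what keeps the teardown path from running between the two loads. If the stat reader can run concurrently with unmount (not visible here), the check narrows the use-after-free window without closing it. Either add a comment naming the lock that serializes these readers against the `iput()` callers, or take one snapshot, e.g. `struct inode *node = READ_ONCE(sbi->node_inode);` and then `if (node) si->node_pages = node->i_mapping->nrpages;`. Separately, when the pointer is NULL in update_general_status, `si->node_pages` and `si->meta_pages` keep whatever an earlier call stored, so `else si->node_pages = 0;` (and the same for meta) would avoid reporting stale counts. Both functions begin or end outside the hunks shown.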
+5 −0
@@ -1075,7 +1075,10 @@ static void f2fs_put_super(struct super_block *sb)
	f2fs_bug_on(sbi, sbi->fsync_node_num);

	iput(sbi->node_inode);
	sbi->node_inode = NULL;

	iput(sbi->meta_inode);
	sbi->meta_inode = NULL;

	/*
	 * iput() can update stat information, if f2fs_write_checkpoint()
@@ -3409,6 +3412,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
	f2fs_release_ino_entry(sbi, true);
	truncate_inode_pages_final(NODE_MAPPING(sbi));
	iput(sbi->node_inode);
	sbi->node_inode = NULL;
free_stats:
	f2fs_destroy_stats(sbi);
free_nm:
@@ -3421,6 +3425,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
free_meta_inode:
	make_bad_inode(sbi->meta_inode);
	iput(sbi->meta_inode);
	sbi->meta_inode = NULL;
free_io_dummy:
	mempool_destroy(sbi->write_io_dummy);
free_percpu:
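Review bot: In f2fs_put_super the fields are cleared only after `iput()` has returned, so for the whole of the final iput `sbi->node_inode` and `sbi->meta_inode` still point at an inode that is being torn down, and the existing comment just below says iput() can still update stat information at that point. The same store-after-iput order is used at the two f2fs_fill_super error labels. If the store has to follow `iput()` because eviction still goes through the mapping macros (not visible in these hunks), say so where it happens, for example `/* stat code tests node_inode before using NODE_MAPPING(); keep this store right after iput() */`, since otherwise the assignments read like dead stores a later cleanup could remove. If a lockless reader is possible, `WRITE_ONCE(sbi->node_inode, NULL);` would also document that intent on the writer side.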