Unverified Commit 2ff12244 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee
Browse files

!12805 ext4: fix slab-use-after-free in ext4_split_extent_at() 

Merge Pull Request from: @ci-robot 
 
PR sync from: Baokun Li <libaokun1@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/GEIPZ3CUHSBNBHOGFMRAGXBKICPNDJME/ 
 
https://gitee.com/src-openeuler/kernel/issues/IAYR9L 
 
Link:https://gitee.com/openeuler/kernel/pulls/12805

 

Reviewed-by: default avatarZhang Peng <zhangpeng362@huawei.com>
Signed-off-by: default avatarZhang Peng <zhangpeng362@huawei.com>
parents bc1376a3 bfe59138

fs/ext4/extents.c

+20 −1
Original line number Diff line number Diff line
@@ -3241,6 +3241,25 @@ static int ext4_split_extent_at(handle_t *handle, 
	if (err != -ENOSPC && err != -EDQUOT && err != -ENOMEM)

		goto out;



	/*

	 * Update path is required because previous ext4_ext_insert_extent()

	 * may have freed or reallocated the path. Using EXT4_EX_NOFAIL

	 * guarantees that ext4_find_extent() will not return -ENOMEM,

	 * otherwise -ENOMEM will cause a retry in do_writepages(), and a

	 * WARN_ON may be triggered in ext4_da_update_reserve_space() due to

	 * an incorrect ee_len causing the i_reserved_data_blocks exception.

	 */

	path = ext4_find_extent(inode, ee_block, ppath,

				flags | EXT4_EX_NOFAIL);

	if (IS_ERR(path)) {

		EXT4_ERROR_INODE(inode, "Failed split extent on %u, err %ld",

				 split, PTR_ERR(path));

		return PTR_ERR(path);

	}

	depth = ext_depth(inode);

	ex = path[depth].p_ext;

	*ppath = path;



	if (EXT4_EXT_MAY_ZEROOUT & split_flag) {

		if (split_flag & (EXT4_EXT_DATA_VALID1|EXT4_EXT_DATA_VALID2)) {

			if (split_flag & EXT4_EXT_DATA_VALID1) {
@@ -3293,7 +3312,7 @@ static int ext4_split_extent_at(handle_t *handle, 
	ext4_ext_dirty(handle, inode, path + path->p_depth);

	return err;

out:

	ext4_ext_show_leaf(inode, path);

	ext4_ext_show_leaf(inode, *ppath);

	return err;

}