[Cluster-devel] [gfs2:for-next.mmap-fault 6/9] fs/iomap/direct-io.c:134 iomap_dio_complete() error: dereferencing freed memory 'dio'

Dan Carpenter dan.carpenter at oracle.com
Tue Jul 27 09:51:48 UTC 2021


tree:   https://git.kernel.org/pub/scm/linux/kernel/git/gfs2/linux-gfs2.git for-next.mmap-fault
head:   1e32783802dce0f79d3b25e800ac86bd24512e10
commit: cbbd26b20cafc8f40d495be172ba807dc260845c [6/9] iomap: Add done_before argument to iomap_dio_rw
config: x86_64-randconfig-m001-20210726 (attached as .config)
compiler: gcc-10 (Ubuntu 10.3.0-1ubuntu1~20.04) 10.3.0

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp at intel.com>
Reported-by: Dan Carpenter <dan.carpenter at oracle.com>

smatch warnings:
fs/iomap/direct-io.c:134 iomap_dio_complete() error: dereferencing freed memory 'dio'

vim +/dio +134 fs/iomap/direct-io.c

c3d4ed1abecfcf Christoph Hellwig   2020-09-28   80  ssize_t iomap_dio_complete(struct iomap_dio *dio)
db074436f42196 Darrick J. Wong     2019-07-15   81  {
838c4f3d7515ef Christoph Hellwig   2019-09-19   82  	const struct iomap_dio_ops *dops = dio->dops;
db074436f42196 Darrick J. Wong     2019-07-15   83  	struct kiocb *iocb = dio->iocb;
db074436f42196 Darrick J. Wong     2019-07-15   84  	struct inode *inode = file_inode(iocb->ki_filp);
db074436f42196 Darrick J. Wong     2019-07-15   85  	loff_t offset = iocb->ki_pos;
838c4f3d7515ef Christoph Hellwig   2019-09-19   86  	ssize_t ret = dio->error;
db074436f42196 Darrick J. Wong     2019-07-15   87  
838c4f3d7515ef Christoph Hellwig   2019-09-19   88  	if (dops && dops->end_io)
838c4f3d7515ef Christoph Hellwig   2019-09-19   89  		ret = dops->end_io(iocb, dio->size, ret, dio->flags);
db074436f42196 Darrick J. Wong     2019-07-15   90  
db074436f42196 Darrick J. Wong     2019-07-15   91  	if (likely(!ret)) {
db074436f42196 Darrick J. Wong     2019-07-15   92  		ret = dio->size;
db074436f42196 Darrick J. Wong     2019-07-15   93  		/* check for short read */
db074436f42196 Darrick J. Wong     2019-07-15   94  		if (offset + ret > dio->i_size &&
db074436f42196 Darrick J. Wong     2019-07-15   95  		    !(dio->flags & IOMAP_DIO_WRITE))
db074436f42196 Darrick J. Wong     2019-07-15   96  			ret = dio->i_size - offset;
db074436f42196 Darrick J. Wong     2019-07-15   97  		iocb->ki_pos += ret;
db074436f42196 Darrick J. Wong     2019-07-15   98  	}
db074436f42196 Darrick J. Wong     2019-07-15   99  
db074436f42196 Darrick J. Wong     2019-07-15  100  	/*
db074436f42196 Darrick J. Wong     2019-07-15  101  	 * Try again to invalidate clean pages which might have been cached by
db074436f42196 Darrick J. Wong     2019-07-15  102  	 * non-direct readahead, or faulted in by get_user_pages() if the source
db074436f42196 Darrick J. Wong     2019-07-15  103  	 * of the write was an mmap'ed region of the file we're writing.  Either
db074436f42196 Darrick J. Wong     2019-07-15  104  	 * one is a pretty crazy thing to do, so we don't support it 100%.  If
db074436f42196 Darrick J. Wong     2019-07-15  105  	 * this invalidation fails, tough, the write still worked...
db074436f42196 Darrick J. Wong     2019-07-15  106  	 *
838c4f3d7515ef Christoph Hellwig   2019-09-19  107  	 * And this page cache invalidation has to be after ->end_io(), as some
838c4f3d7515ef Christoph Hellwig   2019-09-19  108  	 * filesystems convert unwritten extents to real allocations in
838c4f3d7515ef Christoph Hellwig   2019-09-19  109  	 * ->end_io() when necessary, otherwise a racing buffer read would cache
db074436f42196 Darrick J. Wong     2019-07-15  110  	 * zeros from unwritten extents.
db074436f42196 Darrick J. Wong     2019-07-15  111  	 */
c114bbc6c423a4 Andreas Gruenbacher 2020-09-10  112  	if (!dio->error && dio->size &&
db074436f42196 Darrick J. Wong     2019-07-15  113  	    (dio->flags & IOMAP_DIO_WRITE) && inode->i_mapping->nrpages) {
db074436f42196 Darrick J. Wong     2019-07-15  114  		int err;
db074436f42196 Darrick J. Wong     2019-07-15  115  		err = invalidate_inode_pages2_range(inode->i_mapping,
db074436f42196 Darrick J. Wong     2019-07-15  116  				offset >> PAGE_SHIFT,
db074436f42196 Darrick J. Wong     2019-07-15  117  				(offset + dio->size - 1) >> PAGE_SHIFT);
db074436f42196 Darrick J. Wong     2019-07-15  118  		if (err)
db074436f42196 Darrick J. Wong     2019-07-15  119  			dio_warn_stale_pagecache(iocb->ki_filp);
db074436f42196 Darrick J. Wong     2019-07-15  120  	}
db074436f42196 Darrick J. Wong     2019-07-15  121  
1a31182edd0083 Goldwyn Rodrigues   2020-09-28  122  	inode_dio_end(file_inode(iocb->ki_filp));
db074436f42196 Darrick J. Wong     2019-07-15  123  	/*
db074436f42196 Darrick J. Wong     2019-07-15  124  	 * If this is a DSYNC write, make sure we push it to stable storage now
db074436f42196 Darrick J. Wong     2019-07-15  125  	 * that we've written data.
db074436f42196 Darrick J. Wong     2019-07-15  126  	 */
db074436f42196 Darrick J. Wong     2019-07-15  127  	if (ret > 0 && (dio->flags & IOMAP_DIO_NEED_SYNC))
db074436f42196 Darrick J. Wong     2019-07-15  128  		ret = generic_write_sync(iocb, ret);
db074436f42196 Darrick J. Wong     2019-07-15  129  
db074436f42196 Darrick J. Wong     2019-07-15  130  	kfree(dio);
                                                        ^^^^^^^^^^
free

db074436f42196 Darrick J. Wong     2019-07-15  131  
cbbd26b20cafc8 Andreas Gruenbacher 2021-07-24  132  	if (ret < 0)
db074436f42196 Darrick J. Wong     2019-07-15  133  		return ret;
cbbd26b20cafc8 Andreas Gruenbacher 2021-07-24 @134  	return dio->done_before + ret;
                                                               ^^^^^^^^^^^^^^^^
use after free

db074436f42196 Darrick J. Wong     2019-07-15  135  }

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org




More information about the Cluster-devel mailing list