From patchwork Sun Jun 29 20:45:40 2014
X-Patchwork-Submitter: Filipe Manana
X-Patchwork-Id: 4445091
From: Filipe David Borba Manana
To: linux-btrfs@vger.kernel.org
Cc: Filipe David Borba Manana, Chris Mason
Subject: [PATCH v2] Btrfs: fix use-after-free when cloning a trailing file hole
Date: Sun, 29 Jun 2014 21:45:40 +0100
Message-Id: <1404074740-32112-1-git-send-email-fdmanana@gmail.com>
In-Reply-To: <1404071004-20724-1-git-send-email-fdmanana@gmail.com>
References: <1404071004-20724-1-git-send-email-fdmanana@gmail.com>

The transaction handle was being used after being freed.

Cc: Chris Mason
Signed-off-by: Filipe David Borba Manana
---
V2: Removed file extent item argument to clone_update_extent_map() for more clarity.

 fs/btrfs/ioctl.c | 20 +++++++++-----------
 1 file changed, 9 insertions(+), 11 deletions(-)

diff --git a/fs/btrfs/ioctl.c b/fs/btrfs/ioctl.c index 02dc64b..2a99f49 100644 --- a/fs/btrfs/ioctl.c +++ b/fs/btrfs/ioctl.c @@ -3142,7 +3142,6 @@ out: static void clone_update_extent_map(struct inode *inode, const struct btrfs_trans_handle *trans, const struct btrfs_path *path, - struct btrfs_file_extent_item *fi, const u64 hole_offset, const u64 hole_len) {
@@ -3157,7 +3156,11 @@ static void clone_update_extent_map(struct inode *inode, return; } - if (fi) { + if (path) { + struct btrfs_file_extent_item *fi; + + fi = btrfs_item_ptr(path->nodes[0], path->slots[0], + struct btrfs_file_extent_item); btrfs_extent_item_to_extent_map(inode, path, fi, false, em); em->generation = -1; if (btrfs_file_extent_type(path->nodes[0], fi) == @@ -3511,18 +3514,15 @@ process_slot: btrfs_item_ptr_offset(leaf, slot), size); inode_add_bytes(inode, datal); - extent = btrfs_item_ptr(leaf, slot, - struct btrfs_file_extent_item); } /* If we have an implicit hole (NO_HOLES feature). */ if (drop_start < new_key.offset) clone_update_extent_map(inode, trans, - path, NULL, drop_start, + NULL, drop_start, new_key.offset - drop_start); - clone_update_extent_map(inode, trans, path, - extent, 0, 0); + clone_update_extent_map(inode, trans, path, 0, 0); btrfs_mark_buffer_dirty(leaf); btrfs_release_path(path); @@ -3565,12 +3565,10 @@ process_slot: btrfs_end_transaction(trans, root); goto out; } + clone_update_extent_map(inode, trans, NULL, last_dest_end, + destoff + len - last_dest_end); ret = clone_finish_inode_update(trans, inode, destoff + len, destoff, olen); - if (ret) - goto out; - clone_update_extent_map(inode, trans, path, NULL, last_dest_end, - destoff + len - last_dest_end); } out:
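Review bot: with `fi` dropped from the parameter list in the `@@ -3142,7 +3142,6 @@` hunk, `path` now carries two meanings in clone_update_extent_map(): the leaf and slot to read the file extent item from, and, when NULL, "this range is a hole". Add a comment above the function stating that a non-NULL `path` must be positioned at the file extent item for the cloned range and that NULL means the caller is describing a hole of `hole_len` bytes at `hole_offset`, so the contract survives the next refactor.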
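Review bot: in the `@@ -3157,7 +3156,11 @@` hunk, `if (path)` replaces `if (fi)`, so any caller that used to pass a valid path together with a NULL `fi` for the hole case must now pass a NULL path; otherwise `btrfs_item_ptr(path->nodes[0], path->slots[0], struct btrfs_file_extent_item)` would interpret whatever item the path happens to be positioned at as a file extent item. The two hole callers in the later hunks do pass NULL, but this is an invariant worth asserting, or at least documenting, next to the new btrfs_item_ptr() call.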
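Review bot: the `@@ -3511,18 +3514,15 @@` hunk removes the assignment `extent = btrfs_item_ptr(leaf, slot, struct btrfs_file_extent_item);` but the declaration of `extent` lives outside this hunk; if nothing else in the function still uses it, drop the declaration as well, otherwise the build picks up an unused-variable warning. The hole call now passing `NULL` where `path` used to go matches the new contract, and `clone_update_extent_map(inode, trans, path, 0, 0)` keeps the real path for the full-extent case.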
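Review bot: in the `@@ -3565,12 +3565,10 @@` hunk, moving `clone_update_extent_map(inode, trans, NULL, last_dest_end, destoff + len - last_dest_end)` ahead of clone_finish_inode_update() is what removes the use-after-free named in the subject, since per the commit message `trans` is freed by the time the old call ran; nothing in the code marks that boundary, so add a one-line comment before clone_finish_inode_update() saying `trans` must not be used after it returns, or a later edit can reorder the calls back. One consequence to confirm: the in-memory extent map is now updated for the trailing hole before clone_finish_inode_update() runs, so if that call fails the map already reflects a hole that the inode update never committed; if that is acceptable, a short comment saying so would help. Dropping the `if (ret) goto out;` is harmless because the call is now the last statement before `out:` and `ret` flows there either way.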