From 7a77dad7e3be1280456508841ccdd2a091b1906a Mon Sep 17 00:00:00 2001 From: Andreas Gruenbacher Date: Tue, 30 Apr 2019 08:45:34 -0700 Subject: iomap: Fix use-after-free error in page_done callback In iomap_write_end, we're not holding a page reference anymore when calling the page_done callback, but the callback needs that reference to access the page. To fix that, move the put_page call in __generic_write_end into the callers of __generic_write_end. Then, in iomap_write_end, put the page after calling the page_done callback. Reported-by: Jan Kara Fixes: 63899c6f8851 ("iomap: add a page_done callback") Signed-off-by: Andreas Gruenbacher Reviewed-by: Jan Kara Reviewed-by: Christoph Hellwig Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong --- fs/iomap.c | 1 + 1 file changed, 1 insertion(+) (limited to 'fs/iomap.c') diff --git a/fs/iomap.c b/fs/iomap.c index 4380d2c412f4..e6453c1c831e 100644 --- a/fs/iomap.c +++ b/fs/iomap.c @@ -772,6 +772,7 @@ iomap_write_end(struct inode *inode, loff_t pos, unsigned len, __generic_write_end(inode, pos, ret, page); if (iomap->page_done) iomap->page_done(inode, pos, copied, page, iomap); + put_page(page); if (ret < len) iomap_write_failed(inode, pos, len); -- cgit v1.2.3