diff options
| author | Jérôme Glisse <jglisse@redhat.com> | 2019-04-10 15:37:47 -0400 |
|---|---|---|
| committer | Steve French <stfrench@microsoft.com> | 2019-04-24 13:33:59 -0400 |
| commit | 13f5938d8264b5501368523c4513ff26608a33e8 (patch) | |
| tree | c69e1c167cebb240986c2f079d3f989e7d23e033 /fs/cifs/misc.c | |
| parent | 652727bbe1b17993636346716ae5867627793647 (diff) | |
cifs: fix page reference leak with readv/writev
CIFS can leak pages reference gotten through GUP (get_user_pages*()
through iov_iter_get_pages()). This happen if cifs_send_async_read()
or cifs_write_from_iter() calls fail from within __cifs_readv() and
__cifs_writev() respectively. This patch move page unreference to
cifs_aio_ctx_release() which will happens on all code paths this is
all simpler to follow for correctness.
Signed-off-by: Jérôme Glisse <jglisse@redhat.com>
Cc: Steve French <sfrench@samba.org>
Cc: linux-cifs@vger.kernel.org
Cc: samba-technical@lists.samba.org
Cc: Alexander Viro <viro@zeniv.linux.org.uk>
Cc: linux-fsdevel@vger.kernel.org
Cc: Linus Torvalds <torvalds@linux-foundation.org>
Cc: Stable <stable@vger.kernel.org>
Signed-off-by: Steve French <stfrench@microsoft.com>
Reviewed-by: Pavel Shilovsky <pshilov@microsoft.com>
Diffstat (limited to 'fs/cifs/misc.c')
| -rw-r--r-- | fs/cifs/misc.c | 23 |
1 files changed, 22 insertions, 1 deletions
diff --git a/fs/cifs/misc.c b/fs/cifs/misc.c index 1e1626a2cfc3..0dc6f08020ac 100644 --- a/fs/cifs/misc.c +++ b/fs/cifs/misc.c | |||
| @@ -789,6 +789,11 @@ cifs_aio_ctx_alloc(void) | |||
| 789 | { | 789 | { |
| 790 | struct cifs_aio_ctx *ctx; | 790 | struct cifs_aio_ctx *ctx; |
| 791 | 791 | ||
| 792 | /* | ||
| 793 | * Must use kzalloc to initialize ctx->bv to NULL and ctx->direct_io | ||
| 794 | * to false so that we know when we have to unreference pages within | ||
| 795 | * cifs_aio_ctx_release() | ||
| 796 | */ | ||
| 792 | ctx = kzalloc(sizeof(struct cifs_aio_ctx), GFP_KERNEL); | 797 | ctx = kzalloc(sizeof(struct cifs_aio_ctx), GFP_KERNEL); |
| 793 | if (!ctx) | 798 | if (!ctx) |
| 794 | return NULL; | 799 | return NULL; |
| @@ -807,7 +812,23 @@ cifs_aio_ctx_release(struct kref *refcount) | |||
| 807 | struct cifs_aio_ctx, refcount); | 812 | struct cifs_aio_ctx, refcount); |
| 808 | 813 | ||
| 809 | cifsFileInfo_put(ctx->cfile); | 814 | cifsFileInfo_put(ctx->cfile); |
| 810 | kvfree(ctx->bv); | 815 | |
| 816 | /* | ||
| 817 | * ctx->bv is only set if setup_aio_ctx_iter() was call successfuly | ||
| 818 | * which means that iov_iter_get_pages() was a success and thus that | ||
| 819 | * we have taken reference on pages. | ||
| 820 | */ | ||
| 821 | if (ctx->bv) { | ||
| 822 | unsigned i; | ||
| 823 | |||
| 824 | for (i = 0; i < ctx->npages; i++) { | ||
| 825 | if (ctx->should_dirty) | ||
| 826 | set_page_dirty(ctx->bv[i].bv_page); | ||
| 827 | put_page(ctx->bv[i].bv_page); | ||
| 828 | } | ||
| 829 | kvfree(ctx->bv); | ||
| 830 | } | ||
| 831 | |||
| 811 | kfree(ctx); | 832 | kfree(ctx); |
| 812 | } | 833 | } |
| 813 | 834 | ||