linux/fs/nilfs2
Ryusuke Konishi 6be49d100c nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
The finalization of nilfs_segctor_thread() can race with
nilfs_segctor_kill_thread() which terminates that thread, potentially
causing a use-after-free BUG as KASAN detected.

At the end of nilfs_segctor_thread(), it assigns NULL to the "sc_task" member
of "struct nilfs_sc_info" to indicate the thread has finished, and then
notifies nilfs_segctor_kill_thread() of this using the waitqueue
"sc_wait_task" on the struct nilfs_sc_info.

However, here, immediately after the NULL assignment to "sc_task", it is
possible that nilfs_segctor_kill_thread() will detect it and return to
continue the deallocation, freeing the nilfs_sc_info structure before the
thread does the notification.

This fixes the issue by protecting the NULL assignment to "sc_task" and
its notification with the spinlock "sc_state_lock" of the struct
nilfs_sc_info.  Since nilfs_segctor_kill_thread() does a final check to
see if "sc_task" is NULL with "sc_state_lock" locked, this can eliminate
the race.

Link: https://lkml.kernel.org/r/20230327175318.8060-1-konishi.ryusuke@gmail.com
Reported-by: syzbot+b08ebcc22f8f3e6be43a@syzkaller.appspotmail.com
Link: https://lkml.kernel.org/r/00000000000000660d05f7dfa877@google.com
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
2023-04-05 18:06:23 -07:00
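The handshake the commit message describes, as an added userspace model (this is not the nilfs2 code, the patch, or the kernel's wait-queue implementation): a worker thread clears a "task alive" marker and then wakes a waiter; the killer waits for the marker to clear, makes a final check under a state lock, and frees the structure. With the marker cleared outside the lock the free can land before the wakeup, which is the use-after-free the message explains; with both steps under the lock the killer's final check blocks until the wakeup has returned. The field names sc_task, sc_wait_task and sc_state_lock are taken from the message; the pthread-based waitqueue, the injected preemption delays, the poison-instead-of-free step and run_scenario() are assumptions made for illustration only.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* for nanosleep() */
#endif
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

/* Userspace stand-in for a kernel wait queue (assumed model, not the kernel's).
 * "dead" is set by the simulated kfree() so that a wake_up() arriving after
 * the free is counted instead of corrupting memory. */
struct waitqueue {
    pthread_mutex_t lock;
    pthread_cond_t  cond;
    atomic_bool     dead;
    atomic_int      uaf_hits;
};

/* Like the kernel's wait_event(): check the condition, sleep until wake_up(), re-check. */
#define wait_event(wq, cond_expr)                                 \
    do {                                                          \
        pthread_mutex_lock(&(wq)->lock);                          \
        while (!(cond_expr))                                      \
            pthread_cond_wait(&(wq)->cond, &(wq)->lock);          \
        pthread_mutex_unlock(&(wq)->lock);                        \
    } while (0)

static void wake_up(struct waitqueue *wq)
{
    /* The kernel has no such check; this is the access KASAN reported. */
    if (atomic_load(&wq->dead)) { atomic_fetch_add(&wq->uaf_hits, 1); return; }
    pthread_mutex_lock(&wq->lock);
    pthread_cond_broadcast(&wq->cond);
    pthread_mutex_unlock(&wq->lock);
}

struct sc_info {
    pthread_mutex_t  sc_state_lock;
    atomic_bool      sc_task;        /* true while the thread runs, i.e. "sc_task != NULL" */
    struct waitqueue sc_wait_task;   /* the killer waits here for sc_task to clear */
    bool             fixed;          /* exit ordering: with (fixed) or without sc_state_lock */
    pthread_t        thread;
};

static void *segctor_thread(void *arg)
{
    struct sc_info *sci = arg;
    /* Racy: sc_task is cleared outside the lock, so the killer can see it, return
     * and free sci before wake_up() runs.  Fixed: both steps sit under
     * sc_state_lock, which the killer's final check must also take. */
    if (sci->fixed)
        pthread_mutex_lock(&sci->sc_state_lock);
    atomic_store(&sci->sc_task, false);
    nanosleep(&(struct timespec){ 0, 400000000L }, NULL);   /* simulated preemption in the window */
    wake_up(&sci->sc_wait_task);
    if (sci->fixed)
        pthread_mutex_unlock(&sci->sc_state_lock);
    return NULL;
}

static void segctor_kill_thread(struct sc_info *sci)
{
    pthread_mutex_lock(&sci->sc_state_lock);
    while (atomic_load(&sci->sc_task)) {          /* final check, made with the lock held */
        pthread_mutex_unlock(&sci->sc_state_lock);
        nanosleep(&(struct timespec){ 0, 100000000L }, NULL);   /* preempted; thread clears sc_task */
        wait_event(&sci->sc_wait_task, !atomic_load(&sci->sc_task));
        pthread_mutex_lock(&sci->sc_state_lock);
    }
    pthread_mutex_unlock(&sci->sc_state_lock);
}

/* One create/kill cycle.  Returns the number of wake_up() calls that hit the
 * freed sc_info: 0 with the fixed ordering, 1 with the racy one. */
int run_scenario(bool fixed)
{
    struct sc_info *sci = calloc(1, sizeof *sci);   /* zeroes dead and uaf_hits */
    if (!sci) return -1;
    pthread_mutex_init(&sci->sc_state_lock, NULL);
    pthread_mutex_init(&sci->sc_wait_task.lock, NULL);
    pthread_cond_init(&sci->sc_wait_task.cond, NULL);
    sci->fixed = fixed;
    atomic_store(&sci->sc_task, true);
    if (pthread_create(&sci->thread, NULL, segctor_thread, sci) != 0) return -1;
    segctor_kill_thread(sci);
    /* Simulated kfree(sci): poison instead of release, so a late wake_up() is counted. */
    atomic_store(&sci->sc_wait_task.dead, true);
    pthread_join(sci->thread, NULL);
    int hits = atomic_load(&sci->sc_wait_task.uaf_hits);
    free(sci);
    return hits;
}

int main(void)
{
    printf("fixed: %d, racy: %d late wake_up() on freed sc_info\n",
           run_scenario(true), run_scenario(false));
    return 0;
}
```

Build with `cc -pthread model.c`. run_scenario(false) reproduces the pre-fix ordering and reports one wake_up() on the poisoned structure; run_scenario(true) reproduces the fixed ordering, where the killer's final pthread_mutex_lock() blocks until the thread has finished its wakeup and released sc_state_lock, and reports none. The sleeps only widen the window so the outcome is repeatable; in the kernel the same interleaving needs an unlucky preemption, which is why it surfaced through a fuzzer and KASAN rather than in normal use.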
alloc.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
alloc.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
bmap.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
bmap.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
btnode.c nilfs2: replace obvious uses of b_page with b_folio 2023-01-18 17:12:41 -08:00
btnode.h fs/nilfs2: Use the enum req_op and blk_opf_t types 2022-07-14 12:14:33 -06:00
btree.c nilfs2: convert nilfs_btree_lookup_dirty_buffers() to use filemap_get_folios_tag() 2023-02-02 22:33:17 -08:00
btree.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
cpfile.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
cpfile.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
dat.c nilfs2: prevent WARNING in nilfs_dat_commit_end() 2023-02-02 22:50:10 -08:00
dat.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
dir.c nilfs2: Remove check for PageError 2022-06-29 08:51:07 -04:00
direct.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
direct.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
export.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
file.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
gcinode.c nilfs2: replace obvious uses of b_page with b_folio 2023-01-18 17:12:41 -08:00
ifile.c nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
ifile.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
inode.c fs: port inode_init_owner() to mnt_idmap 2023-01-19 09:24:28 +01:00
ioctl.c nilfs2: fix kernel-infoleak in nilfs_ioctl_wrap_copy() 2023-03-23 17:18:32 -07:00
Kconfig fs: build the legacy direct I/O code conditionally 2023-01-26 10:30:56 -07:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
mdt.c nilfs2: replace obvious uses of b_page with b_folio 2023-01-18 17:12:41 -08:00
mdt.h nilfs2: fix lockdep warnings during disk space reclamation 2022-04-01 11:46:09 -07:00
namei.c fs: port ->rename() to pass mnt_idmap 2023-01-19 09:24:26 +01:00
nilfs.h fs: port ->permission() to pass mnt_idmap 2023-01-19 09:24:28 +01:00
page.c nilfs2: convert nilfs_clear_dirty_pages() to use filemap_get_folios_tag() 2023-02-02 22:33:18 -08:00
page.h nilfs2: get rid of nilfs_mapping_init() 2022-04-01 11:46:09 -07:00
recovery.c fs: Remove aop flags parameter from block_write_begin() 2022-05-08 14:28:19 -04:00
segbuf.c Merge branch 'akpm' (patches from Andrew) 2022-03-22 16:11:53 -07:00
segbuf.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
segment.c nilfs2: fix potential UAF of struct nilfs_sc_info in nilfs_segctor_thread() 2023-04-05 18:06:23 -07:00
segment.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
sufile.c nilfs2: fix nilfs_sufile_mark_dirty() not set segment usage as dirty 2022-11-22 18:50:45 -08:00
sufile.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
super.c nilfs2: fix underflow in second superblock position calculations 2023-02-17 15:07:05 -08:00
sysfs.c nilfs2: use default_groups in kobj_type 2021-12-29 10:53:48 +01:00
sysfs.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00
the_nilfs.c nilfs2: fix underflow in second superblock position calculations 2023-02-17 15:07:05 -08:00
the_nilfs.h nilfs2: remove filenames from file comments 2021-11-09 10:02:52 -08:00