From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Juntong Deng <juntong.deng@outlook.com>,
	syzbot+29c47e9e51895928698c@syzkaller.appspotmail.com,
	Andreas Gruenbacher <agruenba@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	swhiteho@redhat.com, rpeterso@redhat.com,
	cluster-devel@redhat.com
Subject: [PATCH AUTOSEL 6.6 11/11] gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
Date: Sun, 12 Nov 2023 08:27:34 -0500
Message-ID: <20231112132736.175494-11-sashal@kernel.org>
In-Reply-To: <20231112132736.175494-1-sashal@kernel.org>

From: Juntong Deng <juntong.deng@outlook.com>

[ Upstream commit bdcb8aa434c6d36b5c215d02a9ef07551be25a37 ]

In gfs2_put_super(), whether withdrawn or not, the quota should
be cleaned up by gfs2_quota_cleanup().

Otherwise, struct gfs2_sbd will be freed before gfs2_qd_dealloc (rcu
callback) has run for all gfs2_quota_data objects, resulting in
use-after-free.

Also, gfs2_destroy_threads() and gfs2_quota_cleanup() are already called
by gfs2_make_fs_ro(), so in gfs2_put_super(), after calling
gfs2_make_fs_ro(), there is no need to call them again.

Reported-by: syzbot+29c47e9e51895928698c@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=29c47e9e51895928698c
Signed-off-by: Juntong Deng <juntong.deng@outlook.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/super.c | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 0dd5641990b90..5f4ebe279aaae 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -602,13 +602,15 @@ static void gfs2_put_super(struct super_block *sb)
 	}
 	spin_unlock(&sdp->sd_jindex_spin);
 
-	if (!sb_rdonly(sb)) {
+	if (!sb_rdonly(sb))
 		gfs2_make_fs_ro(sdp);
-	}
-	if (gfs2_withdrawn(sdp)) {
-		gfs2_destroy_threads(sdp);
+	else {
+		if (gfs2_withdrawn(sdp))
+			gfs2_destroy_threads(sdp);
+
 		gfs2_quota_cleanup(sdp);
 	}
+
 	WARN_ON(gfs2_withdrawing(sdp));
 
 	/*  At this point, we're through modifying the disk  */
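Review bot: the rewritten conditional mixes brace styles across its branches: `if (!sb_rdonly(sb))` is followed by an unbraced `gfs2_make_fs_ro(sdp);` while the `else {` branch is braced. Kernel coding style asks for braces on both branches when either branch needs them, so keep the `{` on the if branch (the removed `-` lines already had it). Separately, the hunk is only correct if gfs2_make_fs_ro() really performs gfs2_destroy_threads() and gfs2_quota_cleanup() itself, as the commit message states; that is not visible in this hunk, so a backport reviewer should confirm it holds in the 6.6 tree, in particular on the read-write-and-withdrawn path, where the old code called gfs2_destroy_threads() after gfs2_make_fs_ro() and the new code no longer does.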
-- 
2.42.0
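The lifetime problem the commit message describes, as an added userspace C model that is not gfs2 code and not part of this patch: `sbd` stands in for struct gfs2_sbd, `qd` for struct gfs2_quota_data, and a plain callback queue stands in for the RCU callback list that gfs2_qd_dealloc runs from. The names `quota_cleanup`, `make_fs_ro`, `put_super` and `simulate` are constructed stand-ins; the assumption that the read-write path's `make_fs_ro` performs the quota cleanup is taken from the commit message, and the precondition that one dealloc callback is already in flight when teardown starts is constructed for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Constructed model of the gfs2_put_super() teardown order (not gfs2 code). */

#define MAX_QD 4

struct sbd;

struct qd {
	struct sbd *sdp;	/* back-pointer the deferred callback reads */
	bool disposed;		/* dealloc already queued (e.g. by a shrinker) */
};

struct sbd {
	bool freed;		/* the model's marker for "the superblock was kfree'd" */
	int quota_count;	/* stands in for sd_quota_count */
	struct qd qds[MAX_QD];
};

/* Callbacks waiting for a grace period; run later by run_deferred(). */
static struct qd *pending[MAX_QD];
static int npending;
static int uaf_count;	/* callbacks that touched an already freed parent */

/* Stands in for call_rcu(&qd->qd_rcu, gfs2_qd_dealloc). */
static void qd_dispose(struct qd *qd)
{
	if (qd->disposed)
		return;
	qd->disposed = true;
	pending[npending++] = qd;
}

/* Stands in for gfs2_qd_dealloc(): dereferences qd->sdp after the grace period. */
static void qd_dealloc(struct qd *qd)
{
	if (qd->sdp->freed)
		uaf_count++;		/* in the kernel: slab-use-after-free */
	else
		qd->sdp->quota_count--;
}

static void run_deferred(void)
{
	for (int i = 0; i < npending; i++)
		qd_dealloc(pending[i]);
	npending = 0;
}

/* Stands in for gfs2_quota_cleanup(): dispose every qd, then wait for all
 * pending callbacks so none of them can outlive the superblock. */
static void quota_cleanup(struct sbd *sdp)
{
	for (int i = 0; i < MAX_QD; i++)
		qd_dispose(&sdp->qds[i]);
	run_deferred();
}

/* Per the commit message, gfs2_make_fs_ro() already does the quota cleanup. */
static void make_fs_ro(struct sbd *sdp)
{
	quota_cleanup(sdp);
}

/* Teardown order before (fixed == false) and after (fixed == true) the patch;
 * thread destruction is left out because it does not affect quota lifetime. */
static void put_super(struct sbd *sdp, bool rdonly, bool withdrawn, bool fixed)
{
	if (!rdonly)
		make_fs_ro(sdp);
	else if (fixed || withdrawn)
		quota_cleanup(sdp);	/* old code only reached this when withdrawn */
	sdp->freed = true;		/* the superblock is released here */
	run_deferred();			/* whatever is still queued now runs too late */
}

/* Returns how many deferred frees ran against an already freed superblock. */
int simulate(bool rdonly, bool withdrawn, bool fixed)
{
	struct sbd sdp;

	memset(&sdp, 0, sizeof(sdp));
	npending = 0;
	uaf_count = 0;
	sdp.quota_count = MAX_QD;
	for (int i = 0; i < MAX_QD; i++)
		sdp.qds[i].sdp = &sdp;
	/* Constructed precondition: one qd was disposed earlier (shrinker), so
	 * its dealloc callback is in flight when put_super() starts. */
	qd_dispose(&sdp.qds[0]);
	put_super(&sdp, rdonly, withdrawn, fixed);
	return uaf_count;
}

int main(void)
{
	printf("read-only, not withdrawn, old code: %d late callback(s)\n",
	       simulate(true, false, false));
	printf("read-only, not withdrawn, fixed:    %d late callback(s)\n",
	       simulate(true, false, true));
	return 0;
}
```

The only combination that misbehaves in the model is the one the patch targets: a read-only, non-withdrawn superblock skipped the cleanup entirely in the old code, so the in-flight callback ran after the parent was gone. The fixed ordering drains the callbacks on every path before the superblock is released.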

