From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: stable@vger.kernel.org, Andrew Morton <akpm@linux-foundation.org>,
	sjb7183@psu.edu
Subject: Re: [PATCH 4.19 5.4 5.10 5.15 6.1] nilfs2: fix use-after-free of timer for log writer thread
Date: Wed, 12 Jun 2024 14:38:59 +0200
Message-ID: <2024061254-dig-relax-0743@gregkh>
In-Reply-To: <20240527212637.5907-1-konishi.ryusuke@gmail.com>

On Tue, May 28, 2024 at 06:26:37AM +0900, Ryusuke Konishi wrote:
> commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
> 
> Patch series "nilfs2: fix log writer related issues".
> 
> This bug fix series covers three nilfs2 log writer-related issues,
> including a timer use-after-free issue and potential deadlock issue on
> unmount, and a potential freeze issue in event synchronization found
> during their analysis.  Details are described in each commit log.
> 
> This patch (of 3):
> 
> A use-after-free issue has been reported regarding the timer sc_timer on
> the nilfs_sc_info structure.
> 
> The problem is that even though it is used to wake up a sleeping log
> writer thread, sc_timer is not shut down until the nilfs_sc_info structure
> is about to be freed, and is used regardless of the thread's lifetime.
> 
> Fix this issue by limiting the use of sc_timer only while the log writer
> thread is alive.
> 
> Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com
> Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com
> Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info")
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Reported-by: "Bai, Shuangpeng" <sjb7183@psu.edu>
> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ
> Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
> ---
> Please apply this patch to the stable trees indicated by the subject
> prefix instead of the patch that failed.
> 
> This patch is tailored to replace a call to timer_shutdown_sync(), which
> does not yet exist in these versions, with an equivalent function call,
> and is applicable from v4.15 to v6.1.
> 
> Also, all the builds and tests I did on each stable tree passed.

Now queued up, thanks.

greg k-h
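
The lifetime rule in the quoted commit message (use the timer only while the log writer thread is alive) can be seen in a small userspace model. This is an added example, not nilfs2 code and not part of the patch; `sc_model`, `ktimer`, `worker` and every function name are hypothetical, and "stale" here stands in for the callback touching state that belongs to an exited thread.

```c
#include <stdbool.h>
#include <stddef.h>

/* Userspace model; every name here is hypothetical, not nilfs2 code. */
struct worker { bool alive; int wakeups; };
struct ktimer { bool armed; bool shut_down; };
struct sc_model {
    struct ktimer timer;   /* embedded timer, in the role of sc_timer */
    struct worker *task;   /* thread the timer is meant to wake */
    int stale_fires;       /* expiries that found no live thread */
};

/* Arm the timer; once shut down it refuses to be armed again. */
static bool timer_arm(struct ktimer *t)
{
    if (t->shut_down)
        return false;
    t->armed = true;
    return true;
}

/* Expiry callback: wakes the thread, or records a stale expiry. */
static void timer_fire(struct sc_model *sc)
{
    if (!sc->timer.armed)
        return;
    sc->timer.armed = false;
    if (sc->task && sc->task->alive)
        sc->task->wakeups++;
    else
        sc->stale_fires++;
}

/* Thread exit; with bind_timer the timer is shut down before the thread goes. */
static void thread_exit(struct sc_model *sc, bool bind_timer)
{
    if (bind_timer)
        sc->timer = (struct ktimer){ .armed = false, .shut_down = true };
    sc->task->alive = false;
    sc->task = NULL;
}

/* Returns how many timer expiries ran after the thread was gone. */
int run_scenario(bool bind_timer)
{
    struct worker w = { .alive = true };
    struct sc_model sc = { .task = &w };
    timer_arm(&sc.timer); timer_fire(&sc);  /* normal wake-up */
    timer_arm(&sc.timer);                   /* still pending at exit */
    thread_exit(&sc, bind_timer);
    timer_fire(&sc);                        /* pending timer expires */
    timer_arm(&sc.timer); timer_fire(&sc);  /* late request after exit */
    return sc.stale_fires;
}
```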
