From: Zhihao Cheng <chengzhihao1@huawei.com>
To: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>,
David Woodhouse <dwmw2@infradead.org>
Cc: Richard Weinberger <richard@nod.at>,
Thomas Gleixner <tglx@linutronix.de>,
<linux-mtd@lists.infradead.org>, <linux-kernel@vger.kernel.org>,
<lvc-project@linuxtesting.org>
Subject: Re: [PATCH v2] jffs2: fix use-after-free in jffs2_garbage_collect_thread()
Date: Wed, 8 Apr 2026 19:34:19 +0800 [thread overview]
Message-ID: <75953ab2-8b96-ffe5-98ae-a565397bd7c3@huawei.com> (raw)
In-Reply-To: <20260408103127.22218-1-Dmitry.Chumachenko@cyberprotect.ru>
在 2026/4/8 18:31, Dmitriy Chumachenko 写道:
> During fuzz testing, the following issue was discovered.
>
> BUG: KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
> Read of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093
>
> CPU: 1 PID: 11093 Comm: jffs2_gcd_mtd0 Not tainted 5.10.232-syzkaller #0
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x107/0x167 lib/dump_stack.c:118
> print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377
> __kasan_report mm/kasan/report.c:537 [inline]
> kasan_report.cold+0x1f/0x37 mm/kasan/report.c:554
> __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
> lock_acquire kernel/locking/lockdep.c:5566 [inline]
> lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5531
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> _raw_spin_lock_irqsave+0x36/0x60 kernel/locking/spinlock.c:159
> complete+0x13/0x60 kernel/sched/completion.c:32
> complete_and_exit+0x20/0x40 kernel/exit.c:943
> jffs2_garbage_collect_thread+0x554/0x750 fs/jffs2/background.c:164
> kthread+0x3a9/0x490 kernel/kthread.c:328
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
>
> Allocated by task 11091:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track mm/kasan/common.c:56 [inline]
> __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
> kmalloc include/linux/slab.h:552 [inline]
> kzalloc include/linux/slab.h:664 [inline]
> jffs2_init_fs_context+0x41/0xd0 fs/jffs2/super.c:314
> alloc_fs_context+0x4f9/0x840 fs/fs_context.c:267
> do_new_mount fs/namespace.c:2896 [inline]
> path_mount+0xb99/0x2140 fs/namespace.c:3247
> do_mount fs/namespace.c:3260 [inline]
> __do_sys_mount fs/namespace.c:3468 [inline]
> __se_sys_mount fs/namespace.c:3445 [inline]
> __x64_sys_mount+0x283/0x300 fs/namespace.c:3445
> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x67/0xd1
>
> Freed by task 28546:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
> kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
> __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422
> slab_free_hook mm/slub.c:1542 [inline]
> slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576
> slab_free mm/slub.c:3149 [inline]
> kfree+0xd9/0x360 mm/slub.c:4125
> deactivate_locked_super+0x96/0x170 fs/super.c:335
> deactivate_super+0xb2/0xd0 fs/super.c:366
> cleanup_mnt+0x3a3/0x530 fs/namespace.c:1118
> task_work_run+0xdf/0x1a0 kernel/task_work.c:185
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> exit_to_user_mode_prepare+0x1de/0x1f0 kernel/entry/common.c:199
> syscall_exit_to_user_mode+0x38/0x1e0 kernel/entry/common.c:274
>
> In jffs2_garbage_collect_thread() gc_task is set to NULL and then
> kthread_complete_and_exit() calls complete() on gc_thread_exit. These
> operations are not atomic: stop path can see gc_task == NULL, skip
> wait_for_completion(), and the caller frees jffs2_sb_info while the GC
> thread still accesses gc_thread_exit in complete().
>
> Moreover, spin_unlock() itself accesses c after complete() has woken the
> stop path:
>
> jffs2_kill_sb jffs2_garbage_collect_thread
> jffs2_stop_garbage_collect_thread
> spin_lock
> send_sig(SIGKILL)
> wait = 1
> spin_unlock
> goto die
> spin_lock
> c->gc_task = NULL
> spin_unlock
> kthread_complete_and_exit()
> complete(&c->gc_thread_exit)
> wait_for_completion()
> kfree(c)
>
> Fix by adding a gc_thread_started flag that is set when the GC thread is
> successfully started. Use this flag instead of gc_task to decide whether
> to wait. The flag is never cleared by the GC thread, so
> wait_for_completion() is always called when start() succeeded, regardless
> of the current value of gc_task.
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
>
> Fixes: e2d48b1a98bb ("[JFFS2] Fix cleanup in case of GC-Task not started")
> Signed-off-by: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>
> ---
> v1->v2: Use gc_thread_started flag as a reliable indicator instead
> of gc_task. Drop complete() under erase_completion_lock
> (thanks, Zhihao Cheng).
>
> fs/jffs2/background.c | 7 ++++---
> fs/jffs2/jffs2_fs_sb.h | 1 +
> 2 files changed, 5 insertions(+), 3 deletions(-)
>
Reviewed-by: Zhihao Cheng <chengzhihao1@huawei.com>
> diff --git a/fs/jffs2/background.c b/fs/jffs2/background.c
> index bb0ee1a59e71..5e5ed9053326 100644
> --- a/fs/jffs2/background.c
> +++ b/fs/jffs2/background.c
> @@ -52,6 +52,7 @@ int jffs2_start_garbage_collect_thread(struct jffs2_sb_info *c)
> /* Wait for it... */
> jffs2_dbg(1, "Garbage collect thread is pid %d\n", tsk->pid);
> wait_for_completion(&c->gc_thread_start);
> + c->gc_thread_started = true;
> ret = tsk->pid;
> }
>
> @@ -60,16 +61,16 @@ int jffs2_start_garbage_collect_thread(struct jffs2_sb_info *c)
>
> void jffs2_stop_garbage_collect_thread(struct jffs2_sb_info *c)
> {
> - int wait = 0;
> spin_lock(&c->erase_completion_lock);
> if (c->gc_task) {
> jffs2_dbg(1, "Killing GC task %d\n", c->gc_task->pid);
> send_sig(SIGKILL, c->gc_task, 1);
> - wait = 1;
> }
> spin_unlock(&c->erase_completion_lock);
> - if (wait)
> + if (c->gc_thread_started) {
> wait_for_completion(&c->gc_thread_exit);
> + c->gc_thread_started = false;
> + }
> }
>
> static int jffs2_garbage_collect_thread(void *_c)
> diff --git a/fs/jffs2/jffs2_fs_sb.h b/fs/jffs2/jffs2_fs_sb.h
> index 5a7091746f68..4c833e0ff03c 100644
> --- a/fs/jffs2/jffs2_fs_sb.h
> +++ b/fs/jffs2/jffs2_fs_sb.h
> @@ -55,6 +55,7 @@ struct jffs2_sb_info {
> unsigned int flags;
>
> struct task_struct *gc_task; /* GC task struct */
> + bool gc_thread_started; /* GC thread was successfully started */
> struct completion gc_thread_start; /* GC thread start completion */
> struct completion gc_thread_exit; /* GC thread exit completion port */
>
>
______________________________________________________
Linux MTD discussion mailing list
http://lists.infradead.org/mailman/listinfo/linux-mtd/
prev parent reply other threads:[~2026-04-08 11:34 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-08 10:31 [PATCH v2] jffs2: fix use-after-free in jffs2_garbage_collect_thread() Dmitriy Chumachenko
2026-04-08 11:34 ` Zhihao Cheng [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=75953ab2-8b96-ffe5-98ae-a565397bd7c3@huawei.com \
--to=chengzhihao1@huawei.com \
--cc=Dmitry.Chumachenko@cyberprotect.ru \
--cc=dwmw2@infradead.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mtd@lists.infradead.org \
--cc=lvc-project@linuxtesting.org \
--cc=richard@nod.at \
--cc=tglx@linutronix.de \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox