From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev,
Ryusuke Konishi <konishi.ryusuke@gmail.com>,
"Bai, Shuangpeng" <sjb7183@psu.edu>,
Andrew Morton <akpm@linux-foundation.org>
Subject: [PATCH 6.1 09/85] nilfs2: fix use-after-free of timer for log writer thread
Date: Thu, 13 Jun 2024 13:35:07 +0200 [thread overview]
Message-ID: <20240613113214.498182663@linuxfoundation.org> (raw)
In-Reply-To: <20240613113214.134806994@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Ryusuke Konishi <konishi.ryusuke@gmail.com>
commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
Patch series "nilfs2: fix log writer related issues".
This bug fix series covers three nilfs2 log writer-related issues,
including a timer use-after-free issue and potential deadlock issue on
unmount, and a potential freeze issue in event synchronization found
during their analysis. Details are described in each commit log.
This patch (of 3):
A use-after-free issue has been reported regarding the timer sc_timer on
the nilfs_sc_info structure.
The problem is that even though it is used to wake up a sleeping log
writer thread, sc_timer is not shut down until the nilfs_sc_info structure
is about to be freed, and is used regardless of the thread's lifetime.
Fix this issue by limiting the use of sc_timer only while the log writer
thread is alive.
Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@gmail.com
Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@gmail.com
Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info")
Signed-off-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Reported-by: "Bai, Shuangpeng" <sjb7183@psu.edu>
Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ
Tested-by: Ryusuke Konishi <konishi.ryusuke@gmail.com>
Cc: <stable@vger.kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/nilfs2/segment.c | 25 +++++++++++++++++++------
1 file changed, 19 insertions(+), 6 deletions(-)
--- a/fs/nilfs2/segment.c
+++ b/fs/nilfs2/segment.c
@@ -2159,8 +2159,10 @@ static void nilfs_segctor_start_timer(st
{
spin_lock(&sci->sc_state_lock);
if (!(sci->sc_state & NILFS_SEGCTOR_COMMIT)) {
- sci->sc_timer.expires = jiffies + sci->sc_interval;
- add_timer(&sci->sc_timer);
+ if (sci->sc_task) {
+ sci->sc_timer.expires = jiffies + sci->sc_interval;
+ add_timer(&sci->sc_timer);
+ }
sci->sc_state |= NILFS_SEGCTOR_COMMIT;
}
spin_unlock(&sci->sc_state_lock);
@@ -2378,10 +2380,21 @@ int nilfs_construct_dsync_segment(struct
*/
static void nilfs_segctor_accept(struct nilfs_sc_info *sci)
{
+ bool thread_is_alive;
+
spin_lock(&sci->sc_state_lock);
sci->sc_seq_accepted = sci->sc_seq_request;
+ thread_is_alive = (bool)sci->sc_task;
spin_unlock(&sci->sc_state_lock);
- del_timer_sync(&sci->sc_timer);
+
+ /*
+ * This function does not race with the log writer thread's
+ * termination. Therefore, deleting sc_timer, which should not be
+ * done after the log writer thread exits, can be done safely outside
+ * the area protected by sc_state_lock.
+ */
+ if (thread_is_alive)
+ del_timer_sync(&sci->sc_timer);
}
/**
@@ -2407,7 +2420,7 @@ static void nilfs_segctor_notify(struct
sci->sc_flush_request &= ~FLUSH_DAT_BIT;
/* re-enable timer if checkpoint creation was not done */
- if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) &&
+ if ((sci->sc_state & NILFS_SEGCTOR_COMMIT) && sci->sc_task &&
time_before(jiffies, sci->sc_timer.expires))
add_timer(&sci->sc_timer);
}
@@ -2597,6 +2610,7 @@ static int nilfs_segctor_thread(void *ar
int timeout = 0;
sci->sc_timer_task = current;
+ timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
/* start sync. */
sci->sc_task = current;
@@ -2663,6 +2677,7 @@ static int nilfs_segctor_thread(void *ar
end_thread:
/* end sync. */
sci->sc_task = NULL;
+ del_timer_sync(&sci->sc_timer);
wake_up(&sci->sc_wait_task); /* for nilfs_segctor_kill_thread() */
spin_unlock(&sci->sc_state_lock);
return 0;
@@ -2726,7 +2741,6 @@ static struct nilfs_sc_info *nilfs_segct
INIT_LIST_HEAD(&sci->sc_gc_inodes);
INIT_LIST_HEAD(&sci->sc_iput_queue);
INIT_WORK(&sci->sc_iput_work, nilfs_iput_work_func);
- timer_setup(&sci->sc_timer, nilfs_construction_timeout, 0);
sci->sc_interval = HZ * NILFS_SC_DEFAULT_TIMEOUT;
sci->sc_mjcp_freq = HZ * NILFS_SC_DEFAULT_SR_FREQ;
@@ -2812,7 +2826,6 @@ static void nilfs_segctor_destroy(struct
down_write(&nilfs->ns_segctor_sem);
- del_timer_sync(&sci->sc_timer);
kfree(sci);
}
next prev parent reply other threads:[~2024-06-13 12:48 UTC|newest]
Thread overview: 99+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-06-13 11:34 [PATCH 6.1 00/85] 6.1.94-rc1 review Greg Kroah-Hartman
2024-06-13 11:34 ` [PATCH 6.1 01/85] drm: Check output polling initialized before disabling Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 02/85] drm: Check polling initialized before enabling in drm_helper_probe_single_connector_modes Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 03/85] Bluetooth: btrtl: Add missing MODULE_FIRMWARE declarations Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 04/85] maple_tree: fix allocation in mas_sparse_area() Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 05/85] maple_tree: fix mas_empty_area_rev() null pointer dereference Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 06/85] mmc: core: Do not force a retune before RPMB switch Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 07/85] afs: Dont cross .backup mountpoint from backup volume Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 08/85] riscv: signal: handle syscall restart before get_signal Greg Kroah-Hartman
2024-06-13 11:35 ` Greg Kroah-Hartman [this message]
2024-06-13 11:35 ` [PATCH 6.1 10/85] drm/i915/audio: Fix audio time stamp programming for DP Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 11/85] mptcp: avoid some duplicate code in socket option handling Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 12/85] mptcp: cleanup SOL_TCP handling Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 13/85] mptcp: fix full TCP keep-alive support Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 14/85] vxlan: Fix regression when dropping packets due to invalid src addresses Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 15/85] scripts/gdb: fix SB_* constants parsing Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 16/85] f2fs: fix to do sanity check on i_xattr_nid in sanity_check_inode() Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 17/85] media: lgdt3306a: Add a check against null-pointer-def Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 18/85] drm/amdgpu: add error handle to avoid out-of-bounds Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 19/85] bcache: fix variable length array abuse in btree_iter Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 20/85] wifi: rtw89: correct aSIFSTime for 6GHz band Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 21/85] ata: pata_legacy: make legacy_exit() work again Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 22/85] thermal/drivers/qcom/lmh: Check for SCM availability at probe Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 23/85] soc: qcom: rpmh-rsc: Enhance check for VRM in-flight request Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 24/85] ACPI: resource: Do IRQ override on TongFang GXxHRXx and GMxHGxx Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 25/85] arm64: tegra: Correct Tegra132 I2C alias Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 26/85] arm64: dts: qcom: qcs404: fix bluetooth device address Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 27/85] md/raid5: fix deadlock that raid5d() wait for itself to clear MD_SB_CHANGE_PENDING Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 28/85] wifi: rtw89: pci: correct TX resource checking for PCI DMA channel of firmware command Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 29/85] wifi: rtl8xxxu: Fix the TX power of RTL8192CU, RTL8723AU Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 30/85] wifi: rtlwifi: rtl8192de: Fix 5 GHz TX power Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 31/85] wifi: rtlwifi: rtl8192de: Fix low speed with WPA3-SAE Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 32/85] wifi: rtlwifi: rtl8192de: Fix endianness issue in RX path Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 33/85] arm64: dts: hi3798cv200: fix the size of GICR Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 34/85] media: mc: Fix graph walk in media_pipeline_start Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 35/85] media: mc: mark the media devnode as registered from the, start Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 36/85] media: mxl5xx: Move xpt structures off stack Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 37/85] media: v4l2-core: hold videodev_lock until dev reg, finishes Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 38/85] mmc: core: Add mmc_gpiod_set_cd_config() function Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 39/85] mmc: sdhci: Add support for "Tuning Error" interrupts Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 40/85] mmc: sdhci-acpi: Sort DMI quirks alphabetically Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 41/85] mmc: sdhci-acpi: Fix Lenovo Yoga Tablet 2 Pro 1380 sdcard slot not working Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 42/85] mmc: sdhci-acpi: Disable write protect detection on Toshiba WT10-A Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 43/85] mmc: sdhci-acpi: Add quirk to enable pull-up on the card-detect GPIO on Asus T100TA Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 44/85] fbdev: savage: Handle err return when savagefb_check_var failed Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 45/85] drm/amdgpu/atomfirmware: add intergrated info v2.3 table Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 46/85] 9p: add missing locking around taking dentry fid list Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 47/85] drm/amd: Fix shutdown (again) on some SMU v13.0.4/11 platforms Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 48/85] KVM: arm64: Fix AArch32 register narrowing on userspace write Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 49/85] KVM: arm64: Allow AArch32 PSTATE.M to be restored as System mode Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 50/85] KVM: arm64: AArch32: Fix spurious trapping of conditional instructions Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 51/85] crypto: ecdsa - Fix module auto-load on add-key Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 52/85] crypto: ecrdsa - Fix module auto-load on add_key Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 53/85] crypto: qat - Fix ADF_DEV_RESET_SYNC memory leak Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 54/85] mm: fix race between __split_huge_pmd_locked() and GUP-fast Greg Kroah-Hartman
2024-06-24 8:39 ` Ryan Roberts
2024-06-13 11:35 ` [PATCH 6.1 55/85] scsi: core: Handle devices which return an unusually large VPD page count Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 56/85] net/ipv6: Fix route deleting failure when metric equals 0 Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 57/85] net/9p: fix uninit-value in p9_client_rpc() Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 58/85] kmsan: do not wipe out origin when doing partial unpoisoning Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 59/85] cpufreq: amd-pstate: Fix the inconsistency in max frequency units Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 60/85] intel_th: pci: Add Meteor Lake-S CPU support Greg Kroah-Hartman
2024-06-13 11:35 ` [PATCH 6.1 61/85] sparc64: Fix number of online CPUs Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 62/85] mm/cma: drop incorrect alignment check in cma_init_reserved_mem Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 63/85] mm/hugetlb: pass correct order_per_bit to cma_declare_contiguous_nid Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 64/85] watchdog: rti_wdt: Set min_hw_heartbeat_ms to accommodate a safety margin Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 65/85] kdb: Fix buffer overflow during tab-complete Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 66/85] kdb: Use format-strings rather than \0 injection in kdb_read() Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 67/85] kdb: Fix console handling when editing and tab-completing commands Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 68/85] kdb: Merge identical case statements in kdb_read() Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 69/85] kdb: Use format-specifiers rather than memset() for padding " Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 70/85] net: fix __dst_negative_advice() race Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 71/85] sparc: move struct termio to asm/termios.h Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 72/85] ext4: set type of ac_groups_linear_remaining to __u32 to avoid overflow Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 73/85] ext4: fix mb_cache_entrys e_refcnt leak in ext4_xattr_block_cache_find() Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 74/85] parisc: Define HAVE_ARCH_HUGETLB_UNMAPPED_AREA Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 75/85] parisc: Define sigset_t in parisc uapi header Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 76/85] s390/ap: Fix crash in AP internal function modify_bitmap() Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 77/85] s390/cpacf: Split and rework cpacf query functions Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 78/85] s390/cpacf: Make use of invalid opcode produce a link error Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 79/85] i3c: master: svc: fix invalidate IBI type and miss call client IBI handler Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 80/85] EDAC/igen6: Convert PCIBIOS_* return codes to errnos Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 81/85] nfs: fix undefined behavior in nfs_block_bits() Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 82/85] NFS: Fix READ_PLUS when server doesnt support OP_READ_PLUS Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 83/85] btrfs: fix crash on racing fsync and size-extending write into prealloc Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 84/85] powerpc/bpf: enforce full ordering for ATOMIC operations with BPF_FETCH Greg Kroah-Hartman
2024-06-13 11:36 ` [PATCH 6.1 85/85] smb: client: fix deadlock in smb2_find_smb_tcon() Greg Kroah-Hartman
2024-06-13 16:49 ` [PATCH 6.1 00/85] 6.1.94-rc1 review SeongJae Park
2024-06-13 17:43 ` Guenter Roeck
2024-06-15 11:09 ` Greg Kroah-Hartman
2024-06-14 9:35 ` Pavel Machek
2024-06-14 10:17 ` Naresh Kamboju
2024-06-14 12:00 ` Ron Economos
2024-06-14 14:14 ` Mark Brown
2024-06-14 17:03 ` Jon Hunter
2024-06-14 23:21 ` Peter Schneider
2024-06-15 2:09 ` Shuah Khan
2024-06-15 13:19 ` Mateusz Jończyk
2024-06-16 13:18 ` Florian Fainelli
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240613113214.498182663@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=akpm@linux-foundation.org \
--cc=konishi.ryusuke@gmail.com \
--cc=patches@lists.linux.dev \
--cc=sjb7183@psu.edu \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox