[PATCH] jfs: fix use-after-free in jfs_lazycommit

[l1za0.sec@gmail.com]

From: Haocheng Yu <l1za0.sec@gmail.com>

A KASAN: slab-use-after-free Read in jfs_lazycommit is found
by a modified Syzkaller-based kernel fuzzing tool that we developed.

This issue is caused by a race condition between
fs/jfs/jfs_txnmgr.c:jfs_lazycommit() and
fs/jfs/super.c:jfs_put_super(). In jfs_lazycommit(), the commit
thread reads struct jfs_sb_info from tblk->sb and accesses
sbi->commit_state. At the same time, if another thread unmounts the
file system and frees the corresponding sbi, then jfs_lazycommit()
might access a freed sbi and trigger a use-after-free read.

To fix this vulnerability, call txQuiesce() and txDrain() in
jfs_umount() and jfs_umount_rw() before freeing JFS state.

Signed-off-by: Haocheng Yu <l1za0.sec@gmail.com>
---
 fs/jfs/jfs_txnmgr.c | 29 +++++++++++++++++++++++++++++
 fs/jfs/jfs_txnmgr.h |  1 +
 fs/jfs/jfs_umount.c |  9 +++++++++
 3 files changed, 39 insertions(+)

diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c
index 083dbbb0c326..3aa7f5787688 100644
--- a/fs/jfs/jfs_txnmgr.c
+++ b/fs/jfs/jfs_txnmgr.c
@@ -2874,6 +2874,35 @@ void txResume(struct super_block *sb)
 	TXN_WAKEUP(&log->syncwait);
 }
 
+void txDrain(struct super_block *sb)
+{
+	struct jfs_sb_info *sbi = JFS_SBI(sb);
+	struct tblock *tblk;
+	unsigned long flags;
+	bool pending;
+
+	for (;;) {
+		pending = false;
+		LAZY_LOCK(flags);
+		if (sbi->commit_state & IN_LAZYCOMMIT) {
+			pending = true;
+		} else {
+			list_for_each_entry(tblk, &TxAnchor.unlock_queue, cqueue) {
+				if (tblk->sb == sb) {
+					pending = true;
+					break;
+				}
+			}
+		}
+		LAZY_UNLOCK(flags);
+
+		if (!pending)
+			return;
+
+		schedule_timeout_uninterruptible(1);
+	}
+}
+
 /*
  *	jfs_sync(void)
  *
diff --git a/fs/jfs/jfs_txnmgr.h b/fs/jfs/jfs_txnmgr.h
index ba71eb5ced56..55cda4aa3691 100644
--- a/fs/jfs/jfs_txnmgr.h
+++ b/fs/jfs/jfs_txnmgr.h
@@ -293,6 +293,7 @@ extern int lmLog(struct jfs_log *, struct tblock *, struct lrd *,
 extern void txQuiesce(struct super_block *);
 extern void txResume(struct super_block *);
 extern void txLazyUnlock(struct tblock *);
+extern void txDrain(struct super_block *sb);
 extern int jfs_lazycommit(void *);
 extern int jfs_sync(void *);
 #endif				/* _H_JFS_TXNMGR */
diff --git a/fs/jfs/jfs_umount.c b/fs/jfs/jfs_umount.c
index 18569f1eaabd..6d332c8b85be 100644
--- a/fs/jfs/jfs_umount.c
+++ b/fs/jfs/jfs_umount.c
@@ -23,6 +23,7 @@
 #include "jfs_logmgr.h"
 #include "jfs_metapage.h"
 #include "jfs_debug.h"
+#include "jfs_txnmgr.h"
 
 /*
  * NAME:	jfs_umount(vfsp, flags, crp)
@@ -52,11 +53,17 @@ int jfs_umount(struct super_block *sb)
 	 *
 	 * if mounted read-write and log based recovery was enabled
 	 */
+
 	if ((log = sbi->log))
+		txQuiesce(sb);
+
+	if (log)
 		/*
 		 * Wait for outstanding transactions to be written to log:
 		 */
 		jfs_flush_journal(log, 2);
+
+	txDrain(sb);
 
 	/*
 	 * Hold log lock so write_special_inodes (lmLogSync) cannot see
@@ -141,7 +148,9 @@ int jfs_umount_rw(struct super_block *sb)
 	 *
 	 * remove file system from log active file system list.
 	 */
+	txQuiesce(sb);
 	jfs_flush_journal(log, 2);
+	txDrain(sb);
 
 	/*
 	 * Make sure all metadata makes it to disk

base-commit: f1a5e78a55ebf2b05777fd5eb738038ddae609d6
-- 
2.51.0