From: Sahitya Tummala
Date: Thu, 2 Feb 2017 01:49:35 +0000 (-0500)
Subject: jbd2: fix use after free in kjournald2()
X-Git-Tag: v4.1.52~76
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=0759c1c2f140ec56a9fec96dddf9e5beb89f3b48;p=users%2Fdwmw2%2Flinux.git
jbd2: fix use after free in kjournald2()
[ Upstream commit dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed ]
Below is the synchronization issue between unmount and kjournald2 contexts, which results into use after free issue in kjournald2(). Fix this issue by using journal->j_state_lock to synchronize the wait_event() done in journal_kill_thread() and the wake_up() done in kjournald2().
TASK 1: umount cmd: |--jbd2_journal_destroy() { |--journal_kill_thread() { write_lock(&journal->j_state_lock); journal->j_flags |= JBD2_UNMOUNT; ... write_unlock(&journal->j_state_lock); wake_up(&journal->j_wait_commit); TASK 2 wakes up here: kjournald2() { ... checks JBD2_UNMOUNT flag and calls goto end-loop; ... end_loop: write_unlock(&journal->j_state_lock); journal->j_task = NULL; --> If this thread gets pre-empted here, then TASK 1 wait_event will exit even before this thread is completely done. wait_event(journal->j_wait_done_commit, journal->j_task == NULL); ... write_lock(&journal->j_state_lock); write_unlock(&journal->j_state_lock); } |--kfree(journal); } } wake_up(&journal->j_wait_done_commit); --> this step now results into use after free issue. }
Signed-off-by: Sahitya Tummala
Signed-off-by: Theodore Ts'o
Signed-off-by: Sasha Levin
---
diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
index 97f29405e5c6b..0bb394b4f04b7 100644
--- a/fs/jbd2/journal.c
+++ b/fs/jbd2/journal.c
@@ -275,11 +275,11 @@ loop:
 	goto loop;
 end_loop:
-	write_unlock(&journal->j_state_lock);
 	del_timer_sync(&journal->j_commit_timer);
 	journal->j_task = NULL;
 	wake_up(&journal->j_wait_done_commit);
 	jbd_debug(1, "Journal thread exiting.\n");
+	write_unlock(&journal->j_state_lock);
 	return 0;
 }
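Review bot: The new position of `write_unlock(&journal->j_state_lock)` after the `wake_up()` is load-bearing, but nothing in the code says why, so a later cleanup could move the unlock back to the top of `end_loop:` and silently reintroduce the use-after-free the commit message describes. Add a comment before the `wake_up()` along the lines of `/* Keep j_state_lock held across the wake_up(): journal_kill_thread() takes the lock after its wait_event(), so the journal cannot be freed until this thread has left this block. */`. With this change `del_timer_sync()`, `wake_up()` and `jbd_debug()` all run with the write lock held; that is only safe if the `j_commit_timer` callback never takes `j_state_lock`, which the hunk cannot show and is worth confirming where the timer is set up. The enclosing function `kjournald2()` starts outside the hunk.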