From patchwork Tue Feb 20 03:55:18 2024
X-Patchwork-Submitter: Edward Adam Davis
X-Patchwork-Id: 203404
From: Edward Adam Davis
To: syzbot+c244f4a09ca85dd2ebc1@syzkaller.appspotmail.com
Cc: jfs-discussion@lists.sourceforge.net, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, shaggy@kernel.org, syzkaller-bugs@googlegroups.com
Subject: [PATCH] jfs: fix uaf in jfs_syncpt
Date: Tue, 20 Feb 2024 11:55:18 +0800
X-OQ-MSGID: <20240220035517.2079019-2-eadavis@qq.com>
In-Reply-To: <0000000000003d021006119cbf46@google.com>

During the execution of the jfs lazy commit, the jfs file system was unmounted, causing the sbi and jfs log objects to be released, triggering this issue.

The solution is to add a mutex to synchronize jfs lazy commit and jfs unmount operations.

Reported-and-tested-by: syzbot+c244f4a09ca85dd2ebc1@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis
---
 fs/jfs/jfs_incore.h | 1 +
 fs/jfs/jfs_txnmgr.c | 7 ++++++-
 fs/jfs/jfs_umount.c | 2 ++
 fs/jfs/super.c | 1 +
 4 files changed, 10 insertions(+), 1 deletion(-)

diff --git a/fs/jfs/jfs_incore.h b/fs/jfs/jfs_incore.h index dd4264aa9bed..15955dd86bfd 100644 --- a/fs/jfs/jfs_incore.h +++ b/fs/jfs/jfs_incore.h @@ -197,6 +197,7 @@ struct jfs_sb_info { kgid_t gid; /* gid to override on-disk gid */ uint umask; /* umask to override on-disk umask */ uint minblks_trim; /* minimum blocks, for online trim */ + struct mutex log_mutex; }; /* jfs_sb_info commit_state */ diff --git a/fs/jfs/jfs_txnmgr.c b/fs/jfs/jfs_txnmgr.c index be17e3c43582..eb60862dc61b 100644 --- a/fs/jfs/jfs_txnmgr.c +++ b/fs/jfs/jfs_txnmgr.c 
@@ -2665,6 +2665,9 @@ static void txLazyCommit(struct tblock * tblk) log = (struct jfs_log *) JFS_SBI(tblk->sb)->log; + if (!log) + return; + spin_lock_irq(&log->gclock); // LOGGC_LOCK tblk->flag |= tblkGC_COMMITTED; @@ -2730,10 +2733,12 @@ int jfs_lazycommit(void *arg) list_del(&tblk->cqueue); LAZY_UNLOCK(flags); + mutex_lock(&sbi->log_mutex); txLazyCommit(tblk); + sbi->commit_state &= ~IN_LAZYCOMMIT; + mutex_unlock(&sbi->log_mutex); LAZY_LOCK(flags); - sbi->commit_state &= ~IN_LAZYCOMMIT; /* * Don't continue in the for loop. (We can't * anyway, it's unsafe!) We want to go back to diff --git a/fs/jfs/jfs_umount.c b/fs/jfs/jfs_umount.c index 8ec43f53f686..04788cf3a471 100644 --- a/fs/jfs/jfs_umount.c +++ b/fs/jfs/jfs_umount.c @@ -51,6 +51,7 @@ int jfs_umount(struct super_block *sb) * * if mounted read-write and log based recovery was enabled */ + mutex_lock(&sbi->log_mutex); if ((log = sbi->log)) /* * Wait for outstanding transactions to be written to log: @@ -113,6 +114,7 @@ int jfs_umount(struct super_block *sb) */ rc = lmLogClose(sb); } + mutex_unlock(&sbi->log_mutex); jfs_info("UnMount JFS Complete: rc = %d", rc); return rc; } diff --git a/fs/jfs/super.c b/fs/jfs/super.c index 8d8e556bd610..cf291bdd094f 100644 --- a/fs/jfs/super.c +++ b/fs/jfs/super.c @@ -504,6 +504,7 @@ static int jfs_fill_super(struct super_block *sb, void *data, int silent) sbi->uid = INVALID_UID; sbi->gid = INVALID_GID; sbi->umask = -1; + mutex_init(&sbi->log_mutex); /* initialize the mount flag and determine the default error handler */ flag = JFS_ERR_REMOUNT_RO;
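Review bot: the new `struct mutex log_mutex;` member of `struct jfs_sb_info` (jfs_incore.h hunk) is the only field in that hunk without a trailing comment saying what it protects. Add one naming the two paths it serializes, e.g. `struct mutex log_mutex; /* serializes lazy commit against umount */`, so the intended lock scope is visible to later readers.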
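Review bot: the early `return` on `!log` in txLazyCommit (@@ -2665 hunk) leaves the tblk half-processed: the caller has already done `list_del(&tblk->cqueue)` (next hunk), and the code being skipped is what sets `tblkGC_COMMITTED` and, further down, completes the block and wakes whoever waits on it. So a NULL log turns the use-after-free into a leaked transaction block and a possibly hung waiter. With log_mutex now serializing against jfs_umount, either this path is unreachable (then drop the check or make it a WARN_ON_ONCE so a future regression is loud) or it is reachable and must finish the tblk rather than return; the commit message should say which.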
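Review bot: `sbi->commit_state &= ~IN_LAZYCOMMIT;` is moved out from under LAZY_LOCK(flags) and now runs under log_mutex instead (@@ -2730 hunk). The removed line cleared the flag under the lazy spinlock, which is presumably what protects the other accesses to commit_state, so the read-modify-write now races with whichever path sets IN_LAZYCOMMIT under LAZY_LOCK. Keep the clear where it was, after `LAZY_LOCK(flags);`, and wrap only `txLazyCommit(tblk);` in `mutex_lock(&sbi->log_mutex)` / `mutex_unlock(&sbi->log_mutex)`; taking the mutex after LAZY_UNLOCK is correct, since a mutex cannot be acquired under the spinlock.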
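Review bot: in jfs_umount, log_mutex is held from before `if ((log = sbi->log))` until after `rc = lmLogClose(sb);`, i.e. across the whole "Wait for outstanding transactions to be written to log" section. The lazy commit thread now needs the same mutex to process each tblk, so if that wait is satisfied only when jfs_lazycommit drains its queue, umount waits on the lazy thread while the lazy thread waits on umount's mutex. Either narrow the critical section to the teardown after the wait, or explain in the commit message why the wait cannot depend on lazy-commit progress. Also confirm there is no error return between the @@ -51 and @@ -113 hunks that would leave the mutex locked; the unlock is only on the single exit shown.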
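Review bot: `mutex_init(&sbi->log_mutex)` in jfs_fill_super (super.c hunk) has no matching `mutex_destroy()` in the superblock teardown path. It is a no-op without mutex debugging, but adding it lets CONFIG_DEBUG_MUTEXES catch the exact failure this patch is about, a mutex torn down while a lazy commit still holds it.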