ext4: Fix use-after-free about sbi->s_mmp_tsk
After merging commit 618f003 ("ext4: fix memory leak in ext4_fill_super"), if we add a delay in ext4_remount after "sb->s_flags |= SB_RDONLY" and then remount the filesystem read-only, KASAN reports the following warning:

[ 888.695326] ==================================================================
[ 888.696566] BUG: KASAN: use-after-free in kthread_stop+0x4c/0x2f0
[ 888.697599] Write of size 4 at addr ffff8883849e0020 by task mount/2013
[ 888.698707]
[ 888.698982] CPU: 4 PID: 2013 Comm: mount Not tainted 4.19.95-00013-ga369a6189bbf-dirty #413
[ 888.700376] Hardware name: QEMU Standard PC
[ 888.702587] Call Trace:
[ 888.703017]  dump_stack+0x108/0x15f
[ 888.703615]  print_address_description+0xa5/0x372
[ 888.704420]  kasan_report.cold+0x236/0x2a8
[ 888.705761]  check_memory_region+0x240/0x270
[ 888.706486]  kasan_check_write+0x20/0x30
[ 888.707156]  kthread_stop+0x4c/0x2f0
[ 888.707776]  ext4_stop_mmpd+0x32/0x90
[ 888.708262]  ext4_remount.cold+0xf6/0x116
[ 888.712671]  do_remount_sb+0xff/0x460
[ 888.714007]  do_mount+0xce3/0x1be0
[ 888.717749]  ksys_mount+0xb2/0x150
[ 888.718163]  __x64_sys_mount+0x6a/0x80
[ 888.718607]  do_syscall_64+0xd9/0x1f0
[ 888.719047]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

kmmpd will exit if the filesystem is read-only. Then sbi->s_mmp_tsk becomes a wild pointer, leading to a use-after-free. kmmpd can exit either because others stop it (by calling kthread_stop) or by itself. After commit 618f003 we can trigger this issue very easily; the issue also existed before that commit. If kmmpd exits by itself, then after merging commit 618f003 a UAF is triggered when unmounting the filesystem.

To fix this issue, introduce sbi->s_mmp_lock to protect sbi->s_mmp_tsk. If kmmpd exits by itself, we set sbi->s_mmp_tsk to NULL and release the mmp buffer_head.

Fixes: 618f003 ("ext4: fix memory leak in ext4_fill_super")
Signed-off-by: Ye Bin <yebin10@huawei.com>
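The page carries the commit message but not the diff, so the following is an added user-space model of the locking scheme the message describes, not the kernel's code or the author's patch. A pthread stands in for the kmmpd kthread, a mutex for the new sbi->s_mmp_lock, a malloc'd buffer for the mmp buffer_head, and a condition variable for the daemon's sleep/wake-up. The names sbi->s_mmp_tsk, s_mmp_lock, kmmpd, ext4_stop_mmpd and ext4_remount come from the commit message and trace; struct mmp_task, s_mmp_cv, rdonly, ext4_start_mmpd, ext4_remount_ro and run_scenario are assumptions made for the model. It replays both orderings from the message: the daemon exits by itself after a read-only remount (the KASAN case), and the daemon is stopped explicitly on a plain unmount.

```c
#include <pthread.h>
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical user-space model of the fix, not ext4 code: a pthread stands in for
 * the kmmpd kthread, a mutex for the new sbi->s_mmp_lock, a malloc'd buffer for the
 * mmp buffer_head, and a condition variable for the daemon's sleep/wake-up. */
struct ext4_sb_info;
struct mmp_task {
    pthread_t tid;
    struct ext4_sb_info *sbi;
    bool should_stop;   /* kthread_should_stop() analogue; written only under s_mmp_lock */
};

struct ext4_sb_info {
    pthread_mutex_t s_mmp_lock;
    pthread_cond_t s_mmp_cv;      /* wakes kmmpd when rdonly or should_stop changes */
    struct mmp_task *s_mmp_tsk;   /* NULL whenever no daemon is alive */
    char *s_mmp_bh;               /* stands in for the mmp buffer_head */
    bool rdonly;                  /* sb_rdonly(sb) analogue */
};

/* The real kmmpd rewrites the MMP block periodically; this model only waits for a reason to exit. */
static void *kmmpd(void *arg)
{
    struct mmp_task *me = arg;
    struct ext4_sb_info *sbi = me->sbi;
    pthread_mutex_lock(&sbi->s_mmp_lock);
    while (!sbi->rdonly && !me->should_stop)
        pthread_cond_wait(&sbi->s_mmp_cv, &sbi->s_mmp_lock);
    bool self_exit = !me->should_stop;
    if (self_exit) {
        /* Exiting by itself: clear the pointer and release the buffer while still holding
         * the lock, so ext4_stop_mmpd() can never observe a task that is about to be gone. */
        sbi->s_mmp_tsk = NULL;
        free(sbi->s_mmp_bh);
        sbi->s_mmp_bh = NULL;
        pthread_cond_broadcast(&sbi->s_mmp_cv);
        pthread_detach(pthread_self());   /* nobody will join this thread */
    }
    pthread_mutex_unlock(&sbi->s_mmp_lock);
    if (self_exit) free(me);   /* ours was the only remaining reference */
    return NULL;
}

static int ext4_start_mmpd(struct ext4_sb_info *sbi)
{
    struct mmp_task *tsk = calloc(1, sizeof *tsk);
    char *bh = malloc(32);   /* constructed stand-in for the mmp buffer_head */
    if (!tsk || !bh) { free(tsk); free(bh); return -1; }
    tsk->sbi = sbi;
    pthread_mutex_lock(&sbi->s_mmp_lock);
    sbi->s_mmp_bh = bh;
    sbi->s_mmp_tsk = tsk;   /* published under the lock before the thread can touch it */
    int rc = pthread_create(&tsk->tid, NULL, kmmpd, tsk);
    if (rc != 0) { sbi->s_mmp_tsk = NULL; sbi->s_mmp_bh = NULL; free(tsk); free(bh); }
    pthread_mutex_unlock(&sbi->s_mmp_lock);
    return rc == 0 ? 0 : -1;
}

/* Returns 1 if a live daemon was stopped, 0 if it had already exited by itself.
 * The unfixed ext4_stop_mmpd() called kthread_stop(sbi->s_mmp_tsk) with no such check. */
static int ext4_stop_mmpd(struct ext4_sb_info *sbi)
{
    pthread_mutex_lock(&sbi->s_mmp_lock);
    struct mmp_task *tsk = sbi->s_mmp_tsk;
    if (tsk) {
        tsk->should_stop = true;   /* decided under the lock, so kmmpd cannot self-exit now */
        sbi->s_mmp_tsk = NULL;
        pthread_cond_broadcast(&sbi->s_mmp_cv);
    }
    pthread_mutex_unlock(&sbi->s_mmp_lock);
    if (!tsk) return 0;
    pthread_join(tsk->tid, NULL);   /* kthread_stop() also waits for the thread to finish */
    free(tsk);
    free(sbi->s_mmp_bh);   /* the daemon is gone; this caller is the last user */
    sbi->s_mmp_bh = NULL;
    return 1;
}

/* ext4_remount() going read-only; the wait models the delay from the report, which let
 * kmmpd notice SB_RDONLY and exit before ext4_stop_mmpd() ran. */
static void ext4_remount_ro(struct ext4_sb_info *sbi)
{
    pthread_mutex_lock(&sbi->s_mmp_lock);
    sbi->rdonly = true;
    pthread_cond_broadcast(&sbi->s_mmp_cv);
    while (sbi->s_mmp_tsk != NULL)
        pthread_cond_wait(&sbi->s_mmp_cv, &sbi->s_mmp_lock);
    pthread_mutex_unlock(&sbi->s_mmp_lock);
}

/* With remount_ro: the sequence from the KASAN report (kmmpd exits on its own, then stop).
 * Without it: a plain unmount of a read-write filesystem. Returns what ext4_stop_mmpd()
 * returned, or -1 if setup failed or the superblock state was left inconsistent. */
int run_scenario(bool remount_ro)
{
    struct ext4_sb_info sbi = { .s_mmp_lock = PTHREAD_MUTEX_INITIALIZER,
                                .s_mmp_cv = PTHREAD_COND_INITIALIZER };
    if (ext4_start_mmpd(&sbi) != 0) return -1;
    if (remount_ro) ext4_remount_ro(&sbi);
    int stopped = ext4_stop_mmpd(&sbi);
    bool clean = sbi.s_mmp_tsk == NULL && sbi.s_mmp_bh == NULL;
    return clean ? stopped : -1;   /* 0 after remount r/o, 1 on plain unmount */
}
```

The point of the model is that both parties decide the daemon's fate under the same lock: the daemon only clears sbi->s_mmp_tsk (and frees the buffer) if no stop request is pending, and the stopper only issues a stop if the pointer is still non-NULL, so the pointer is never read after the daemon has gone. Run with `run_scenario(true)` for the remount case and `run_scenario(false)` for the unmount case.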