linux/fs/f2fs
Chao Yu c7f114d864 f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()
syzbot reports an f2fs bug as below:

 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x241/0x360 lib/dump_stack.c:114
 print_report+0xe8/0x550 mm/kasan/report.c:491
 kasan_report+0x143/0x180 mm/kasan/report.c:601
 kasan_check_range+0x282/0x290 mm/kasan/generic.c:189
 instrument_atomic_read_write include/linux/instrumented.h:96 [inline]
 atomic_fetch_add_relaxed include/linux/atomic/atomic-instrumented.h:252 [inline]
 __refcount_add include/linux/refcount.h:184 [inline]
 __refcount_inc include/linux/refcount.h:241 [inline]
 refcount_inc include/linux/refcount.h:258 [inline]
 get_task_struct include/linux/sched/task.h:118 [inline]
 kthread_stop+0xca/0x630 kernel/kthread.c:704
 f2fs_stop_gc_thread+0x65/0xb0 fs/f2fs/gc.c:210
 f2fs_do_shutdown+0x192/0x540 fs/f2fs/file.c:2283
 f2fs_ioc_shutdown fs/f2fs/file.c:2325 [inline]
 __f2fs_ioctl+0x443a/0xbe60 fs/f2fs/file.c:4325
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:907 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

The root cause is the race condition below; it may cause a use-after-free
issue on the sbi->gc_th pointer.

- remount
 - f2fs_remount
  - f2fs_stop_gc_thread
   - kfree(gc_th)
				- f2fs_ioc_shutdown
				 - f2fs_do_shutdown
				  - f2fs_stop_gc_thread
				   - kthread_stop(gc_th->f2fs_gc_task)
   : sbi->gc_thread = NULL;

We will call f2fs_do_shutdown() in two paths:
- for the f2fs_ioc_shutdown() path, we should grab the sb->s_umount semaphore
to fix this.
- for the f2fs_shutdown() path, it's safe since the caller has already grabbed
the sb->s_umount semaphore.

Reported-by: syzbot+1a8e2b31f2ac9bd3d148@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-f2fs-devel/0000000000005c7ccb061e032b9b@google.com
Fixes: 7950e9ac63 ("f2fs: stop gc/discard thread after fs shutdown")
Signed-off-by: Chao Yu <chao@kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
2024-08-21 00:56:28 +00:00
acl.c f2fs: Use in_group_or_capable() helper 2024-06-25 11:15:48 +02:00
acl.h fs: port ->set_acl() to pass mnt_idmap 2023-01-19 09:24:27 +01:00
checkpoint.c f2fs: clean up val{>>,<<}F2FS_BLKSIZE_BITS 2024-08-21 00:56:27 +00:00
compress.c f2fs: clean up set REQ_RAHEAD given rac 2024-06-18 02:31:48 +00:00
data.c f2fs: fix to use per-inode maxbytes and cleanup 2024-08-15 15:26:40 +00:00
debug.c f2fs: clean up val{>>,<<}F2FS_BLKSIZE_BITS 2024-08-21 00:56:27 +00:00
dir.c f2fs: prevent possible int overflow in dir_block_index() 2024-08-05 20:18:35 +00:00
extent_cache.c f2fs: fix several potential integer overflows in file offsets 2024-08-05 20:18:35 +00:00
f2fs.h f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() 2024-08-21 00:56:28 +00:00
file.c f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() 2024-08-21 00:56:28 +00:00
gc.c f2fs: use meta inode for GC of COW file 2024-07-10 22:48:20 +00:00
gc.h f2fs: fix to limit gc_pin_file_threshold 2024-05-09 01:03:44 +00:00
hash.c f2fs: don't use casefolded comparison for "." and ".." 2022-05-17 11:19:23 -07:00
inline.c f2fs: use f2fs_get_node_page when write inline data 2024-08-15 15:26:40 +00:00
inode.c f2fs: get rid of buffer_head use 2024-08-15 15:26:40 +00:00
iostat.c f2fs: add async reset zone command support 2023-06-12 13:04:09 -07:00
iostat.h f2fs: use iostat_lat_type directly as a parameter in the iostat_update_and_unbind_ctx() 2023-02-07 10:39:28 -08:00
Kconfig fs: add CONFIG_BUFFER_HEAD 2023-08-02 09:13:09 -06:00
Makefile f2fs: separate out iostat feature 2021-08-23 10:25:51 -07:00
namei.c f2fs update for 6.11-rc1 2024-07-23 15:21:19 -07:00
node.c f2fs: clean up val{>>,<<}F2FS_BLKSIZE_BITS 2024-08-21 00:56:27 +00:00
node.h f2fs: use BLKS_PER_SEG, BLKS_PER_SEC, and SEGS_PER_SEC 2024-02-27 09:41:12 -08:00
recovery.c f2fs update for 6.11-rc1 2024-07-23 15:21:19 -07:00
segment.c f2fs: add write priority option based on zone UFS 2024-08-05 20:18:35 +00:00
segment.h f2fs: fix start segno of large section 2024-07-09 19:33:50 +00:00
shrinker.c f2fs: add block_age-based extent cache 2022-12-12 14:53:56 -08:00
super.c f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread() 2024-08-21 00:56:28 +00:00
sysfs.c f2fs: sysfs: support atgc_enabled 2024-08-15 15:26:40 +00:00
verity.c f2fs: fix to use per-inode maxbytes and cleanup 2024-08-15 15:26:40 +00:00
xattr.c f2fs: reduce expensive checkpoint trigger frequency 2024-08-15 15:26:39 +00:00
xattr.h f2fs: move f2fs_xattr_handlers and f2fs_xattr_handler_map to .rodata 2023-10-09 16:24:18 +02:00