fs/jffs2/background.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-)
During fuzz testing, the following issue was discovered.
BUG: KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
Read of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093
CPU: 1 PID: 11093 Comm: jffs2_gcd_mtd0 Not tainted 5.10.232-syzkaller #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x107/0x167 lib/dump_stack.c:118
print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377
__kasan_report mm/kasan/report.c:537 [inline]
kasan_report.cold+0x1f/0x37 mm/kasan/report.c:554
__lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
lock_acquire kernel/locking/lockdep.c:5566 [inline]
lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5531
__raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
_raw_spin_lock_irqsave+0x36/0x60 kernel/locking/spinlock.c:159
complete+0x13/0x60 kernel/sched/completion.c:32
complete_and_exit+0x20/0x40 kernel/exit.c:943
jffs2_garbage_collect_thread+0x554/0x750 fs/jffs2/background.c:164
kthread+0x3a9/0x490 kernel/kthread.c:328
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
Allocated by task 11091:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
kmalloc include/linux/slab.h:552 [inline]
kzalloc include/linux/slab.h:664 [inline]
jffs2_init_fs_context+0x41/0xd0 fs/jffs2/super.c:314
alloc_fs_context+0x4f9/0x840 fs/fs_context.c:267
do_new_mount fs/namespace.c:2896 [inline]
path_mount+0xb99/0x2140 fs/namespace.c:3247
do_mount fs/namespace.c:3260 [inline]
__do_sys_mount fs/namespace.c:3468 [inline]
__se_sys_mount fs/namespace.c:3445 [inline]
__x64_sys_mount+0x283/0x300 fs/namespace.c:3445
do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
entry_SYSCALL_64_after_hwframe+0x67/0xd1
Freed by task 28546:
kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
__kasan_slab_free+0x112/0x170 mm/kasan/common.c:422
slab_free_hook mm/slub.c:1542 [inline]
slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576
slab_free mm/slub.c:3149 [inline]
kfree+0xd9/0x360 mm/slub.c:4125
deactivate_locked_super+0x96/0x170 fs/super.c:335
deactivate_super+0xb2/0xd0 fs/super.c:366
cleanup_mnt+0x3a3/0x530 fs/namespace.c:1118
task_work_run+0xdf/0x1a0 kernel/task_work.c:185
tracehook_notify_resume include/linux/tracehook.h:188 [inline]
exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
exit_to_user_mode_prepare+0x1de/0x1f0 kernel/entry/common.c:199
syscall_exit_to_user_mode+0x38/0x1e0 kernel/entry/common.c:274
In jffs2_garbage_collect_thread() gc_task is set to NULL and then
kthread_complete_and_exit() calls complete() on gc_thread_exit. These operations
are not atomic: stop path can see gc_task == NULL, skip wait_for_completion(),
and the caller frees jffs2_sb_info while the GC thread still accesses
gc_thread_exit in complete().
Fix moving complete() under erase_completion_lock together with gc_task =
NULL, and replacing kthread_complete_and_exit() with kthread_exit(). The
conditional wait in stop path is preserved as it is needed when
jffs2_do_fill_super() fails before start().
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
Fixes: e2d48b1a98bb ("[JFFS2] Fix cleanup in case of GC-Task not started")
Signed-off-by: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>
---
fs/jffs2/background.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/jffs2/background.c b/fs/jffs2/background.c
index bb0ee1a59e71..abf0572dfd3c 100644
--- a/fs/jffs2/background.c
+++ b/fs/jffs2/background.c
@@ -160,6 +160,7 @@ static int jffs2_garbage_collect_thread(void *_c)
die:
spin_lock(&c->erase_completion_lock);
c->gc_task = NULL;
+ complete(&c->gc_thread_exit);
spin_unlock(&c->erase_completion_lock);
- kthread_complete_and_exit(&c->gc_thread_exit, 0);
+ kthread_exit(0);
}
--
2.49.0在 2026/3/23 17:21, Dmitriy Chumachenko 写道:
> During fuzz testing, the following issue was discovered.
>
> BUG: KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
> Read of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093
>
> CPU: 1 PID: 11093 Comm: jffs2_gcd_mtd0 Not tainted 5.10.232-syzkaller #0
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
> Call Trace:
> __dump_stack lib/dump_stack.c:77 [inline]
> dump_stack+0x107/0x167 lib/dump_stack.c:118
> print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377
> __kasan_report mm/kasan/report.c:537 [inline]
> kasan_report.cold+0x1f/0x37 mm/kasan/report.c:554
> __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825
> lock_acquire kernel/locking/lockdep.c:5566 [inline]
> lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5531
> __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline]
> _raw_spin_lock_irqsave+0x36/0x60 kernel/locking/spinlock.c:159
> complete+0x13/0x60 kernel/sched/completion.c:32
> complete_and_exit+0x20/0x40 kernel/exit.c:943
> jffs2_garbage_collect_thread+0x554/0x750 fs/jffs2/background.c:164
> kthread+0x3a9/0x490 kernel/kthread.c:328
> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298
>
> Allocated by task 11091:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track mm/kasan/common.c:56 [inline]
> __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461
> kmalloc include/linux/slab.h:552 [inline]
> kzalloc include/linux/slab.h:664 [inline]
> jffs2_init_fs_context+0x41/0xd0 fs/jffs2/super.c:314
> alloc_fs_context+0x4f9/0x840 fs/fs_context.c:267
> do_new_mount fs/namespace.c:2896 [inline]
> path_mount+0xb99/0x2140 fs/namespace.c:3247
> do_mount fs/namespace.c:3260 [inline]
> __do_sys_mount fs/namespace.c:3468 [inline]
> __se_sys_mount fs/namespace.c:3445 [inline]
> __x64_sys_mount+0x283/0x300 fs/namespace.c:3445
> do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46
> entry_SYSCALL_64_after_hwframe+0x67/0xd1
>
> Freed by task 28546:
> kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48
> kasan_set_track+0x1c/0x30 mm/kasan/common.c:56
> kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355
> __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422
> slab_free_hook mm/slub.c:1542 [inline]
> slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576
> slab_free mm/slub.c:3149 [inline]
> kfree+0xd9/0x360 mm/slub.c:4125
> deactivate_locked_super+0x96/0x170 fs/super.c:335
> deactivate_super+0xb2/0xd0 fs/super.c:366
> cleanup_mnt+0x3a3/0x530 fs/namespace.c:1118
> task_work_run+0xdf/0x1a0 kernel/task_work.c:185
> tracehook_notify_resume include/linux/tracehook.h:188 [inline]
> exit_to_user_mode_loop kernel/entry/common.c:172 [inline]
> exit_to_user_mode_prepare+0x1de/0x1f0 kernel/entry/common.c:199
> syscall_exit_to_user_mode+0x38/0x1e0 kernel/entry/common.c:274
>
> In jffs2_garbage_collect_thread() gc_task is set to NULL and then
> kthread_complete_and_exit() calls complete() on gc_thread_exit. These operations
> are not atomic: stop path can see gc_task == NULL, skip wait_for_completion(),
> and the caller frees jffs2_sb_info while the GC thread still accesses
> gc_thread_exit in complete().
>
> Fix moving complete() under erase_completion_lock together with gc_task =
> NULL, and replacing kthread_complete_and_exit() with kthread_exit(). The
> conditional wait in stop path is preserved as it is needed when
> jffs2_do_fill_super() fails before start().
>
> Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
I guess the race window is small and it won't happen in normal mode, the
jffs2_garbage_collect_thread is killed by
jffs2_stop_garbage_collect_thread normally. For above case, the
jffs2_garbage_collect_thread is stopped by other reasons(eg.
jffs2_garbage_collect_pass returns ENOSPC, or user sends SIGKILL to
jffs2_garbage_collect_thread task).
>
> Fixes: e2d48b1a98bb ("[JFFS2] Fix cleanup in case of GC-Task not started")
> Signed-off-by: Dmitriy Chumachenko <Dmitry.Chumachenko@cyberprotect.ru>
> ---
> fs/jffs2/background.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/fs/jffs2/background.c b/fs/jffs2/background.c
> index bb0ee1a59e71..abf0572dfd3c 100644
> --- a/fs/jffs2/background.c
> +++ b/fs/jffs2/background.c
> @@ -160,6 +160,7 @@ static int jffs2_garbage_collect_thread(void *_c)
> die:
> spin_lock(&c->erase_completion_lock);
> c->gc_task = NULL;
> + complete(&c->gc_thread_exit);
> spin_unlock(&c->erase_completion_lock);
> - kthread_complete_and_exit(&c->gc_thread_exit, 0);
> + kthread_exit(0);
> }
>
Hi, I think the UAF could still happen even this patch is applied.
jffs2_kill_sb jffs2_garbage_collect_thread
jffs2_stop_garbage_collect_thread
spin_lock(&c->erase_completion_lock)
send_sig(SIGKILL, c->gc_task, 1)
wait = 1
spin_unlock(&c->erase_completion_lock)
goto die // receive kill SIGKILL
spin_lock(&c->erase_completion_lock)
complete(&c->gc_thread_exit)
wait_for_completion(&c->gc_thread_exit) // don't wait
kfree(c)
spin_unlock(&c->erase_completion_lock)
© 2016 - 2026 Red Hat, Inc.