From nobody Fri Apr 3 20:53:40 2026 Received: from mx2.cyberprotect.ru (mx2.cyberprotect.ru [176.10.93.31]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 437F037BE66 for ; Mon, 23 Mar 2026 10:03:43 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=176.10.93.31 ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774260227; cv=none; b=TbnjpEd+nLq7ZWVgQ//M6GnTBFffOLCTf/yjQhBcli+sNsLhJLpF6fi/j2yy2YOwk/ZBehlB1H6xg3+s7JBp63tnzfdmsGgQP32qjxPpAtrQQV6yZBKhQwEowxO0z4Jisg1RPrgGriZJxmKeZYJ/YMjiTX2W5ZG957m2Io9PDAk= ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1774260227; c=relaxed/simple; bh=rwDMtwnRdth9g73Yq1lcEmA93wVjkJ6xC/cv6Bs2idA=; h=From:To:CC:Subject:Date:Message-ID:MIME-Version:Content-Type; b=EMIhZocgG3KpTB4k/U5lWa5dR7ZqL1Yz+ZiTv+5sOFdT+U9RkLHP06PdqX6ESVmexTJq4v6F6T01g4nromTFA3wr3HF0z+Mm9Fl/FdqGMz8yut76zh7fSawPagBoLrSs6OKcMT66UC21sZUdVwj4NfxkCCihztoYa/LMpIiZu4k= ARC-Authentication-Results: i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=cyberprotect.ru; spf=pass smtp.mailfrom=cyberprotect.ru; dkim=pass (2048-bit key) header.d=cyberprotect.ru header.i=@cyberprotect.ru header.b=d3aNjm/t; dkim=permerror (0-bit key) header.d=cyberprotect.ru header.i=@cyberprotect.ru header.b=zE/pLUgD; arc=none smtp.client-ip=176.10.93.31 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=cyberprotect.ru Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=cyberprotect.ru Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=cyberprotect.ru header.i=@cyberprotect.ru header.b="d3aNjm/t"; dkim=permerror (0-bit key) header.d=cyberprotect.ru header.i=@cyberprotect.ru header.b="zE/pLUgD" DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=cyberprotect.ru; s=dkim-r; h=MIME-Version:Date:From:Sender:Reply-To; bh=NOaRPSDC4hvOaKwBBZyyruA+Hbtj/kUSKaD2sInZ+tw=; b=d3aNjm/tHXxGtTmRiZ3AaBhrHP OzNSJXT/5mDIvqEylm3qt0+2UXRLPtWUpfmCl8E4ZYTfhJyupaC9vo0RNZhRFf+vkzuRxfhppqTIA VLmCS0e+iqtJxeyN4R9/KQc6R9auPTBFvgpo4GaSdtQf6YwWdizc+BySfmn4O2jSVoBjy4FurngQm 2/XpX71RnfxfOPxQ/1ESll/G67xQapn2TO2aD4nn/ZewQuBntynK7aoJHLcpLa1S9vQhcR7ijt6ue 5mIjjxka4R+RW5l8adKwbDTfFXyI2cMSGewpFylufIIrVdzXp5f1jxGT5OpNyeoW/M4E6SAAZvXoy cp8pBOZw==; DKIM-Signature: v=1; a=ed25519-sha256; q=dns/txt; c=relaxed/relaxed; d=cyberprotect.ru; s=dkim; h=MIME-Version:Date:From:Sender:Reply-To; bh=NOaRPSDC4hvOaKwBBZyyruA+Hbtj/kUSKaD2sInZ+tw=; b=zE/pLUgDUXBX4OxpntXEU+z4RV WAI3wY5/gNmVvSRFdv9YJk6CPu7XGcDgXU58c9Rrg9sZKiiBqfW05HdPbRBw==; From: Dmitriy Chumachenko To: David Woodhouse CC: Richard Weinberger , Thomas Gleixner , , , Subject: [PATCH] jffs2: fix use-after-free in jffs2_garbage_collect_thread() Date: Mon, 23 Mar 2026 12:21:42 +0300 Message-ID: <20260323092142.15241-1-Dmitry.Chumachenko@cyberprotect.ru> X-Mailer: git-send-email 2.49.0 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable X-ClientProxiedBy: AIP-EXCH-1.aip.ooo (10.77.28.101) To AIP-EXCH-2.aip.ooo (10.77.28.102) Content-Type: text/plain; charset="utf-8" During fuzz testing, the following issue was discovered. = =20 = =20 BUG: KASAN: use-after-free in __lock_acquire+0x3f22/0x53c0 kernel/locking/l= ockdep.c:4825 Read of size 8 at addr ffff888053cfa098 by task jffs2_gcd_mtd0/11093 = =20 = =20 CPU: 1 PID: 11093 Comm: jffs2_gcd_mtd0 Not tainted 5.10.232-syzkaller #0 = =20 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/= 2014=20 Call Trace: = =20 __dump_stack lib/dump_stack.c:77 [inline] = =20 dump_stack+0x107/0x167 lib/dump_stack.c:118 = =20 print_address_description.constprop.0+0x1c/0x220 mm/kasan/report.c:377 = =20 __kasan_report mm/kasan/report.c:537 [inline] = =20 kasan_report.cold+0x1f/0x37 mm/kasan/report.c:554 = =20 __lock_acquire+0x3f22/0x53c0 kernel/locking/lockdep.c:4825 = =20 lock_acquire kernel/locking/lockdep.c:5566 [inline] = =20 lock_acquire+0x197/0x480 kernel/locking/lockdep.c:5531 = =20 __raw_spin_lock_irqsave include/linux/spinlock_api_smp.h:110 [inline] = =20 _raw_spin_lock_irqsave+0x36/0x60 kernel/locking/spinlock.c:159 = =20 complete+0x13/0x60 kernel/sched/completion.c:32 = =20 complete_and_exit+0x20/0x40 kernel/exit.c:943 = =20 jffs2_garbage_collect_thread+0x554/0x750 fs/jffs2/background.c:164 = =20 kthread+0x3a9/0x490 kernel/kthread.c:328 = =20 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:298 = =20 = =20 Allocated by task 11091: = =20 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 = =20 kasan_set_track mm/kasan/common.c:56 [inline] = =20 __kasan_kmalloc.constprop.0+0xc9/0xd0 mm/kasan/common.c:461 = =20 kmalloc include/linux/slab.h:552 [inline] = =20 kzalloc include/linux/slab.h:664 [inline] = =20 jffs2_init_fs_context+0x41/0xd0 fs/jffs2/super.c:314 = =20 alloc_fs_context+0x4f9/0x840 fs/fs_context.c:267 = =20 do_new_mount fs/namespace.c:2896 [inline] = =20 path_mount+0xb99/0x2140 fs/namespace.c:3247 = =20 do_mount fs/namespace.c:3260 [inline] = =20 __do_sys_mount fs/namespace.c:3468 [inline] = =20 __se_sys_mount fs/namespace.c:3445 [inline] = =20 __x64_sys_mount+0x283/0x300 fs/namespace.c:3445 = =20 do_syscall_64+0x30/0x40 arch/x86/entry/common.c:46 = =20 entry_SYSCALL_64_after_hwframe+0x67/0xd1 = =20 = =20 Freed by task 28546: = =20 kasan_save_stack+0x1b/0x40 mm/kasan/common.c:48 = =20 kasan_set_track+0x1c/0x30 mm/kasan/common.c:56 = =20 kasan_set_free_info+0x1b/0x30 mm/kasan/generic.c:355 = =20 __kasan_slab_free+0x112/0x170 mm/kasan/common.c:422 = =20 slab_free_hook mm/slub.c:1542 [inline] = =20 slab_free_freelist_hook+0xb8/0x1b0 mm/slub.c:1576 = =20 slab_free mm/slub.c:3149 [inline] = =20 kfree+0xd9/0x360 mm/slub.c:4125 = =20 deactivate_locked_super+0x96/0x170 fs/super.c:335 = =20 deactivate_super+0xb2/0xd0 fs/super.c:366 = =20 cleanup_mnt+0x3a3/0x530 fs/namespace.c:1118 = =20 task_work_run+0xdf/0x1a0 kernel/task_work.c:185 = =20 tracehook_notify_resume include/linux/tracehook.h:188 [inline] = =20 exit_to_user_mode_loop kernel/entry/common.c:172 [inline] = =20 exit_to_user_mode_prepare+0x1de/0x1f0 kernel/entry/common.c:199 = =20 syscall_exit_to_user_mode+0x38/0x1e0 kernel/entry/common.c:274 In jffs2_garbage_collect_thread() gc_task is set to NULL and then kthread_complete_and_exit() calls complete() on gc_thread_exit. These opera= tions are not atomic: stop path can see gc_task =3D=3D NULL, skip wait_for_comple= tion(), and the caller frees jffs2_sb_info while the GC thread still accesses gc_thread_exit in complete(). Fix moving complete() under erase_completion_lock together with gc_task =3D NULL, and replacing kthread_complete_and_exit() with kthread_exit(). The conditional wait in stop path is preserved as it is needed when jffs2_do_fill_super() fails before start(). Found by Linux Verification Center (linuxtesting.org) with Syzkaller. Fixes: e2d48b1a98bb ("[JFFS2] Fix cleanup in case of GC-Task not started") Signed-off-by: Dmitriy Chumachenko --- fs/jffs2/background.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/fs/jffs2/background.c b/fs/jffs2/background.c index bb0ee1a59e71..abf0572dfd3c 100644 --- a/fs/jffs2/background.c +++ b/fs/jffs2/background.c @@ -160,6 +160,7 @@ static int jffs2_garbage_collect_thread(void *_c) die: spin_lock(&c->erase_completion_lock); c->gc_task =3D NULL; + complete(&c->gc_thread_exit); spin_unlock(&c->erase_completion_lock); - kthread_complete_and_exit(&c->gc_thread_exit, 0); + kthread_exit(0); } --=20 2.49.0