[PATCH v2 0/2] jfs: fix use-after-free races during unmount

Tristan Madani posted 2 patches 1 month, 1 week ago
From: Tristan Madani <tristan@talencesecurity.com>

Two related UAF races exist in JFS unmount:

1. jfs_lazycommit accesses freed jfs_sb_info/jfs_log after unmount
   proceeds past jfs_flush_journal but before jfsCommit drains
   TxAnchor.unlock_queue.

2. lbmIODone (BIO completion in softirq) accesses freed lbuf fields
   after lbmLogShutdown frees all lbufs from the freelist.

V1 fixed only race #1.  Syzbot testing showed that race #2 can
still trigger independently.  This V2 adds a second patch for the
BIO completion race.

Changes since v1:
 - Split into two patches (one per race)
 - NEW: patch 2/2 adds atomic io_count to drain in-flight BIO
   completions before lbmLogShutdown frees lbufs

Tristan Madani (2):
  jfs: drain lazy commit queue during unmount to prevent use-after-free
  jfs: wait for in-flight log I/O before freeing lbufs in lbmLogShutdown

 fs/jfs/jfs_logmgr.c | 10 ++++++++++
 fs/jfs/jfs_logmgr.h |  2 ++
 fs/jfs/jfs_txnmgr.c | 35 +++++++++++++++++++++++++++++++++++
 fs/jfs/jfs_txnmgr.h |  1 +
 fs/jfs/jfs_umount.c |  8 ++++++++
 5 files changed, 56 insertions(+)

-- 
2.47.3
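Added illustration, not code from the posted series or from fs/jfs: a user-space C model of the shape of race #2 above (an asynchronous completion handler running against an object the teardown path has already freed) and of the fix described for patch 2/2, an in-flight counter that shutdown drains before freeing. Race #1 has the same shape, with the lazy-commit thread in place of the softirq. Every name here (jlog_t, lbuf_t, io_done, submit_io, shutdown_drain, unmount_scenario) is a hypothetical stand-in for jfs_log, lbuf, lbmIODone and lbmLogShutdown, and the block layer is modelled by a pending queue; nothing below claims to be how the actual patch implements its io_count.

```c
/* Added example (not the JFS patch): model of "drain in-flight I/O before
 * freeing".  All identifiers are hypothetical stand-ins for the kernel ones.
 * The block layer / softirq is modelled by a pending-completion queue. */
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NBUFS 4

typedef struct lbuf {
    bool freed;              /* models "object returned to the allocator" */
    unsigned char page[64];  /* payload the completion handler touches */
} lbuf_t;

typedef struct jlog {
    lbuf_t bufs[NBUFS];
    atomic_int io_count;     /* submitted I/Os whose completion has not run */
    int uaf_hits;            /* completions that touched a freed lbuf */
} jlog_t;

static lbuf_t *pending[NBUFS];  /* "block layer" holding submitted I/Os */
static int npending;

static void lbuf_free(lbuf_t *bp)
{
    bp->freed = true;
    memset(bp->page, 0x6b, sizeof bp->page);  /* poison, like a freed slab */
}

/* Completion handler: runs later, in another context (softirq in-kernel). */
static void io_done(jlog_t *log, lbuf_t *bp)
{
    if (bp->freed)
        log->uaf_hits++;     /* the real handler would read garbage or crash */
    else
        bp->page[0] = 0;     /* last access to the buffer */
    /* The decrement must be the final touch of bp: a waiter may free it
     * the instant io_count reaches zero. */
    atomic_fetch_sub_explicit(&log->io_count, 1, memory_order_release);
}

/* Submission path: count the I/O before handing it to the block layer. */
static void submit_io(jlog_t *log, lbuf_t *bp)
{
    atomic_fetch_add_explicit(&log->io_count, 1, memory_order_relaxed);
    pending[npending++] = bp;
}

/* Block layer delivering whatever completions are pending. */
static void run_completions(jlog_t *log)
{
    int n = npending;
    npending = 0;
    for (int i = 0; i < n; i++)
        io_done(log, pending[i]);
}

/* Buggy shutdown: frees every lbuf while I/O may still be in flight. */
static void shutdown_unsafe(jlog_t *log)
{
    for (int i = 0; i < NBUFS; i++)
        lbuf_free(&log->bufs[i]);
}

/* Fixed shutdown: free only once every in-flight completion has run.  In
 * the kernel this is a blocking wait for io_count == 0; in this
 * single-threaded model "waiting" means letting the other context run. */
static void shutdown_drain(jlog_t *log)
{
    while (atomic_load_explicit(&log->io_count, memory_order_acquire) > 0)
        run_completions(log);
    for (int i = 0; i < NBUFS; i++)
        lbuf_free(&log->bufs[i]);
}

/* Scenario: two log I/Os are in flight when unmount starts and the block
 * layer delivers their completions only after shutdown has run.  Returns
 * the number of completions that touched freed memory. */
int unmount_scenario(bool drain_first)
{
    jlog_t log;
    memset(&log, 0, sizeof log);
    atomic_init(&log.io_count, 0);
    npending = 0;
    submit_io(&log, &log.bufs[0]);
    submit_io(&log, &log.bufs[1]);
    if (drain_first)
        shutdown_drain(&log);
    else
        shutdown_unsafe(&log);
    run_completions(&log);  /* late completions arriving after teardown */
    return log.uaf_hits;
}

int main(void)
{
    printf("without drain: %d completions hit freed lbufs\n", unmount_scenario(false));
    printf("with drain:    %d completions hit freed lbufs\n", unmount_scenario(true));
    return 0;
}
```

The two properties the model makes visible are the ones a reviewer checks in any counter-drained teardown: the counter goes up before the I/O leaves the submitter's hands, and the completion handler's decrement is its very last access to the object, because the waiter is entitled to free the object as soon as the count hits zero.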