mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-29 23:53:32 +00:00
7727ae5297
Remount process will release system zone which was allocated before if "noblock_validity" is specified. If we mount an ext4 file system to two mountpoints with default mount options, and then remount one of them with "noblock_validity", it may trigger a use after free problem when someone accessing the other one. # mount /dev/sda foo # mount /dev/sda bar User access mountpoint "foo" | Remount mountpoint "bar" | ext4_map_blocks() | ext4_remount() check_block_validity() | ext4_setup_system_zone() ext4_data_block_valid() | ext4_release_system_zone() | free system_blks rb nodes access system_blks rb nodes | trigger use after free | This problem can also be reproduced by one mountpint, At the same time, add_system_zone() can get called during remount as well so there can be racing ext4_data_block_valid() reading the rbtree at the same time. This patch add RCU to protect system zone from releasing or building when doing a remount which inverse current "noblock_validity" mount option. It assign the rbtree after the whole tree was complete and do actual freeing after rcu grace period, avoid any intermediate state. Reported-by: syzbot+1e470567330b7ad711d5@syzkaller.appspotmail.com Signed-off-by: zhangyi (F) <yi.zhang@huawei.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Reviewed-by: Jan Kara <jack@suse.cz> |
||
---|---|---|
.. | ||
acl.c | ||
acl.h | ||
balloc.c | ||
bitmap.c | ||
block_validity.c | ||
dir.c | ||
ext4.h | ||
ext4_extents.h | ||
ext4_jbd2.c | ||
ext4_jbd2.h | ||
extents.c | ||
extents_status.c | ||
extents_status.h | ||
file.c | ||
fsmap.c | ||
fsmap.h | ||
fsync.c | ||
hash.c | ||
ialloc.c | ||
indirect.c | ||
inline.c | ||
inode.c | ||
ioctl.c | ||
Kconfig | ||
Makefile | ||
mballoc.c | ||
mballoc.h | ||
migrate.c | ||
mmp.c | ||
move_extent.c | ||
namei.c | ||
page-io.c | ||
readpage.c | ||
resize.c | ||
super.c | ||
symlink.c | ||
sysfs.c | ||
truncate.h | ||
xattr.c | ||
xattr.h | ||
xattr_security.c | ||
xattr_trusted.c | ||
xattr_user.c |