diff options
| author | Theodore Ts'o <tytso@mit.edu> | 2018-10-12 09:28:09 -0400 |
|---|---|---|
| committer | Theodore Ts'o <tytso@mit.edu> | 2018-10-12 09:28:09 -0400 |
| commit | 33458eaba4dfe778a426df6a19b7aad2ff9f7eec (patch) | |
| tree | f4732bd54c93bd877209855b3148db771da85b55 /fs/ext4/ext4.h | |
| parent | 6fd941784b8ac3e74313f7112f0586076dc36544 (diff) | |
ext4: fix use-after-free race in ext4_remount()'s error path
It's possible for ext4_show_quota_options() to try reading
s_qf_names[i] while it is being modified by ext4_remount() --- most
notably, in ext4_remount's error path when the original values of the
quota file name gets restored.
Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.2+
Diffstat (limited to 'fs/ext4/ext4.h')
| -rw-r--r-- | fs/ext4/ext4.h | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 86e1bacac757..12f90d48ba61 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h | |||
| @@ -1405,7 +1405,8 @@ struct ext4_sb_info { | |||
| 1405 | u32 s_min_batch_time; | 1405 | u32 s_min_batch_time; |
| 1406 | struct block_device *journal_bdev; | 1406 | struct block_device *journal_bdev; |
| 1407 | #ifdef CONFIG_QUOTA | 1407 | #ifdef CONFIG_QUOTA |
| 1408 | char *s_qf_names[EXT4_MAXQUOTAS]; /* Names of quota files with journalled quota */ | 1408 | /* Names of quota files with journalled quota */ |
| 1409 | char __rcu *s_qf_names[EXT4_MAXQUOTAS]; | ||
| 1409 | int s_jquota_fmt; /* Format of quota to use */ | 1410 | int s_jquota_fmt; /* Format of quota to use */ |
| 1410 | #endif | 1411 | #endif |
| 1411 | unsigned int s_want_extra_isize; /* New inodes should reserve # bytes */ | 1412 | unsigned int s_want_extra_isize; /* New inodes should reserve # bytes */ |