diff options
author | Junho Ryu <jayr@google.com> | 2013-12-03 18:10:28 -0500 |
---|---|---|
committer | Theodore Ts'o <tytso@mit.edu> | 2013-12-03 18:10:28 -0500 |
commit | 4e8d2139802ce4f41936a687f06c560b12115247 (patch) | |
tree | 1567612eeb7bf2e0b50500f9c464f4ee2c849dbf /fs/ext4 | |
parent | ae1495b12df1897d4f42842a7aa7276d920f6290 (diff) |
ext4: fix use-after-free in ext4_mb_new_blocks
ext4_mb_put_pa should hold pa->pa_lock before accessing pa->pa_count.
While ext4_mb_use_preallocated checks pa->pa_deleted first and then
increments pa->count later, ext4_mb_put_pa decrements pa->pa_count
before holding pa->pa_lock and then sets pa->pa_deleted.
* Free sequence
ext4_mb_put_pa (1): atomic_dec_and_test pa->pa_count
ext4_mb_put_pa (2): lock pa->pa_lock
ext4_mb_put_pa (3): check pa->pa_deleted
ext4_mb_put_pa (4): set pa->pa_deleted=1
ext4_mb_put_pa (5): unlock pa->pa_lock
ext4_mb_put_pa (6): remove pa from a list
ext4_mb_pa_callback: free pa
* Use sequence
ext4_mb_use_preallocated (1): iterate over preallocation
ext4_mb_use_preallocated (2): lock pa->pa_lock
ext4_mb_use_preallocated (3): check pa->pa_deleted
ext4_mb_use_preallocated (4): increase pa->pa_count
ext4_mb_use_preallocated (5): unlock pa->pa_lock
ext4_mb_release_context: access pa
* Use-after-free sequence
[initial status] <pa->pa_deleted = 0, pa_count = 1>
ext4_mb_use_preallocated (1): iterate over preallocation
ext4_mb_use_preallocated (2): lock pa->pa_lock
ext4_mb_use_preallocated (3): check pa->pa_deleted
ext4_mb_put_pa (1): atomic_dec_and_test pa->pa_count
[pa_count decremented] <pa->pa_deleted = 0, pa_count = 0>
ext4_mb_use_preallocated (4): increase pa->pa_count
[pa_count incremented] <pa->pa_deleted = 0, pa_count = 1>
ext4_mb_use_preallocated (5): unlock pa->pa_lock
ext4_mb_put_pa (2): lock pa->pa_lock
ext4_mb_put_pa (3): check pa->pa_deleted
ext4_mb_put_pa (4): set pa->pa_deleted=1
[race condition!] <pa->pa_deleted = 1, pa_count = 1>
ext4_mb_put_pa (5): unlock pa->pa_lock
ext4_mb_put_pa (6): remove pa from a list
ext4_mb_pa_callback: free pa
ext4_mb_release_context: access pa
AddressSanitizer has detected use-after-free in ext4_mb_new_blocks
Bug report: http://goo.gl/rG1On3
Signed-off-by: Junho Ryu <jayr@google.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
Diffstat (limited to 'fs/ext4')
-rw-r--r-- | fs/ext4/mballoc.c | 11 |
1 files changed, 8 insertions, 3 deletions
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index 4d113efa024c..04766d9a29cd 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c | |||
@@ -3442,6 +3442,9 @@ static void ext4_mb_pa_callback(struct rcu_head *head) | |||
3442 | { | 3442 | { |
3443 | struct ext4_prealloc_space *pa; | 3443 | struct ext4_prealloc_space *pa; |
3444 | pa = container_of(head, struct ext4_prealloc_space, u.pa_rcu); | 3444 | pa = container_of(head, struct ext4_prealloc_space, u.pa_rcu); |
3445 | |||
3446 | BUG_ON(atomic_read(&pa->pa_count)); | ||
3447 | BUG_ON(pa->pa_deleted == 0); | ||
3445 | kmem_cache_free(ext4_pspace_cachep, pa); | 3448 | kmem_cache_free(ext4_pspace_cachep, pa); |
3446 | } | 3449 | } |
3447 | 3450 | ||
@@ -3455,11 +3458,13 @@ static void ext4_mb_put_pa(struct ext4_allocation_context *ac, | |||
3455 | ext4_group_t grp; | 3458 | ext4_group_t grp; |
3456 | ext4_fsblk_t grp_blk; | 3459 | ext4_fsblk_t grp_blk; |
3457 | 3460 | ||
3458 | if (!atomic_dec_and_test(&pa->pa_count) || pa->pa_free != 0) | ||
3459 | return; | ||
3460 | |||
3461 | /* in this short window concurrent discard can set pa_deleted */ | 3461 | /* in this short window concurrent discard can set pa_deleted */ |
3462 | spin_lock(&pa->pa_lock); | 3462 | spin_lock(&pa->pa_lock); |
3463 | if (!atomic_dec_and_test(&pa->pa_count) || pa->pa_free != 0) { | ||
3464 | spin_unlock(&pa->pa_lock); | ||
3465 | return; | ||
3466 | } | ||
3467 | |||
3463 | if (pa->pa_deleted == 1) { | 3468 | if (pa->pa_deleted == 1) { |
3464 | spin_unlock(&pa->pa_lock); | 3469 | spin_unlock(&pa->pa_lock); |
3465 | return; | 3470 | return; |