Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3648785ybz; Mon, 4 May 2020 07:08:53 -0700 (PDT) X-Google-Smtp-Source: APiQypI9M+HDa70UZR22it3RZj15QMLxgNLLHdQrvisgx+hU8ZJVD/uLezObwaQrmvKcQNSlTW2f X-Received: by 2002:a17:906:a38f:: with SMTP id k15mr15438102ejz.181.1588601332979; Mon, 04 May 2020 07:08:52 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1588601332; cv=none; d=google.com; s=arc-20160816; b=NLIlo+24bKmuEA42W3+9cKfHpNt0w/yxiEoXCTed48s6uGGuY6TRVl/ALyHwrrk2BK Kujuzf7MYJlJ/r5joVcCn1+RYLQeoL6mZ6H2Sfed8gjLCY4gp2QCoKJ+AtBIAU+ZRBOb gbXkkmiaU5tbWneaLg2Vo9glwb7/K1cQSYExJDuwTL+fjfa8/AimfhuoitH35RaJ14rf bPiZr4p18TkIITr2Xqt0pCITgIQDBN0zwIFApmV4Oke+algcOolkVX/1o0nUX4VUuu9J K/U8lAP8t0gXTP9CRfe+cFg/h//gLmJV3aYiO/E3qLJivlLa7Q7H/4+3M4ZjeBySUsLp Fuxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=4eecyt+DUYccwhMTCjrta4aHo5IczYr3GF085KGw+5w=; b=F64UgM+HJZp+QuaigaCruZnKvo8TraTFKND8E4sIBrZQVKgI7fC9iL2Ro3UnrPP53L +/EZ7//oURIO3LMRlBONoRchZ6IlIb5tT01Azg3y38p+3mXjBtagy+PsxZGR+7HRqBAJ TRRDjawlqjsVrHHgAIjfZT/4TbuvgmFlGxLMJkraFJsQ+AL68MlL6nTa9v32IaOK9Q2F R8y8OA22uSEDFiOJf6t74EwWu+Vf5uFhsacsTmuzjI6JAjO9uqevMtBMc3DK7vepOs1a EOm/D4e07FXJpC7lKCwkbSyMLhYOdNGQs7+QRB7vfYi7qhgv1ykaHH+n1XDqgVkNeyuM NWQg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=AnLqvQY2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id p17si6708387ejd.260.2020.05.04.07.08.16; Mon, 04 May 2020 07:08:52 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=AnLqvQY2; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728938AbgEDOCq (ORCPT + 99 others); Mon, 4 May 2020 10:02:46 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47956 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728434AbgEDOCp (ORCPT ); Mon, 4 May 2020 10:02:45 -0400 Received: from mail-pg1-x541.google.com (mail-pg1-x541.google.com [IPv6:2607:f8b0:4864:20::541]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 03E97C061A0F for ; Mon, 4 May 2020 07:02:45 -0700 (PDT) Received: by mail-pg1-x541.google.com with SMTP id s8so8514433pgq.1 for ; Mon, 04 May 2020 07:02:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=from:to:cc:subject:date:message-id; bh=4eecyt+DUYccwhMTCjrta4aHo5IczYr3GF085KGw+5w=; b=AnLqvQY2GefSo4gIsF0Xry75jB/5c736xQEWdac1hcQEmpj9DFoeWNNdplAVlncZE3 0H5wpYdNfEV/V5UbAE60/DVJ7kXrrZzW/lZd6JXEYKcRbyofTe06v6Ncm+dP8GiQNhtb exEBibD2NBwTkjLV8yFO2JBQm78vaclpB4ffxx+0MY0WyJIU+4gxoISYjatiVRcz9YAx 1agGfHr895fCPWc9xKgTNfOKOCoWAEVXCnyZa1dbrJGw+WkBf4JnHOoUyrO/KieL7wdB BFml0TeWiv1RjOpr1cVUGjxSYvwlnbY/Y8p+MYuQko/Pi8kVN+NYpFkDYOYAreFaSSNb F1Hg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:from:to:cc:subject:date:message-id; bh=4eecyt+DUYccwhMTCjrta4aHo5IczYr3GF085KGw+5w=; b=ulkUWNhHuZTGAaRh9aUysQOqHdQkSuJfAFjQB3MXp5FLNr96/N4VUtZylyBTWJYWjG HLzfTT5lZ7grYO+fUXWSmsZAQ3f23X5llKXJv+FcKu3YUOgDqdzWubOyKCkQ1ykVqwBr GM43EPDp/deoO74AOJcT4IuPmCYdyOfN+S15U01k6VJPMaGXk3QWQDZcOeJDtuWv1fcI 1Nne3eEWgPzu2g4pm1xIjTxijVW4ITWhf3Cb6cBzJWz2w3rc5xMuBfm3iG9jYGyheOLf HpP8vFM5b/evFAuAtMm4L3IIK9IjHs0IlY0t55EO4/YdXaUXwIvor+jC/6zdG5wDTY52 PEdg== X-Gm-Message-State: AGi0PuY3iWcVYrbcdXTUzGrq01P9/O+BgCmVA0oyBS4Gc12B+Eky4g6l mQni/BblKorpnnjDi3FU+OM= X-Received: by 2002:a62:2ad2:: with SMTP id q201mr17769556pfq.323.1588600964431; Mon, 04 May 2020 07:02:44 -0700 (PDT) Received: from localhost.localdomain ([120.244.110.63]) by smtp.gmail.com with ESMTPSA id mn1sm7113207pjb.24.2020.05.04.07.02.40 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 04 May 2020 07:02:43 -0700 (PDT) From: Jia-Ju Bai To: shaggy@kernel.org Cc: jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, Jia-Ju Bai Subject: [PATCH] fs: jfs: fix possible data races in txExit() Date: Mon, 4 May 2020 22:02:09 +0800 Message-Id: <20200504140209.18689-1-baijiaju1990@gmail.com> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org The functions txEnd() and txExit() can be concurrently executed in the following call contexts: Thread1: jfs_lazycommit() txLazyCommit() txEnd() Thread2: exit_jfs_fs() txExit() In txEnd(): struct tblock *tblk = tid_to_tblock(tid); // #define tid_to_tblock(tid) (&TxBlock[tid]) In txExit(): vfree(TxBlock); TxBlock = NULL; Thus, data races can occur for the global variable TxBlock. And these data races can cause use-after-free bugs and null-pointer dereferences. To fix these data races, txExit() is called after the filesystem stops the threads that run jfs_lazycommit(). These data races are found by our concurrency fuzzer. Signed-off-by: Jia-Ju Bai --- fs/jfs/super.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/jfs/super.c b/fs/jfs/super.c index b2dc4d1f9dcc..8c80397df336 100644 --- a/fs/jfs/super.c +++ b/fs/jfs/super.c @@ -1027,13 +1027,13 @@ static void __exit exit_jfs_fs(void) jfs_info("exit_jfs_fs called"); - txExit(); metapage_exit(); kthread_stop(jfsIOthread); for (i = 0; i < commit_threads; i++) kthread_stop(jfsCommitThread[i]); kthread_stop(jfsSyncThread); + txExit(); #ifdef PROC_FS_JFS jfs_proc_clean(); #endif -- 2.17.1