Date: Tue, 6 Jul 2021 21:49:10 +0200
From: Jan Kara
To: Theodore Ts'o
Cc: Ext4 Developers List, Jan Kara, Ye Bin
Subject: Re: [PATCH -v3] ext4: fix possible UAF when remounting r/o a mmp-protected file system
Message-ID: <20210706194910.GC17149@quack2.suse.cz>
References: <20210706171208.3540887-1-tytso@mit.edu>
In-Reply-To: <20210706171208.3540887-1-tytso@mit.edu>
User-Agent: Mutt/1.10.1 (2018-07-13)
X-Mailing-List: linux-ext4@vger.kernel.org

On Tue 06-07-21 13:12:08, Theodore Ts'o wrote:
> After commit 618f003199c6 ("ext4: fix memory leak in
> ext4_fill_super"), after the file system is remounted read-only, there
> is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to
> point at freed memory, which the call to ext4_stop_mmpd() can trip
> over.
>
> Fix this by only allowing kmmpd() to exit when it is stopped via
> ext4_stop_mmpd().
>
> Link: https://lore.kernel.org/r/YONtEGojq7LcXnuC@mit.edu
> Reported-by: Ye Bin
> Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>
> Signed-off-by: Theodore Ts'o

The patch looks mostly fine. Two comments below.
> @@ -242,9 +237,13 @@ static int kmmpd(void *data) > mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN); > mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds()); > > - retval = write_mmp_block(sb, bh); > + return write_mmp_block(sb, bh); I think we need to keep retval = write_mmp_block() here. Otherwise we could exit early in sb_rdonly() case and still have potential use-after-free. > > -exit_thread: > +wait_to_exit: > + set_current_state(TASK_INTERRUPTIBLE); > + while (!kthread_should_stop()) > + schedule(); > + set_current_state(TASK_RUNNING); > return retval; > } This is more or less fine but if we get a spurious wakeup for whatever reason (which sets task to TASK_RUNNING state) we would still be potentially looping in that loop burning cpu... Honza -- Jan Kara SUSE Labs, CR
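Review bot: in the first hunk (`@@ -242,9 +237,13 @@ static int kmmpd(void *data)`), turning `retval = write_mmp_block(sb, bh);` into `return write_mmp_block(sb, bh);` on the path that writes EXT4_MMP_SEQ_CLEAN makes kmmpd() return before it ever reaches the new `wait_to_exit:` label, so on that path the thread still exits on its own and sbi->s_mmp_tsk can dangle before ext4_stop_mmpd() runs, which is the use-after-free the commit message sets out to close. Keep the assignment (`retval = write_mmp_block(sb, bh);`) and let control fall through to `wait_to_exit:` so that every exit from kmmpd() is gated on kthread_should_stop().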
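Review bot: in the `wait_to_exit:` hunk, `set_current_state(TASK_INTERRUPTIBLE);` is armed only once before `while (!kthread_should_stop()) schedule();`, so any wakeup that is not a stop request leaves the task in TASK_RUNNING and every later schedule() returns immediately, turning the wait into a busy loop. Re-arm the sleep state each time round, and do so before the stop check so a kthread_stop() arriving between the check and the sleep is not missed: `set_current_state(TASK_INTERRUPTIBLE); while (!kthread_should_stop()) { schedule(); set_current_state(TASK_INTERRUPTIBLE); }`, keeping the existing `set_current_state(TASK_RUNNING);` after the loop.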