Date: Tue, 26 Apr 2022 11:31:24 -0700
From: Samuel Mendoza-Jonas
To: Ritesh Harjani
CC: , Jan Kara ,
Subject: Re: [PATCH] jbd2: Fix use-after-free of transaction_t race
Message-ID: <20220426183124.phrwsl77bch5uljx@u46989501580c5c.ant.amazon.com>
References: <948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com>
In-Reply-To: <948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com>
X-Mailing-List: linux-ext4@vger.kernel.org

On Thu, Feb 10, 2022 at 09:07:11PM +0530, Ritesh Harjani wrote:
> jbd2_journal_wait_updates() is called with j_state_lock held. But if
> there is a commit in progress, then this transaction might get committed
> and freed via jbd2_journal_commit_transaction() ->
> jbd2_journal_free_transaction(), when we release j_state_lock.
> So check for journal->j_running_transaction every time we release and
> acquire j_state_lock to avoid use-after-free issue.
>
> Fixes: 4f98186848707f53 ("jbd2: refactor wait logic for transaction updates into a common function")
> Reported-and-tested-by: syzbot+afa2ca5171d93e44b348@syzkaller.appspotmail.com
> Signed-off-by: Ritesh Harjani

Hi Ritesh,

Looking at the refactor in the commit this fixes, I believe the same issue is present prior to the refactor, so this would apply before 5.17 as well. I've posted a backport for 4.9-4.19 and 5.4-5.16 to stable here:

https://lore.kernel.org/stable/20220426182702.716304-1-samjonas@amazon.com/T/#t

Please have a look and let me know if you agree.

Cheers,
Sam Mendoza-Jonas

> ---
> fs/jbd2/transaction.c | 41 +++++++++++++++++++++++++----------------
> 1 file changed, 25 insertions(+), 16 deletions(-)
>
> diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c
> index 8e2f8275a253..259e00046a8b 100644
> --- a/fs/jbd2/transaction.c
> +++ b/fs/jbd2/transaction.c
> @@ -842,27 +842,38 @@ EXPORT_SYMBOL(jbd2_journal_restart); > */ > void jbd2_journal_wait_updates(journal_t *journal) > { > - transaction_t *commit_transaction = journal->j_running_transaction; > + DEFINE_WAIT(wait); > > - if (!commit_transaction) > - return; > + while (1) { > + /* > + * Note that the running transaction can get freed under us if > + * this transaction is getting committed in > + * jbd2_journal_commit_transaction() -> > + * jbd2_journal_free_transaction(). This can only happen when we > + * release j_state_lock -> schedule() -> acquire j_state_lock. > + * Hence we should everytime retrieve new j_running_transaction > + * value (after j_state_lock release acquire cycle), else it may > + * lead to use-after-free of old freed transaction. > + */ > + transaction_t *transaction = journal->j_running_transaction; > > - spin_lock(&commit_transaction->t_handle_lock); > - while (atomic_read(&commit_transaction->t_updates)) { > - DEFINE_WAIT(wait); > + if (!transaction) > + break; > > + spin_lock(&transaction->t_handle_lock); > prepare_to_wait(&journal->j_wait_updates, &wait, > - TASK_UNINTERRUPTIBLE); > - if (atomic_read(&commit_transaction->t_updates)) { > - spin_unlock(&commit_transaction->t_handle_lock); > - write_unlock(&journal->j_state_lock); > - schedule(); > - write_lock(&journal->j_state_lock); > - spin_lock(&commit_transaction->t_handle_lock); > + TASK_UNINTERRUPTIBLE); > + if (!atomic_read(&transaction->t_updates)) { > + spin_unlock(&transaction->t_handle_lock); > + finish_wait(&journal->j_wait_updates, &wait); > + break; > } > + spin_unlock(&transaction->t_handle_lock); > + write_unlock(&journal->j_state_lock); > + schedule(); > finish_wait(&journal->j_wait_updates, &wait); > + write_lock(&journal->j_state_lock); > } > - spin_unlock(&commit_transaction->t_handle_lock); > } > > /** 
> @@ -877,8 +888,6 @@ void jbd2_journal_wait_updates(journal_t *journal) > */ > void jbd2_journal_lock_updates(journal_t *journal) > { > - DEFINE_WAIT(wait); > - > jbd2_might_wait_for_commit(journal); > > write_lock(&journal->j_state_lock); > -- > 2.31.1 >
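Review bot: in the first hunk the new loop body re-reads journal->j_running_transaction after every write_lock(&journal->j_state_lock), so when the transaction captured on the previous iteration was committed during schedule() and a new one has since started, the function goes on to wait for the new transaction's t_updates as well; the removed code captured commit_transaction once and returned as soon as that single transaction drained. That is the behaviour a caller that wants all updates quiesced needs, but it is a contract change that neither the new block comment nor the commit message states. Suggest one sentence in the comment, e.g. "Loop until there is no running transaction or the current running transaction has no updates in flight", and while touching the comment, "everytime" should read "every time".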
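Review bot: the second hunk removes DEFINE_WAIT(wait) from jbd2_journal_lock_updates(), which is a cleanup the commit message does not mention; the visible context shows no remaining use of it, so it looks like an unused leftover from the refactor in 4f98186848707f53, but the Fixes: tag and the stable backports being discussed argue for keeping the fix minimal. Either add a line to the commit message saying the variable was unused after the wait logic moved into jbd2_journal_wait_updates(), or split the removal into its own patch.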
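The race the commit message describes, as a single-threaded user-space model added here for illustration (it is not kernel code and not part of the patch or its author's work; every name in it, such as struct journal, wait_updates_buggy and run_scenario, is invented for the model): the waiter captures j_running_transaction, drops j_state_lock to sleep, the commit thread frees that transaction while the waiter is asleep, and the waiter dereferences the stale pointer when it wakes. The commit thread is modelled as running exactly when the waiter drops the lock, and freeing is modelled by a tombstone flag so the stale read can be counted instead of being undefined behaviour.

```c
/*
 * Added example: user-space model of the jbd2_journal_wait_updates() race.
 * Not kernel code and not from the patch; all names here are invented.
 * The only "thread" is the waiter. The commit thread runs exactly when the
 * waiter drops the state lock, which is the only window in which jbd2 can
 * commit and free the running transaction. Freed transactions are tombstoned
 * instead of free()d so a stale dereference is counted, not UB.
 */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

struct transaction {
	int updates;	/* models t_updates: handles still open on it */
	bool freed;	/* tombstone: set when the commit "frees" it */
};

struct journal {
	struct transaction pool[2];	/* at most two transactions in the model */
	int next_txn;
	struct transaction *running;	/* models j_running_transaction */
	bool state_lock_held;		/* models the write side of j_state_lock */
	bool new_txn_after_commit;	/* start a fresh transaction after commit? */
	int commits;
	int stale_derefs;		/* reads through a pointer to a freed transaction */
};

static struct transaction *start_transaction(struct journal *j, int updates)
{
	if (j->next_txn >= 2)
		return NULL;
	struct transaction *t = &j->pool[j->next_txn++];
	t->updates = updates;
	t->freed = false;
	return t;
}

static void journal_init(struct journal *j, int updates, bool new_txn_after_commit)
{
	memset(j, 0, sizeof(*j));
	j->new_txn_after_commit = new_txn_after_commit;
	j->running = start_transaction(j, updates);
	j->state_lock_held = true;	/* callers enter with j_state_lock held */
}

/*
 * The commit thread: the open handle finishes (t_updates -> 0), the running
 * transaction commits and is "freed", and optionally a new one is started.
 */
static void commit_running(struct journal *j)
{
	struct transaction *t = j->running;
	if (!t)
		return;
	t->updates = 0;
	t->freed = true;
	j->commits++;
	j->running = j->new_txn_after_commit ? start_transaction(j, 0) : NULL;
}

/* write_unlock(j_state_lock); schedule(): the commit thread gets to run here. */
static void state_unlock_and_schedule(struct journal *j)
{
	j->state_lock_held = false;
	commit_running(j);
}

static void state_lock(struct journal *j)
{
	j->state_lock_held = true;
}

/* Every read of t_updates goes through here so stale reads can be counted. */
static int read_updates(struct journal *j, const struct transaction *t)
{
	if (t->freed)
		j->stale_derefs++;	/* in the kernel this is the use-after-free */
	return t->updates;
}

/* Pre-patch shape: capture the running transaction once, then sleep and retry on it. */
static void wait_updates_buggy(struct journal *j)
{
	struct transaction *t = j->running;
	if (!t)
		return;
	while (read_updates(j, t)) {
		state_unlock_and_schedule(j);
		state_lock(j);
	}
}

/* Patched shape: re-read j_running_transaction after every unlock/lock cycle. */
static void wait_updates_fixed(struct journal *j)
{
	for (;;) {
		struct transaction *t = j->running;
		if (!t || !read_updates(j, t))
			break;
		state_unlock_and_schedule(j);
		state_lock(j);
	}
}

/* One waiter over a journal with one open handle; returns stale dereferences. */
static int run_scenario(bool fixed, bool new_txn_after_commit)
{
	struct journal j;
	journal_init(&j, 1, new_txn_after_commit);
	if (fixed)
		wait_updates_fixed(&j);
	else
		wait_updates_buggy(&j);
	return j.stale_derefs;
}

int main(void)
{
	printf("buggy loop: stale dereferences = %d\n", run_scenario(false, true));
	printf("fixed loop: stale dereferences = %d\n", run_scenario(true, true));
	return 0;
}
```

The buggy variant reports one stale dereference whether or not a new transaction was started after the commit, because it re-checks t_updates on the pointer it captured before sleeping; the fixed variant reports none, since after re-taking the lock it either finds no running transaction or finds the new one and checks that instead.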