d6c1b3599b
[syzbot reported] ================================================================== BUG: KASAN: slab-use-after-free in __mutex_lock_common kernel/locking/mutex.c:587 [inline] BUG: KASAN: slab-use-after-free in __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 Read of size 8 at addr ffff8880229254b0 by task syz-executor357/5216 CPU: 0 UID: 0 PID: 5216 Comm: syz-executor357 Not tainted 6.11.0-rc3-syzkaller-00156-gd7a5aa4b3c00 #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 06/27/2024 Call Trace: <TASK> __dump_stack lib/dump_stack.c:93 [inline] dump_stack_lvl+0x241/0x360 lib/dump_stack.c:119 print_address_description mm/kasan/report.c:377 [inline] print_report+0x169/0x550 mm/kasan/report.c:488 kasan_report+0x143/0x180 mm/kasan/report.c:601 __mutex_lock_common kernel/locking/mutex.c:587 [inline] __mutex_lock+0xfe/0xd70 kernel/locking/mutex.c:752 dbFreeBits+0x7ea/0xd90 fs/jfs/jfs_dmap.c:2390 dbFreeDmap fs/jfs/jfs_dmap.c:2089 [inline] dbFree+0x35b/0x680 fs/jfs/jfs_dmap.c:409 dbDiscardAG+0x8a9/0xa20 fs/jfs/jfs_dmap.c:1650 jfs_ioc_trim+0x433/0x670 fs/jfs/jfs_discard.c:100 jfs_ioctl+0x2d0/0x3e0 fs/jfs/ioctl.c:131 vfs_ioctl fs/ioctl.c:51 [inline] __do_sys_ioctl fs/ioctl.c:907 [inline] __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:893 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 Freed by task 5218: kasan_save_stack mm/kasan/common.c:47 [inline] kasan_save_track+0x3f/0x80 mm/kasan/common.c:68 kasan_save_free_info+0x40/0x50 mm/kasan/generic.c:579 poison_slab_object+0xe0/0x150 mm/kasan/common.c:240 __kasan_slab_free+0x37/0x60 mm/kasan/common.c:256 kasan_slab_free include/linux/kasan.h:184 [inline] slab_free_hook mm/slub.c:2252 [inline] slab_free mm/slub.c:4473 [inline] kfree+0x149/0x360 mm/slub.c:4594 dbUnmount+0x11d/0x190 fs/jfs/jfs_dmap.c:278 jfs_mount_rw+0x4ac/0x6a0 fs/jfs/jfs_mount.c:247 jfs_remount+0x3d1/0x6b0 fs/jfs/super.c:454 reconfigure_super+0x445/0x880 fs/super.c:1083 vfs_cmd_reconfigure fs/fsopen.c:263 [inline] vfs_fsconfig_locked fs/fsopen.c:292 [inline] __do_sys_fsconfig fs/fsopen.c:473 [inline] __se_sys_fsconfig+0xb6e/0xf80 fs/fsopen.c:345 do_syscall_x64 arch/x86/entry/common.c:52 [inline] do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83 entry_SYSCALL_64_after_hwframe+0x77/0x7f [Analysis] There are two paths (dbUnmount and jfs_ioc_trim) that generate race condition when accessing bmap, which leads to the occurrence of uaf. Use the lock s_umount to synchronize them, in order to avoid uaf caused by race condition. Reported-and-tested-by: syzbot+3c010e21296f33a5dc16@syzkaller.appspotmail.com Signed-off-by: Edward Adam Davis <eadavis@qq.com> Signed-off-by: Dave Kleikamp <dave.kleikamp@oracle.com>
114 lines
2.5 KiB
C
114 lines
2.5 KiB
C
// SPDX-License-Identifier: GPL-2.0-or-later
|
|
/*
|
|
* Copyright (C) Tino Reichardt, 2012
|
|
*/
|
|
|
|
#include <linux/fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/blkdev.h>
|
|
|
|
#include "jfs_incore.h"
|
|
#include "jfs_superblock.h"
|
|
#include "jfs_discard.h"
|
|
#include "jfs_dmap.h"
|
|
#include "jfs_debug.h"
|
|
|
|
|
|
/*
|
|
* NAME: jfs_issue_discard()
|
|
*
|
|
* FUNCTION: TRIM the specified block range on device, if supported
|
|
*
|
|
* PARAMETERS:
|
|
* ip - pointer to in-core inode
|
|
* blkno - starting block number to be trimmed (0..N)
|
|
* nblocks - number of blocks to be trimmed
|
|
*
|
|
* RETURN VALUES:
|
|
* none
|
|
*
|
|
* serialization: IREAD_LOCK(ipbmap) held on entry/exit;
|
|
*/
|
|
void jfs_issue_discard(struct inode *ip, u64 blkno, u64 nblocks)
|
|
{
|
|
struct super_block *sb = ip->i_sb;
|
|
int r = 0;
|
|
|
|
r = sb_issue_discard(sb, blkno, nblocks, GFP_NOFS, 0);
|
|
if (unlikely(r != 0)) {
|
|
jfs_err("JFS: sb_issue_discard(%p, %llu, %llu, GFP_NOFS, 0) = %d => failed!",
|
|
sb, (unsigned long long)blkno,
|
|
(unsigned long long)nblocks, r);
|
|
}
|
|
|
|
jfs_info("JFS: sb_issue_discard(%p, %llu, %llu, GFP_NOFS, 0) = %d",
|
|
sb, (unsigned long long)blkno,
|
|
(unsigned long long)nblocks, r);
|
|
|
|
return;
|
|
}
|
|
|
|
/*
|
|
* NAME: jfs_ioc_trim()
|
|
*
|
|
* FUNCTION: attempt to discard (TRIM) all free blocks from the
|
|
* filesystem.
|
|
*
|
|
* PARAMETERS:
|
|
* ip - pointer to in-core inode;
|
|
* range - the range, given by user space
|
|
*
|
|
* RETURN VALUES:
|
|
* 0 - success
|
|
* -EIO - i/o error
|
|
*/
|
|
int jfs_ioc_trim(struct inode *ip, struct fstrim_range *range)
|
|
{
|
|
struct inode *ipbmap = JFS_SBI(ip->i_sb)->ipbmap;
|
|
struct bmap *bmp;
|
|
struct super_block *sb = ipbmap->i_sb;
|
|
int agno, agno_end;
|
|
u64 start, end, minlen;
|
|
u64 trimmed = 0;
|
|
|
|
/**
|
|
* convert byte values to block size of filesystem:
|
|
* start: First Byte to trim
|
|
* len: number of Bytes to trim from start
|
|
* minlen: minimum extent length in Bytes
|
|
*/
|
|
start = range->start >> sb->s_blocksize_bits;
|
|
end = start + (range->len >> sb->s_blocksize_bits) - 1;
|
|
minlen = range->minlen >> sb->s_blocksize_bits;
|
|
if (minlen == 0)
|
|
minlen = 1;
|
|
|
|
down_read(&sb->s_umount);
|
|
bmp = JFS_SBI(ip->i_sb)->bmap;
|
|
|
|
if (minlen > bmp->db_agsize ||
|
|
start >= bmp->db_mapsize ||
|
|
range->len < sb->s_blocksize) {
|
|
up_read(&sb->s_umount);
|
|
return -EINVAL;
|
|
}
|
|
|
|
if (end >= bmp->db_mapsize)
|
|
end = bmp->db_mapsize - 1;
|
|
|
|
/**
|
|
* we trim all ag's within the range
|
|
*/
|
|
agno = BLKTOAG(start, JFS_SBI(ip->i_sb));
|
|
agno_end = BLKTOAG(end, JFS_SBI(ip->i_sb));
|
|
while (agno <= agno_end) {
|
|
trimmed += dbDiscardAG(ip, agno, minlen);
|
|
agno++;
|
|
}
|
|
|
|
up_read(&sb->s_umount);
|
|
range->len = trimmed << sb->s_blocksize_bits;
|
|
|
|
return 0;
|
|
}
|