fix-use-after-free-in-kjournald2

   1 jbd2: fix use after free in kjournald2()
   2
   3 From: Sahitya Tummala <stummala@codeaurora.org>
   4
   5 Below is the synchronization issue between unmount and kjournald2
   6 contexts, which results into use after free issue in kjournald2().
   7 Fix this issue by using journal->j_state_lock to synchronize the
   8 wait_event() done in journal_kill_thread() and the wake_up() done
   9 in kjournald2().
  10
  11 TASK 1:
  12 umount cmd:
  13    |--jbd2_journal_destroy() {
  14        |--journal_kill_thread() {
  15             write_lock(&journal->j_state_lock);
  16             journal->j_flags |= JBD2_UNMOUNT;
  17             ...
  18             write_unlock(&journal->j_state_lock);
  19             wake_up(&journal->j_wait_commit);      TASK 2 wakes up here:
  20                                                    kjournald2() {
  21                                                      ...
  22                                                      checks JBD2_UNMOUNT flag and calls goto end-loop;
  23                                                      ...
  24                                                      end_loop:
  25                                                        write_unlock(&journal->j_state_lock);
  26                                                        journal->j_task = NULL; --> If this thread gets
  27                                                        pre-empted here, then TASK 1 wait_event will
  28                                                        exit even before this thread is completely
  29                                                        done.
  30             wait_event(journal->j_wait_done_commit, journal->j_task == NULL);
  31             ...
  32             write_lock(&journal->j_state_lock);
  33             write_unlock(&journal->j_state_lock);
  34           }
  35        |--kfree(journal);
  36      }
  37 }
  38                                                        wake_up(&journal->j_wait_done_commit); --> this step
  39                                                        now results into use after free issue.
  40                                                    }
  41
  42 Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
  43 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  44 ---
  45  fs/jbd2/journal.c | 2 +-
  46  1 file changed, 1 insertion(+), 1 deletion(-)
  47
  48 diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
  49 index a097048..85d1483 100644
  50 --- a/fs/jbd2/journal.c
  51 +++ b/fs/jbd2/journal.c
  52 @@ -276,11 +276,11 @@ static int kjournald2(void *arg)
  53         goto loop;
  54
  55  end_loop:
  56 -       write_unlock(&journal->j_state_lock);
  57         del_timer_sync(&journal->j_commit_timer);
  58         journal->j_task = NULL;
  59         wake_up(&journal->j_wait_done_commit);
  60         jbd_debug(1, "Journal thread exiting.\n");
  61 +       write_unlock(&journal->j_state_lock);
  62         return 0;
  63  }
  64
  65 --
  66 Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc.
  67 Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
  68
  69