jbd2: fix use after free in kjournald2()

From: Sahitya Tummala <stummala@codeaurora.org>
Below is the synchronization issue between unmount and kjournald2
contexts, which results in a use-after-free issue in kjournald2().
Fix this issue by using journal->j_state_lock to synchronize the
wait_event() done in journal_kill_thread() and the wake_up() done

|--jbd2_journal_destroy() {
|--journal_kill_thread() {
      write_lock(&journal->j_state_lock);
      journal->j_flags |= JBD2_UNMOUNT;
      write_unlock(&journal->j_state_lock);
      wake_up(&journal->j_wait_commit);
                                        TASK 2 wakes up here:
                                        checks JBD2_UNMOUNT flag and calls goto end-loop;
                                        write_unlock(&journal->j_state_lock);
                                        journal->j_task = NULL; --> If this thread gets
                                        pre-empted here, then TASK 1 wait_event will
                                        exit even before this thread is completely
      wait_event(journal->j_wait_done_commit, journal->j_task == NULL);
      write_lock(&journal->j_state_lock);
      write_unlock(&journal->j_state_lock);
                                        wake_up(&journal->j_wait_done_commit); --> this step
                                        now results in a use-after-free issue.
Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>

 fs/jbd2/journal.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
48 diff --git a/fs/jbd2/journal.c b/fs/jbd2/journal.c
49 index a097048..85d1483 100644
50 --- a/fs/jbd2/journal.c
51 +++ b/fs/jbd2/journal.c
52 @@ -276,11 +276,11 @@ static int kjournald2(void *arg)
56 - write_unlock(&journal->j_state_lock);
57 del_timer_sync(&journal->j_commit_timer);
58 journal->j_task = NULL;
59 wake_up(&journal->j_wait_done_commit);
60 jbd_debug(1, "Journal thread exiting.\n");
61 + write_unlock(&journal->j_state_lock);
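Review bot: moving write_unlock() below jbd_debug() means del_timer_sync(&journal->j_commit_timer) now runs with j_state_lock write-held, so this is only safe if the commit timer's handler never acquires j_state_lock or waits on something that does; otherwise del_timer_sync() spins on a handler that cannot finish. Worth stating that constraint, and the reason for the ordering, in a comment above `journal->j_task = NULL;`: the waiter in journal_kill_thread() takes write_lock(&journal->j_state_lock) after its wait_event(), so clearing j_task and calling wake_up() while still holding the lock is what keeps the journal alive until the thread's last use of it. Nothing at the call site currently explains why the unlock must stay last, and a later cleanup could easily move it back.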
Qualcomm India Private Limited, on behalf of Qualcomm Innovation Center, Inc.
Qualcomm Innovation Center, Inc. is a member of Code Aurora Forum, a Linux Foundation Collaborative Project.
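The shutdown handshake the commit message describes, modelled in user space as an added example (this is not code from the patch or from fs/jbd2): pthread mutexes stand in for journal->j_state_lock and the wait queue's internal lock, a condition variable for journal->j_wait_done_commit, and an atomic flag for journal->j_task. Nothing is really freed; the unmount side records the point at which it would have called kfree(), and the commit thread records whether it still dereferenced the journal after that point. The names run_shutdown, commit_thread and unmount_side are the example's own, and the `fixed` flag selects between the original ordering (unlock before clearing j_task) and the patched one (unlock after the final wake_up and debug print).

```c
/* Added example, not part of the patch: user-space model of the
 * journal_kill_thread() / kjournald2() shutdown race. */
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

struct journal {
    pthread_mutex_t state_lock;        /* models journal->j_state_lock */
    pthread_mutex_t wq_lock;           /* internal lock of the wait queue */
    pthread_cond_t  wait_done_commit;  /* models journal->j_wait_done_commit */
    atomic_int      task;              /* 1 = j_task set, 0 = j_task == NULL */
    atomic_int      freed;             /* unmount has "freed" the journal */
    atomic_int      uaf_observed;      /* commit thread touched journal afterwards */
};

struct commit_arg {
    struct journal *j;
    bool fixed;   /* true: hold state_lock across the final wake_up (patched) */
};

/* Models the end_loop of kjournald2(). */
static void *commit_thread(void *p)
{
    struct commit_arg *a = p;
    struct journal *j = a->j;

    pthread_mutex_lock(&j->state_lock);
    if (!a->fixed)
        pthread_mutex_unlock(&j->state_lock);   /* original ordering */

    atomic_store(&j->task, 0);                  /* journal->j_task = NULL */

    /* wake_up(&journal->j_wait_done_commit) */
    pthread_mutex_lock(&j->wq_lock);
    pthread_cond_broadcast(&j->wait_done_commit);
    pthread_mutex_unlock(&j->wq_lock);

    sched_yield();  /* stand-in for the preemption the commit message describes */

    /* jbd_debug(1, "Journal thread exiting.\n") still dereferences journal */
    if (atomic_load(&j->freed))
        atomic_store(&j->uaf_observed, 1);

    if (a->fixed)
        pthread_mutex_unlock(&j->state_lock);   /* patched ordering */
    return NULL;
}

/* Models journal_kill_thread() followed by the free in jbd2_journal_destroy(). */
static void unmount_side(struct journal *j)
{
    /* wait_event(journal->j_wait_done_commit, journal->j_task == NULL) */
    pthread_mutex_lock(&j->wq_lock);
    while (atomic_load(&j->task) != 0)
        pthread_cond_wait(&j->wait_done_commit, &j->wq_lock);
    pthread_mutex_unlock(&j->wq_lock);

    /* write_lock/write_unlock pair: blocks until the commit thread has dropped
     * state_lock, which is only after its last use of the journal when fixed */
    pthread_mutex_lock(&j->state_lock);
    pthread_mutex_unlock(&j->state_lock);

    atomic_store(&j->freed, 1);                 /* kfree(journal) would be here */
}

/* Runs the handshake `iterations` times; returns how many runs had the commit
 * thread touch the journal after unmount "freed" it (-1 on thread failure). */
int run_shutdown(bool fixed, int iterations)
{
    int violations = 0;
    for (int i = 0; i < iterations; i++) {
        struct journal j;
        pthread_mutex_init(&j.state_lock, NULL);
        pthread_mutex_init(&j.wq_lock, NULL);
        pthread_cond_init(&j.wait_done_commit, NULL);
        atomic_init(&j.task, 1);
        atomic_init(&j.freed, 0);
        atomic_init(&j.uaf_observed, 0);

        struct commit_arg a = { &j, fixed };
        pthread_t t;
        if (pthread_create(&t, NULL, commit_thread, &a) != 0)
            return -1;
        unmount_side(&j);
        pthread_join(t, NULL);

        violations += atomic_load(&j.uaf_observed);
        pthread_cond_destroy(&j.wait_done_commit);
        pthread_mutex_destroy(&j.wq_lock);
        pthread_mutex_destroy(&j.state_lock);
    }
    return violations;
}

int main(void)
{
    printf("original ordering: %d/1000 runs touched the journal after free\n",
           run_shutdown(false, 1000));
    printf("patched ordering:  %d/1000 runs touched the journal after free\n",
           run_shutdown(true, 1000));
    return 0;
}
```

With `fixed == true` the count is zero by construction: the unmount side cannot get past its lock/unlock pair until the commit thread has finished with the journal, which is exactly the barrier the patch creates. With `fixed == false` the count depends on scheduling, so the model can show the window but not guarantee a hit on every run.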