fix-use-after-free-race-in-ext4_remount-error-path

   1 ext4: fix use-after-free race in ext4_remount()'s error path
   2
   3 It's possible for ext4_show_quota_options() to try reading
   4 s_qf_names[i] while it is being modified by ext4_remount() --- most
   5 notably, in ext4_remount's error path when the original values of the
   6 quota file name gets restored.
   7
   8 Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com
   9 Signed-off-by: Theodore Ts'o <tytso@mit.edu>
  10 Cc: stable@kernel.org
  11 ---
  12  fs/ext4/super.c | 2 ++
  13  1 file changed, 2 insertions(+)
  14
  15 diff --git a/fs/ext4/super.c b/fs/ext4/super.c
  16 index faf293ed8060..11a1bfae0937 100644
  17 --- a/fs/ext4/super.c
  18 +++ b/fs/ext4/super.c
  19 @@ -2048,11 +2048,13 @@ static inline void ext4_show_quota_options(struct seq_file *seq,
  20                 seq_printf(seq, ",jqfmt=%s", fmtname);
  21         }
  22
  23 +       down_read(&sb->s_umount);
  24         if (sbi->s_qf_names[USRQUOTA])
  25                 seq_show_option(seq, "usrjquota", sbi->s_qf_names[USRQUOTA]);
  26
  27         if (sbi->s_qf_names[GRPQUOTA])
  28                 seq_show_option(seq, "grpjquota", sbi->s_qf_names[GRPQUOTA]);
  29 +       up_read(&sb->s_umount);
  30  #endif
  31  }
  32