Date:   Tue,  5 May 2020 23:06:50 +0800
From:   Jia-Ju Bai <baijiaju1990@...il.com>
To:     shaggy@...nel.org, Markus.Elfring@....de
Cc:     jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org,
        Jia-Ju Bai <baijiaju1990@...il.com>
Subject: [PATCH v2] fs: jfs: fix possible data races in txExit()

The functions txEnd() and txExit() can be concurrently executed in the
following call contexts:

Thread1:
  jfs_lazycommit()
    txLazyCommit()
      txEnd()
Thread2:
  exit_jfs_fs()
    txExit()

In txEnd():
  struct tblock *tblk = tid_to_tblock(tid);
  // #define tid_to_tblock(tid) (&TxBlock[tid])

In txExit():
  vfree(TxBlock);
  TxBlock = NULL;

Data races can occur for the global variable TxBlock, and they
can cause use-after-free bugs and null-pointer dereferences.
These data races were found by our concurrency fuzzer.

Thus call txExit() after the filesystem stops the threads
that run jfs_lazycommit().

Signed-off-by: Jia-Ju Bai <baijiaju1990@...il.com>
---
v2:
* Change the description.
  Thank Markus Elfring for good advice.

 fs/jfs/super.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index b2dc4d1f9dcc..8c80397df336 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -1027,13 +1027,13 @@ static void __exit exit_jfs_fs(void)
 
 	jfs_info("exit_jfs_fs called");
 
-	txExit();
 	metapage_exit();
 
 	kthread_stop(jfsIOthread);
 	for (i = 0; i < commit_threads; i++)
 		kthread_stop(jfsCommitThread[i]);
 	kthread_stop(jfsSyncThread);
+	txExit();
 #ifdef PROC_FS_JFS
 	jfs_proc_clean();
 #endif
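Review bot: the new position of txExit() has no in-code comment explaining why it must follow the kthread_stop() calls, so a later cleanup could reorder it back and silently reintroduce the race described in the commit message; suggest a one-line comment above `+	txExit();`, e.g. `/* txExit() frees TxBlock, which txEnd() dereferences from the commit threads; keep it after kthread_stop() */`. It is also worth confirming in the cover text that the same ordering argument does not apply to metapage_exit(), which still runs before jfsIOthread, the commit threads and jfsSyncThread are stopped.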
-- 
2.17.1