Date: Fri, 19 Jun 2020 06:46:08 -0700
From: Christoph Hellwig <hch@...radead.org>
To: Dave Chinner <david@...morbit.com>
Cc: Yu Kuai <yukuai3@...wei.com>, darrick.wong@...cle.com,
	linux-xfs@...r.kernel.org, linux-kernel@...r.kernel.org,
	yi.zhang@...wei.com
Subject: Re: [PATCH] xfs: fix use-after-free on CIL context on shutdown

On Thu, Jun 11, 2020 at 12:45:03PM +1000, Dave Chinner wrote:
>
> From: Dave Chinner <dchinner@...hat.com>
>
> xlog_wait() on the CIL context can reference a freed context if the
> waiter doesn't get scheduled before the CIL context is freed. This
> can happen when a task is on the hard throttle and the CIL push
> aborts due to a shutdown. This was detected by generic/019:
>
> thread 1			thread 2
>
> __xfs_trans_commit
>  xfs_log_commit_cil
>   <CIL size over hard throttle limit>
>   xlog_wait
>    schedule
> 				xlog_cil_push_work
> 				wake_up_all
> 				<shutdown aborts commit>
> 				xlog_cil_committed
> 				kmem_free
>
>    remove_wait_queue
>     spin_lock_irqsave --> UAF
>
> Fix it by moving the wait queue to the CIL rather than keeping it in
> the CIL context that gets freed on push completion. Because the
> wait queue is now independent of the CIL context and we might have
> multiple contexts in flight at once, only wake the waiters on the
> push throttle when the context we are pushing is over the hard
> throttle size threshold.
>
> Fixes: 0e7ab7efe7745 ("xfs: Throttle commits on delayed background CIL push")
> Reported-by: Yu Kuai <yukuai3@...wei.com>
> Signed-off-by: Dave Chinner <dchinner@...hat.com>

Looks good:

Reviewed-by: Christoph Hellwig <hch@....de>
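
The lifetime change described in the quoted commit message, as an added example that is not part of the original mail or of the XFS patch: a single-threaded userspace model in which the wait queue head sits in the long-lived object, so a waiter that unlinks after the context has been freed touches no freed memory, and a push wakes waiters only when its context has reached the hard limit. All names (`cil`, `cil_ctx`, `waiter`, `push_and_free` and the rest) and the sizes are assumptions made for the illustration, not the kernel's structures.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
/* Userspace model of the object lifetimes; every name here is hypothetical. */
struct waiter { struct waiter *next; bool woken; };
/* Long-lived: the wait queue head lives here after the fix. */
struct cil { struct waiter *push_wait; size_t hard_limit; };
/* Short-lived: freed when its push completes or aborts. */
struct cil_ctx { struct cil *cil; size_t space_used; };

struct cil_ctx *ctx_alloc(struct cil *cil, size_t used) {
    struct cil_ctx *ctx = malloc(sizeof(*ctx));
    if (!ctx) abort();
    *ctx = (struct cil_ctx){ .cil = cil, .space_used = used };
    return ctx;
}

/* Committer, before sleeping: queue on the CIL, not on the context. */
void wait_prepare(struct cil *cil, struct waiter *w) {
    w->woken = false;
    w->next = cil->push_wait;
    cil->push_wait = w;
}

/* Committer, once scheduled again: unlink, touching only CIL-owned memory. */
void wait_finish(struct cil *cil, struct waiter *w) {
    for (struct waiter **p = &cil->push_wait; *p; p = &(*p)->next)
        if (*p == w) { *p = w->next; break; }
}

/* Push side: wake only if this context reached the hard limit, then free it. */
int push_and_free(struct cil_ctx *ctx) {
    int woken = 0;
    if (ctx->space_used >= ctx->cil->hard_limit)
        for (struct waiter *w = ctx->cil->push_wait; w; w = w->next)
            if (!w->woken) { w->woken = true; woken++; }
    free(ctx);
    return woken;
}

int main(void) {
    struct cil cil = { NULL, 100 };                 /* constructed limit */
    struct waiter w;
    wait_prepare(&cil, &w);                         /* thread 1: xlog_wait */
    int under = push_and_free(ctx_alloc(&cil, 10)); /* other context: no wake */
    int over = push_and_free(ctx_alloc(&cil, 150)); /* thread 2: wake, free */
    wait_finish(&cil, &w);                          /* thread 1 resumes late */
    return (under == 0 && over == 1 && !cil.push_wait) ? 0 : 1;
}
```

Building it with `-fsanitize=address` confirms that the late `wait_finish()` call reads nothing belonging to a freed context.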