Jan Kara ccd3c4373e jbd2: fix use after free in jbd2_log_do_checkpoint() ... The code cleaning transaction's lists of checkpoint buffers has a bug where it increases bh refcount only after releasing journal->j_list_lock. Thus the following race is possible: CPU0 CPU1 jbd2_log_do_checkpoint() jbd2_journal_try_to_free_buffers() __journal_try_to_free_buffer(bh) ... while (transaction->t_checkpoint_io_list) ... if (buffer_locked(bh)) { <-- IO completes now, buffer gets unlocked --> spin_unlock(&journal->j_list_lock); spin_lock(&journal->j_list_lock); __jbd2_journal_remove_checkpoint(jh); spin_unlock(&journal->j_list_lock); try_to_free_buffers(page); get_bh(bh) <-- accesses freed bh Fix the problem by grabbing bh reference before unlocking journal->j_list_lock. Fixes: dc6e8d669c ("jbd2: don't call get_bh() before calling __jbd2_journal_remove_checkpoint()") Fixes: be1158cc61 ("jbd2: fold __process_buffer() into jbd2_log_do_checkpoint()") Reported-by: syzbot+7f4a27091759e2fe7453@syzkaller.appspotmail.com CC: stable@vger.kernel.org Reviewed-by: Lukas Czerner <lczerner@redhat.com> Signed-off-by: Jan Kara <jack@suse.cz> Signed-off-by: Theodore Ts'o <tytso@mit.edu>		2018-10-05 18:44:40 -04:00
..
checkpoint.c	jbd2: fix use after free in jbd2_log_do_checkpoint()	2018-10-05 18:44:40 -04:00
commit.c	jbd2: replace current_kernel_time64 with ktime equivalent	2018-07-29 15:51:47 -04:00
journal.c	jbd2: remove NULL check before calling kmem_cache_destroy()	2018-05-20 22:38:26 -04:00
Kconfig	jbd2: remove debug dependency on debug_fs and update Kconfig help text	2013-06-12 23:07:51 -04:00
Makefile
recovery.c	jbd2: clarify bad journal block checksum message	2018-02-18 21:33:13 -05:00
revoke.c	treewide: kmalloc() -> kmalloc_array()	2018-06-12 16:19:22 -07:00
transaction.c	jbd2: don't mark block as modified if the handle is out of credits	2018-06-16 20:21:45 -04:00