redonkable/alistair23-linux
redonkable/alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/fs/ext4
History
Junho Ryu 4e8d213980 ext4: fix use-after-free in ext4_mb_new_blocks 
ext4_mb_put_pa should hold pa->pa_lock before accessing pa->pa_count.
While ext4_mb_use_preallocated checks pa->pa_deleted first and then
increments pa->count later, ext4_mb_put_pa decrements pa->pa_count
before holding pa->pa_lock and then sets pa->pa_deleted.

* Free sequence
ext4_mb_put_pa (1):		atomic_dec_and_test pa->pa_count
ext4_mb_put_pa (2):		lock pa->pa_lock
ext4_mb_put_pa (3):			check pa->pa_deleted
ext4_mb_put_pa (4):			set pa->pa_deleted=1
ext4_mb_put_pa (5):		unlock pa->pa_lock
ext4_mb_put_pa (6):		remove pa from a list
ext4_mb_pa_callback:		free pa

* Use sequence
ext4_mb_use_preallocated (1):	iterate over preallocation
ext4_mb_use_preallocated (2):	lock pa->pa_lock
ext4_mb_use_preallocated (3):		check pa->pa_deleted
ext4_mb_use_preallocated (4):		increase pa->pa_count
ext4_mb_use_preallocated (5):	unlock pa->pa_lock
ext4_mb_release_context:	access pa

* Use-after-free sequence
[initial status]		<pa->pa_deleted = 0, pa_count = 1>
ext4_mb_use_preallocated (1):	iterate over preallocation
ext4_mb_use_preallocated (2):	lock pa->pa_lock
ext4_mb_use_preallocated (3):		check pa->pa_deleted
ext4_mb_put_pa (1):		atomic_dec_and_test pa->pa_count
[pa_count decremented]		<pa->pa_deleted = 0, pa_count = 0>
ext4_mb_use_preallocated (4):		increase pa->pa_count
[pa_count incremented]		<pa->pa_deleted = 0, pa_count = 1>
ext4_mb_use_preallocated (5):	unlock pa->pa_lock
ext4_mb_put_pa (2):		lock pa->pa_lock
ext4_mb_put_pa (3):			check pa->pa_deleted
ext4_mb_put_pa (4):			set pa->pa_deleted=1
[race condition!]		<pa->pa_deleted = 1, pa_count = 1>
ext4_mb_put_pa (5):		unlock pa->pa_lock
ext4_mb_put_pa (6):		remove pa from a list
ext4_mb_pa_callback:		free pa
ext4_mb_release_context:	access pa

AddressSanitizer has detected use-after-free in ext4_mb_new_blocks
Bug report: http://goo.gl/rG1On3

Signed-off-by: Junho Ryu <jayr@google.com>
Signed-off-by: "Theodore Ts'o" <tytso@mit.edu>
Cc: stable@vger.kernel.org
2013-12-03 18:10:28 -05:00
..
acl.c ext4: fix the number of credits needed for acl ops with inline data 2013-02-09 15:23:03 -05:00
acl.h
balloc.c ext4: don't count free clusters from a corrupt block group 2013-10-31 11:46:31 -04:00
bitmap.c
block_validity.c
dir.c ext4: Fix misspellings using 'codespell' tool 2013-08-28 14:40:12 -04:00
ext4.h Ext4 updates for 3.13. Mostly bug fixes and cleanups. 2013-11-14 17:19:58 +09:00
ext4_extents.h ext4: isolate ext4_extents.h file 2013-08-28 14:47:06 -04:00
ext4_jbd2.c ext4: call ext4_error_inode() if jbd2_journal_dirty_metadata() fails 2013-12-02 09:31:36 -05:00
ext4_jbd2.h ext4: Fix misspellings using 'codespell' tool 2013-08-28 14:40:12 -04:00
extents.c ext4: remove unreachable code after ext4_can_extents_be_merged() 2013-11-07 22:22:08 -05:00
extents_status.c fs: convert fs shrinkers to new scan/count API 2013-09-10 18:56:31 -04:00
extents_status.h ext4: isolate ext4_extents.h file 2013-08-28 14:47:06 -04:00
file.c direct-io: Handle O_(D)SYNC AIO 2013-09-04 09:23:46 -04:00
fsync.c ext4: Fix fsync error handling after filesystem abort 2013-06-12 22:38:04 -04:00
hash.c ext4: reduce one "if" comparison in ext4_dirhash() 2013-02-01 22:33:21 -05:00
ialloc.c ext4: use prandom_u32() instead of get_random_bytes() 2013-11-08 00:14:53 -05:00
indirect.c ext4: isolate ext4_extents.h file 2013-08-28 14:47:06 -04:00
inline.c ext4: drop set but otherwise unused variable from ext4_add_dirent_to_inline() 2013-10-30 10:53:10 -04:00
inode.c ext4: return non-zero st_blocks for inline data 2013-11-11 22:38:12 -05:00
ioctl.c vfs: pull ext4's double-i_mutex-locking into common code 2013-11-09 00:16:39 -05:00
Kconfig ext4: fix Kconfig documentation for CONFIG_EXT4_DEBUG 2013-04-21 20:32:03 -04:00
Makefile
mballoc.c ext4: fix use-after-free in ext4_mb_new_blocks 2013-12-03 18:10:28 -05:00
mballoc.h ext4: use module parameters instead of debugfs for mballoc_debug 2013-02-09 16:28:20 -05:00
migrate.c ext4: Fix misspellings using 'codespell' tool 2013-08-28 14:40:12 -04:00
mmp.c ext4: use prandom_u32() instead of get_random_bytes() 2013-11-08 00:14:53 -05:00
move_extent.c vfs: pull ext4's double-i_mutex-locking into common code 2013-11-09 00:16:39 -05:00
namei.c ext[34]: fix double put in tmpfile 2013-10-15 12:14:06 -04:00
page-io.c ext4: fix assertion in ext4_add_complete_io() 2013-10-16 08:25:11 -04:00
resize.c ext4: fix corruption when online resizing a fs with 1K block size 2013-07-01 08:12:08 -04:00
super.c ext4: use prandom_u32() instead of get_random_bytes() 2013-11-08 00:14:53 -05:00
symlink.c
truncate.h
xattr.c ext4: avoid bh leak in retry path of ext4_expand_extra_isize_ea() 2013-10-31 23:00:24 -04:00
xattr.h ext4: reserve xattr index for Rich ACL support 2013-04-18 14:53:15 -04:00
xattr_security.c
xattr_trusted.c
xattr_user.c