Bug 5319 - [ANCK 5.10] BUG: potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
Summary: [ANCK 5.10] BUG: potential UAF of struct nilfs_sc_info in nilfs_segctor_thread()
Status: RESOLVED FIXED
Alias: None
Product: ANCK 5.10 Dev
Classification: ANCK
Component: fs
Version: 5.10.y-15
Hardware: All
OS: Linux
Importance: P3-Medium S3-normal
Target Milestone: ---
Assignee: ljubomir
QA Contact: shuming
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2023-05-26 09:10 UTC by ljubomir
Modified: 2023-07-10 21:01 UTC

See Also:

Description ljubomir inspur_group 2023-05-26 09:10:27 UTC
Description of problem:

The finalization of nilfs_segctor_thread() can race with
nilfs_segctor_kill_thread() which terminates that thread, potentially
causing a use-after-free BUG as KASAN detected.

At the end of nilfs_segctor_thread(), it assigns NULL to "sc_task" member
of "struct nilfs_sc_info" to indicate the thread has finished, and then
notifies nilfs_segctor_kill_thread() of this using waitqueue
"sc_wait_task" on the struct nilfs_sc_info.

However, here, immediately after the NULL assignment to "sc_task", it is
possible that nilfs_segctor_kill_thread() will detect it and return to
continue the deallocation, freeing the nilfs_sc_info structure before the
thread does the notification.
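A userspace model of the race described in this report, added here for illustration (it is not nilfs2 code and not the merged PR): a worker thread announces its exit by clearing a task flag and then notifying a waiter, while the kill side waits for the flag to clear and its caller then frees the state. The page does not show the patch, so the hardened variant below (hold the state lock across both the NULL store and the wake-up, so that a kill routine which must reacquire that lock before returning cannot let the free run first) is one standard way to close this class of race and is an assumption of this example, not a description of the ANCK fix. kfree() is modelled by poisoning a magic word while keeping the memory allocated, like a KASAN quarantine, so a touch after "free" is detected deterministically instead of being undefined behaviour; the names sc_info, thread_args and run_scenario are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <time.h>

#define SC_MAGIC  0x5c1f0u
#define SC_POISON 0xdeadbeefu

/* Stand-in for struct nilfs_sc_info, reduced to the members the race involves. */
struct sc_info {
    pthread_mutex_t state_lock;    /* sc_state_lock */
    atomic_bool quit;              /* NILFS_SEGCTOR_QUIT */
    atomic_bool task;              /* "sc_task != NULL" */
    atomic_uint wait_task_magic;   /* stands in for sc_wait_task; poisoned on "free" */
};

struct thread_args {
    struct sc_info *sci;
    bool hold_lock_across_exit;    /* false: racy exit path, true: hardened one (assumed fix) */
    atomic_bool uaf_detected;      /* lives outside sci so it survives the "free" */
};

/* Widen the window between the flag store and the wake-up so the race reproduces reliably. */
static void widen_window(void)
{
    struct timespec ts = { .tv_sec = 0, .tv_nsec = 50 * 1000 * 1000 };
    nanosleep(&ts, NULL);
}

/* wake_up(&sci->sc_wait_task): the notification has to dereference sci. */
static void segctor_wake_up(struct thread_args *a)
{
    if (atomic_load(&a->sci->wait_task_magic) != SC_MAGIC)
        atomic_store(&a->uaf_detected, true);   /* touched after "kfree" */
}

static void *segctor_thread(void *arg)
{
    struct thread_args *a = arg;
    struct sc_info *sci = a->sci;

    while (!atomic_load(&sci->quit))             /* main loop: wait for QUIT */
        sched_yield();

    if (a->hold_lock_across_exit)
        pthread_mutex_lock(&sci->state_lock);
    atomic_store(&sci->task, false);             /* sci->sc_task = NULL */
    widen_window();
    segctor_wake_up(a);                          /* wake_up(&sci->sc_wait_task) */
    if (a->hold_lock_across_exit)
        pthread_mutex_unlock(&sci->state_lock);
    return NULL;
}

/* nilfs_segctor_kill_thread(): entered and left with state_lock held. */
static void segctor_kill_thread(struct sc_info *sci)
{
    atomic_store(&sci->quit, true);
    while (atomic_load(&sci->task)) {
        pthread_mutex_unlock(&sci->state_lock);
        /* wait_event(sc_wait_task, sc_task == NULL) tests the condition before
         * sleeping, so it returns as soon as the flag is clear, wake-up or not. */
        while (atomic_load(&sci->task))
            sched_yield();
        pthread_mutex_lock(&sci->state_lock);
    }
}

/* Runs one scenario; returns true if the thread touched sci after it was "freed". */
bool run_scenario(bool hold_lock_across_exit)
{
    struct sc_info *sci = calloc(1, sizeof(*sci));
    struct thread_args a = { .sci = sci, .hold_lock_across_exit = hold_lock_across_exit };
    pthread_t t;

    pthread_mutex_init(&sci->state_lock, NULL);
    atomic_store(&sci->task, true);
    atomic_store(&sci->wait_task_magic, SC_MAGIC);
    pthread_create(&t, NULL, segctor_thread, &a);

    pthread_mutex_lock(&sci->state_lock);        /* destroy path: kill under the lock, then free */
    segctor_kill_thread(sci);
    pthread_mutex_unlock(&sci->state_lock);
    atomic_store(&sci->wait_task_magic, SC_POISON);   /* kfree(sci) */

    pthread_join(t, NULL);
    pthread_mutex_destroy(&sci->state_lock);
    free(sci);
    return atomic_load(&a.uaf_detected);
}

int main(void)
{
    printf("racy exit path:    UAF %s\n", run_scenario(false) ? "detected" : "not detected");
    printf("lock held to exit: UAF %s\n", run_scenario(true) ? "detected" : "not detected");
    return 0;
}
```

Build with `cc -pthread` on older toolchains (glibc 2.34 and later need no extra flag). The racy variant reports a detected use-after-"free" because the kill side observes the cleared flag during the widened window and returns before the wake-up runs; in the hardened variant the kill side blocks on the state lock until the thread has finished notifying, so the poisoning cannot happen first.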
Comment 1 小龙 admin 2023-05-26 09:15:37 UTC
The PR Link: https://gitee.com/anolis/cloud-kernel/pulls/1666
Comment 2 Joseph Qi alibaba_cloud_group 2023-06-07 10:04:14 UTC
(In reply to 小龙 from comment #1)
> The PR Link: https://gitee.com/anolis/cloud-kernel/pulls/1666

merged