On Thu, Aug 15, 2019 at 07:47:19PM +0800, zhangyi (F) wrote:
> Remount process will release system zone which was allocated before if
> "noblock_validity" is specified. If we mount an ext4 file system to two
> mountpoints with default mount options, and then remount one of them
> with "noblock_validity", it may trigger a use after free problem when
> someone accessing the other one.
>
> # mount /dev/sda foo
> # mount /dev/sda bar
>
> User access mountpoint "foo" | Remount mountpoint "bar"
> |
> ext4_map_blocks() | ext4_remount()
> check_block_validity() | ext4_setup_system_zone()
> ext4_data_block_valid() | ext4_release_system_zone()
> | free system_blks rb nodes
> access system_blks rb nodes |
> trigger use after free |
>
> This problem can also be reproduced by one mountpint, At the same time,
> add_system_zone() can get called during remount as well so there can be
> racing ext4_data_block_valid() reading the rbtree at the same time.
>
> This patch add RCU to protect system zone from releasing or building
> when doing a remount which inverse current "noblock_validity" mount
> option. It assign the rbtree after the whole tree was complete and
> do actual freeing after rcu grace period, avoid any intermediate state.
>
> Signed-off-by: zhangyi (F) <yi.zhang@xxxxxxxxxx>
> Reviewed-by: Jan Kara <jack@xxxxxxx>
Applied, thanks!
I changed the patch summary to:
ext4: fix potential use after free after remounting with noblock_validity
I also added:
Reported-by: syzbot+1e470567330b7ad711d5@xxxxxxxxxxxxxxxxxxxxxxxxx
since this had been noted by Syzkaller:
https://syzkaller.appspot.com/bug?extid=1e470567330b7ad711d5
Cheers,
- Ted
