On Tue, May 28, 2024 at 06:26:37AM +0900, Ryusuke Konishi wrote:
> commit f5d4e04634c9cf68bdf23de08ada0bb92e8befe7 upstream.
>
> Patch series "nilfs2: fix log writer related issues".
>
> This bug fix series covers three nilfs2 log writer-related issues,
> including a timer use-after-free issue and potential deadlock issue on
> unmount, and a potential freeze issue in event synchronization found
> during their analysis. Details are described in each commit log.
>
> This patch (of 3):
>
> A use-after-free issue has been reported regarding the timer sc_timer on
> the nilfs_sc_info structure.
>
> The problem is that even though it is used to wake up a sleeping log
> writer thread, sc_timer is not shut down until the nilfs_sc_info structure
> is about to be freed, and is used regardless of the thread's lifetime.
>
> Fix this issue by limiting the use of sc_timer only while the log writer
> thread is alive.
>
> Link: https://lkml.kernel.org/r/20240520132621.4054-1-konishi.ryusuke@xxxxxxxxx
> Link: https://lkml.kernel.org/r/20240520132621.4054-2-konishi.ryusuke@xxxxxxxxx
> Fixes: fdce895ea5dd ("nilfs2: change sc_timer from a pointer to an embedded one in struct nilfs_sc_info")
> Signed-off-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Reported-by: "Bai, Shuangpeng" <sjb7183@xxxxxxx>
> Closes: https://groups.google.com/g/syzkaller/c/MK_LYqtt8ko/m/8rgdWeseAwAJ
> Tested-by: Ryusuke Konishi <konishi.ryusuke@xxxxxxxxx>
> Cc: <stable@xxxxxxxxxxxxxxx>
> Signed-off-by: Andrew Morton <akpm@xxxxxxxxxxxxxxxxxxxx>
> ---
> Please apply this patch to the stable trees indicated by the subject
> prefix instead of the patch that failed.
>
> This patch is tailored to replace a call to timer_shutdown_sync(), which
> does not yet exist in these versions, with an equivalent function call,
> and is applicable from v4.15 to v6.1.
>
> Also, all the builds and tests I did on each stable tree passed.

Now queued up, thanks.

greg k-h
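The timer-versus-thread lifetime problem in the quoted commit message, as an added constructed C model that is not nilfs2 or kernel code and not part of this thread: it contrasts the old ordering (thread exits with sc_timer still armed) with the fixed one (timer shut down before the thread goes away, and never armed for a dead thread). The struct and function names (writer_task, sc_timer_arm, sc_timer_shutdown, sc_timer_expire, run_scenario) are hypothetical stand-ins, and the kernel's real timer API is not used.

```c
/* Constructed stand-ins, not nilfs2 code: the log writer task and nilfs_sc_info. */
struct writer_task { int alive; int woken; };  /* alive=0 once the thread has exited */

struct sc_info {
    struct writer_task *sc_task;   /* the sleeping log writer that sc_timer wakes up */
    int sc_timer_pending;          /* sc_timer armed and not yet expired */
    int stale_wakeups;             /* timer fired against an exited thread: the UAF */
};

/* Arm sc_timer only while the log writer thread is alive (the fix's rule). */
static int sc_timer_arm(struct sc_info *sci)
{
    if (!sci->sc_task || !sci->sc_task->alive)
        return 0;                  /* refuse: no live thread to wake */
    sci->sc_timer_pending = 1;
    return 1;
}

/* Model of a synchronous timer shutdown: the callback can no longer run. */
static void sc_timer_shutdown(struct sc_info *sci) { sci->sc_timer_pending = 0; }

/* Timer expiry: wake the writer. Reaching an exited thread is the use-after-free. */
static void sc_timer_expire(struct sc_info *sci)
{
    if (!sci->sc_timer_pending)
        return;
    sci->sc_timer_pending = 0;
    if (sci->sc_task->alive)
        sci->sc_task->woken = 1;
    else
        sci->stale_wakeups++;      /* in the kernel: a dangling task pointer */
}

/* The writer sleeps with sc_timer armed, then exits (e.g. on unmount), and the
 * timer expires afterwards. Returns stale wakeups: 1 with the old ordering,
 * 0 when the timer is shut down before the thread goes away. */
static int run_scenario(int shutdown_before_exit)
{
    struct writer_task writer = { 1, 0 };
    struct sc_info sci = { &writer, 0, 0 };
    sc_timer_arm(&sci);
    if (shutdown_before_exit)
        sc_timer_shutdown(&sci);   /* the fix: timer lifetime bounded by thread lifetime */
    writer.alive = 0;              /* thread exits; its task_struct would now be freed */
    sc_timer_expire(&sci);         /* the pending timer fires after the fact */
    return sci.stale_wakeups;
}
```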