From patchwork Fri May 20 11:20:42 2011 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Lukas Czerner X-Patchwork-Id: 96587 Return-Path: X-Original-To: patchwork-incoming@ozlabs.org Delivered-To: patchwork-incoming@ozlabs.org Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by ozlabs.org (Postfix) with ESMTP id 667B7B6F8B for ; Fri, 20 May 2011 21:21:00 +1000 (EST) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935453Ab1ETLU7 (ORCPT ); Fri, 20 May 2011 07:20:59 -0400 Received: from mx1.redhat.com ([209.132.183.28]:52934 "EHLO mx1.redhat.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S934708Ab1ETLU7 (ORCPT ); Fri, 20 May 2011 07:20:59 -0400 Received: from int-mx10.intmail.prod.int.phx2.redhat.com (int-mx10.intmail.prod.int.phx2.redhat.com [10.5.11.23]) by mx1.redhat.com (8.14.4/8.14.4) with ESMTP id p4KBKvno028726 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Fri, 20 May 2011 07:20:57 -0400 Received: from dhcp-27-109.brq.redhat.com (dhcp-1-233.brq.redhat.com [10.34.1.233]) by int-mx10.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id p4KBKoRs015510; Fri, 20 May 2011 07:20:55 -0400 From: Lukas Czerner To: linux-ext4@vger.kernel.org Cc: sandeen@redhat.com, tytso@mit.edu, Lukas Czerner Subject: [PATCH 4/4 v2] ext4: fix possible use-after-free ext4_remove_li_request() Date: Fri, 20 May 2011 13:20:42 +0200 Message-Id: <1305890442-16361-4-git-send-email-lczerner@redhat.com> In-Reply-To: <1305890442-16361-1-git-send-email-lczerner@redhat.com> References: <1305890442-16361-1-git-send-email-lczerner@redhat.com> X-Scanned-By: MIMEDefang 2.68 on 10.5.11.23 Sender: linux-ext4-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org We need to take reference to the s_li_request after we take a mutex, because it might be freed since then, hence result in accessing old already freed memory. Also we should protect the whole ext4_remove_li_request() because ext4_li_info might be in the process of being freed in ext4_lazyinit_thread(). Signed-off-by: Lukas Czerner Reviewed-by: Eric Sandeen --- [v2]: Add reviewed by Eric Sandeen fs/ext4/super.c | 10 ++++++---- 1 files changed, 6 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 72df905..f4d3333 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2720,14 +2720,16 @@ static void ext4_remove_li_request(struct ext4_li_request *elr) static void ext4_unregister_li_request(struct super_block *sb) { - struct ext4_li_request *elr = EXT4_SB(sb)->s_li_request; - - if (!ext4_li_info) + mutex_lock(&ext4_li_mtx); + if (!ext4_li_info) { + mutex_unlock(&ext4_li_mtx); return; + } mutex_lock(&ext4_li_info->li_list_mtx); - ext4_remove_li_request(elr); + ext4_remove_li_request(EXT4_SB(sb)->s_li_request); mutex_unlock(&ext4_li_info->li_list_mtx); + mutex_unlock(&ext4_li_mtx); } static struct task_struct *ext4_lazyinit_task;