jbd2: fix use-after-free of transaction_t race
commit 9032f97796fe8d3d98d8f6cc19919458f7cb4aec from https://github.com/altera-opensource/linux-socfpga.git [upstream commit cc16eeca] jbd2_journal_wait_updates() is called with j_state_lock held. But if there is a commit in progress, then this transaction might get committed and freed via jbd2_journal_commit_transaction() -> jbd2_journal_free_transaction(), when we release j_state_lock. So check for journal->j_running_transaction everytime we release and acquire j_state_lock to avoid use-after-free issue. Link: https://lore.kernel.org/r/948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com Fixes: 4f981868 ("jbd2: refactor wait logic for transaction updates into a common function") Cc: stable@kernel.org Reported-and-tested-by: <syzbot+afa2ca5171d93e44b348@syzkaller.appspotmail.com> Reviewed-by: Jan Kara <jack@suse.cz> Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com> Signed-off-by: Theodore Ts'o <tytso@mit.edu> Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com> Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
Please register or sign in to comment