Commit 612e7239 authored by Ritesh Harjani, committed by Bruce Ashfield

jbd2: fix use-after-free of transaction_t race

commit 9032f97796fe8d3d98d8f6cc19919458f7cb4aec from
https://github.com/altera-opensource/linux-socfpga.git

[upstream commit cc16eeca]

jbd2_journal_wait_updates() is called with j_state_lock held. But if
there is a commit in progress, then this transaction might get committed
and freed via jbd2_journal_commit_transaction() ->
jbd2_journal_free_transaction(), when we release j_state_lock.
So check for journal->j_running_transaction every time we release and
acquire j_state_lock to avoid use-after-free issue.

Link: https://lore.kernel.org/r/948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com


Fixes: 4f981868 ("jbd2: refactor wait logic for transaction updates into a common function")
Cc: stable@kernel.org
Reported-and-tested-by: <syzbot+afa2ca5171d93e44b348@syzkaller.appspotmail.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Wenlin Kang <wenlin.kang@windriver.com>
Signed-off-by: Bruce Ashfield <bruce.ashfield@gmail.com>
parent 0a58e31e
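The race described in the commit message, as an added single-threaded user-space model (not the kernel's code and not this commit's diff): the pre-fix wait loop caches the running transaction pointer across the window where j_state_lock is dropped, the modelled commit path frees that transaction in the meantime, and the fixed loop re-reads journal->j_running_transaction after every reacquire. Everything except the field names j_running_transaction, t_updates and the j_state_lock window is an assumption of this model; freeing is represented by a flag so the use-after-free can be counted instead of crashing.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Constructed single-threaded model, not kernel code: sleep_hook() stands in
 * for whatever another CPU does while the waiter has dropped j_state_lock. */
struct transaction {
    atomic_int t_updates;   /* handles still open on this transaction */
    bool freed;             /* set by the modelled jbd2_journal_free_transaction() */
};
struct journal {
    struct transaction *j_running_transaction;
    int uaf_hits;           /* reads of a freed transaction, counted instead of crashing */
};
/* Other CPU: the last handle stops, commit completes and frees the transaction. */
static void other_cpu_commits(struct journal *j)
{
    struct transaction *t = j->j_running_transaction;
    if (!t) return;
    atomic_store(&t->t_updates, 0);
    t->freed = true;                    /* jbd2_journal_free_transaction() */
    j->j_running_transaction = NULL;
}
static int read_updates(struct journal *j, struct transaction *t)
{
    if (t->freed) j->uaf_hits++;        /* the kernel would dereference freed memory here */
    return atomic_load(&t->t_updates);
}
/* Pre-fix shape: pointer fetched once and reused after the unlocked sleep. */
int wait_updates_buggy(struct journal *j, void (*sleep_hook)(struct journal *))
{
    struct transaction *t = j->j_running_transaction;
    while (t && read_updates(j, t))
        sleep_hook(j);                  /* write_unlock(); schedule(); write_lock(); */
    return j->uaf_hits;
}
/* Fixed shape: re-read j_running_transaction after every lock reacquire. */
int wait_updates_fixed(struct journal *j, void (*sleep_hook)(struct journal *))
{
    struct transaction *t;
    while ((t = j->j_running_transaction) && read_updates(j, t))
        sleep_hook(j);
    return j->uaf_hits;
}
/* One open handle, and a commit that completes while the waiter sleeps. */
int run_scenario(int (*wait)(struct journal *, void (*)(struct journal *)))
{
    struct transaction t = { .t_updates = 1, .freed = false };
    struct journal j = { .j_running_transaction = &t, .uaf_hits = 0 };
    return wait(&j, other_cpu_commits);   /* buggy: 1, fixed: 0 */
}
```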