ext4: fix mmp use after free during unmount

In ext4_put_super, we call brelse on the buffer head containing
the ext4 superblock, but then try to use it when we stop the
mmp thread, because when the thread shuts down it does:

write_mmp_block
  ext4_mmp_csum_set
    ext4_has_metadata_csum
      WARN_ON_ONCE(ext4_has_feature_metadata_csum(sb)...)

which reaches into sb->s_fs_info->s_es->s_feature_ro_compat,
which lives in the superblock buffer s_sbh which we just released.

Fix this by moving the brelse down to a point where we are no
longer using it.

Reported-by: Wang Shu <shuwang@redhat.com>
Signed-off-by: Eric Sandeen <sandeen@redhat.com>
---

Note: found by inspection after a bug report via KASAN,
compile-tested only.



--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

On Oct 20, 2016, at 12:19 PM, Eric Sandeen <sandeen@redhat.com> wrote:
> 
> In ext4_put_super, we call brelse on the buffer head containing
> the ext4 superblock, but then try to use it when we stop the
> mmp thread, because when the thread shuts down it does:
> 
> write_mmp_block
>  ext4_mmp_csum_set
>    ext4_has_metadata_csum
>      WARN_ON_ONCE(ext4_has_feature_metadata_csum(sb)...)
> 
> which reaches into sb->s_fs_info->s_es->s_feature_ro_compat,
> which lives in the superblock buffer s_sbh which we just released.
> 
> Fix this by moving the brelse down to a point where we are no
> longer using it.
> 
> Reported-by: Wang Shu <shuwang@redhat.com>
> Signed-off-by: Eric Sandeen <sandeen@redhat.com>

Reviewed-by: Andreas Dilger <adilger@dilger.ca>

> ---
> 
> Note: found by inspection after a bug report via KASAN,
> compile-tested only.
> 
> diff --git a/fs/ext4/super.c b/fs/ext4/super.c
> index 6db81fb..f273212 100644
> --- a/fs/ext4/super.c
> +++ b/fs/ext4/super.c
> @@ -862,7 +862,6 @@ static void ext4_put_super(struct super_block *sb)
> 	percpu_counter_destroy(&sbi->s_dirs_counter);
> 	percpu_counter_destroy(&sbi->s_dirtyclusters_counter);
> 	percpu_free_rwsem(&sbi->s_journal_flag_rwsem);
> -	brelse(sbi->s_sbh);
> #ifdef CONFIG_QUOTA
> 	for (i = 0; i < EXT4_MAXQUOTAS; i++)
> 		kfree(sbi->s_qf_names[i]);
> @@ -894,6 +893,9 @@ static void ext4_put_super(struct super_block *sb)
> 	}
> 	if (sbi->s_mmp_tsk)
> 		kthread_stop(sbi->s_mmp_tsk);
> +
> +	/* Don't let this go until everything is done with the ext4 super */
> +	brelse(sbi->s_sbh);
> 	sb->s_fs_info = NULL;
> 	/*
> 	 * Now that we are completely done shutting down the
> 
> 
> --
> To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html


Cheers, Andreas

On Thu, Oct 20, 2016 at 02:26:38PM -0600, Andreas Dilger wrote:
> On Oct 20, 2016, at 12:19 PM, Eric Sandeen <sandeen@redhat.com> wrote:
> > 
> > In ext4_put_super, we call brelse on the buffer head containing
> > the ext4 superblock, but then try to use it when we stop the
> > mmp thread, because when the thread shuts down it does:
> > 
> > write_mmp_block
> >  ext4_mmp_csum_set
> >    ext4_has_metadata_csum
> >      WARN_ON_ONCE(ext4_has_feature_metadata_csum(sb)...)
> > 
> > which reaches into sb->s_fs_info->s_es->s_feature_ro_compat,
> > which lives in the superblock buffer s_sbh which we just released.
> > 
> > Fix this by moving the brelse down to a point where we are no
> > longer using it.
> > 
> > Reported-by: Wang Shu <shuwang@redhat.com>
> > Signed-off-by: Eric Sandeen <sandeen@redhat.com>
> 
> Reviewed-by: Andreas Dilger <adilger@dilger.ca>

Applied, thanks.

					- Ted
--
To unsubscribe from this list: send the line "unsubscribe linux-ext4" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html