ext4: fix timer use-after-free on failed mount - kernel

diff options

author	Xiaxi Shen <[email protected]>	2024-07-15 04:33:36 +0000
committer	Theodore Ts'o <[email protected]>	2024-08-27 01:20:57 +0000
commit	0ce160c5bdb67081a62293028dc85758a8efb22a (patch)
tree	968ea990521a3da476706e0b69af411f3b2202c6 /fs/ext4/fast_commit.c
parent	ext4: use seq_putc() in two functions (diff)
download	kernel-0ce160c5bdb67081a62293028dc85758a8efb22a.tar.gz kernel-0ce160c5bdb67081a62293028dc85758a8efb22a.zip

ext4: fix timer use-after-free on failed mount

Syzbot has found an ODEBUG bug in ext4_fill_super The del_timer_sync function cancels the s_err_report timer, which reminds about filesystem errors daily. We should guarantee the timer is no longer active before kfree(sbi). When filesystem mounting fails, the flow goes to failed_mount3, where an error occurs when ext4_stop_mmpd is called, causing a read I/O failure. This triggers the ext4_handle_error function that ultimately re-arms the timer, leaving the s_err_report timer active before kfree(sbi) is called. Fix the issue by canceling the s_err_report timer after calling ext4_stop_mmpd. Signed-off-by: Xiaxi Shen <[email protected]> Reported-and-tested-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=59e0101c430934bc9a36 Link: https://patch.msgid.link/[email protected] Signed-off-by: Theodore Ts'o <[email protected]> Cc: [email protected]

Diffstat (limited to 'fs/ext4/fast_commit.c')

0 files changed, 0 insertions, 0 deletions


context:
space:
mode: