git.ipfire.org Git - thirdparty/kernel/stable.git/commit
jbd2: fix use-after-free of transaction_t race
author Ritesh Harjani <riteshh@linux.ibm.com>
Thu, 10 Feb 2022 15:37:11 +0000 (21:07 +0530)
committer Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Mon, 28 Mar 2022 08:03:21 +0000 (10:03 +0200)
commit bff94c57bd130e3062afa94414c2294871314096
tree e2931db327fea30c73a642702a007a50d90b4953
parent abc9ad36df16e27ac1c665085157f1a082d39bac
jbd2: fix use-after-free of transaction_t race

commit cc16eecae687912238ee6efbff71ad31e2bc414e upstream.

jbd2_journal_wait_updates() is called with j_state_lock held. But if
there is a commit in progress, then this transaction might get committed
and freed via jbd2_journal_commit_transaction() ->
jbd2_journal_free_transaction(), when we release j_state_lock.
So check for journal->j_running_transaction every time we release and
acquire j_state_lock to avoid a use-after-free issue.

Link: https://lore.kernel.org/r/948c2fed518ae739db6a8f7f83f1d58b504f87d0.1644497105.git.ritesh.list@gmail.com
Fixes: 4f98186848707f53 ("jbd2: refactor wait logic for transaction updates into a common function")
Cc: stable@kernel.org
Reported-and-tested-by: syzbot+afa2ca5171d93e44b348@syzkaller.appspotmail.com
Reviewed-by: Jan Kara <jack@suse.cz>
Signed-off-by: Ritesh Harjani <riteshh@linux.ibm.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fs/jbd2/transaction.c
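The race the commit message describes, as an added single-threaded model that is not the kernel's code and not part of this commit page: the "before" waiter captures j_running_transaction once and keeps using that pointer across the release/reacquire cycle of j_state_lock, while the "after" waiter re-reads j_running_transaction each time it takes the lock back. The names j_running_transaction, j_state_lock, t_updates and the schedule() point come from the commit message; the struct layouts, the commit_thread_step() and schedule_model() stand-ins, the freed poison flag (used instead of a real free so the bug is observable rather than undefined behaviour) and run_scenario() are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>

/* Assumed minimal layouts; field names follow the commit message. */
typedef struct transaction {
    int  t_updates;   /* outstanding handles on this transaction */
    bool freed;       /* poison standing in for kfree(): a read after this
                         is set is the use-after-free we want to observe */
} transaction_t;

typedef struct journal {
    transaction_t *j_running_transaction;
    bool           j_state_lock;     /* stand-in for the real lock */
    int            commits_pending;  /* schedule() calls on which the commit
                                        thread runs before a handle completes */
} journal_t;

static void lock_state(journal_t *j)   { j->j_state_lock = true;  }
static void unlock_state(journal_t *j) { j->j_state_lock = false; }

/* What the commit thread can do while we sleep without j_state_lock:
 * jbd2_journal_commit_transaction() -> jbd2_journal_free_transaction(). */
static void commit_thread_step(journal_t *j)
{
    transaction_t *t = j->j_running_transaction;
    if (!t)
        return;
    j->j_running_transaction = NULL;  /* no running transaction any more */
    t->t_updates = 0;
    t->freed = true;                  /* the free in the real kernel */
}

/* schedule(): either the commit thread runs, or one outstanding handle
 * finishes (t_updates--), which is the normal wake-up for the waiter. */
static void schedule_model(journal_t *j)
{
    if (j->commits_pending > 0) {
        j->commits_pending--;
        commit_thread_step(j);
    } else if (j->j_running_transaction) {
        j->j_running_transaction->t_updates--;
    }
}

/* Read t_updates; report -1 instead of touching a freed object. */
static int read_updates(const transaction_t *t, int *out)
{
    if (t->freed)
        return -1;
    *out = t->t_updates;
    return 0;
}

/* Pre-fix shape: the pointer is captured once and reused after every
 * release/reacquire of j_state_lock. Returns 0 on a clean exit, -1 when a
 * freed transaction was dereferenced. */
static int wait_updates_before(journal_t *j)
{
    int updates;
    lock_state(j);
    transaction_t *transaction = j->j_running_transaction;
    while (transaction) {
        if (read_updates(transaction, &updates) < 0) {
            unlock_state(j);
            return -1;              /* use-after-free */
        }
        if (!updates)
            break;
        unlock_state(j);
        schedule_model(j);          /* commit may free 'transaction' here */
        lock_state(j);
    }
    unlock_state(j);
    return 0;
}

/* Fixed shape: j_running_transaction is re-read every time j_state_lock
 * is reacquired, so a transaction freed while we slept is never touched. */
static int wait_updates_after(journal_t *j)
{
    int updates;
    lock_state(j);
    for (;;) {
        transaction_t *transaction = j->j_running_transaction;
        if (!transaction)
            break;                  /* committed and freed while we slept */
        if (read_updates(transaction, &updates) < 0) {
            unlock_state(j);
            return -1;
        }
        if (!updates)
            break;
        unlock_state(j);
        schedule_model(j);
        lock_state(j);
    }
    unlock_state(j);
    return 0;
}

/* Constructed scenario: a running transaction with 'updates' outstanding
 * handles, and the commit thread allowed to run 'commits' times. */
static int run_scenario(int (*wait_fn)(journal_t *), int updates, int commits)
{
    transaction_t t = { .t_updates = updates, .freed = false };
    journal_t j = { .j_running_transaction = &t, .j_state_lock = false,
                    .commits_pending = commits };
    return wait_fn(&j);
}
```

With the commit thread allowed to run once during the sleep, the pre-fix loop comes back from schedule_model() holding a stale pointer and reads the poisoned transaction; the fixed loop sees j_running_transaction go NULL and exits. When no commit intervenes, both variants simply wait for t_updates to drain and return cleanly, which is why the bug only shows up under the syzbot-style interleaving the commit message describes.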