]> git.ipfire.org Git - thirdparty/linux.git/commitdiff
projects / thirdparty / linux.git / commitdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | patch | inline | side by side (parent: e7ae89a)
erofs: fix use-after-free on sbi->sync_decompress
authorGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 22 May 2026 08:27:16 +0000 (16:27 +0800)
committerGao Xiang <hsiangkao@linux.alibaba.com>
Fri, 29 May 2026 04:32:56 +0000 (12:32 +0800)
z_erofs_decompress_kickoff() can race with filesystem unmount, causing
a use-after-free on sbi->sync_decompress.

When I/O completes, z_erofs_endio() calls z_erofs_decompress_kickoff()
to queue z_erofs_decompressqueue_work() asynchronously. Then, after all
folios are unlocked, unmount workflow can proceed and sbi will be freed
before accessing to sbi->sync_decompress.

Thread (unmount)        I/O completion        kworker
                        queue_work
                                              z_erofs_decompressqueue_work
                                               (all folios are unlocked)
cleanup_mnt
 ..
 erofs_kill_sb
  erofs_sb_free
   kfree(sbi)
                        access sbi->sync_decompress  // UAF!!

Fixes: 40452ffca3c1 ("erofs: add sysfs node to control sync decompression strategy")
Reported-by: syzbot+52bae5c495dbe261a0bc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=52bae5c495dbe261a0bc
Reviewed-by: Chao Yu <chao@kernel.org>
Reviewed-by: Jianan Huang <jnhuang95@gmail.com>
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
fs/erofs/zdata.c patch | blob | blame | history

diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 27ab7bd844ec7837b9d0cf80e5911e5ad9faeaa2..c6240dccbb0f096497f7a4b3deff909d3ce19291 100644 (file)
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1455,6 +1455,9 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io,
        if (atomic_add_return(bios, &io->pending_bios))
                return;
        if (z_erofs_in_atomic()) {
+               /* See `sync_decompress` in sysfs-fs-erofs for more details */
+               if (sbi->sync_decompress == EROFS_SYNC_DECOMPRESS_AUTO)
+                       sbi->sync_decompress = EROFS_SYNC_DECOMPRESS_FORCE_ON;
 #ifdef CONFIG_EROFS_FS_PCPU_KTHREAD
                struct kthread_worker *worker;
 
@@ -1471,9 +1474,6 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io,
 #else
                queue_work(z_erofs_workqueue, &io->u.work);
 #endif
-               /* See `sync_decompress` in sysfs-fs-erofs for more details */
-               if (sbi->sync_decompress == EROFS_SYNC_DECOMPRESS_AUTO)
-                       sbi->sync_decompress = EROFS_SYNC_DECOMPRESS_FORCE_ON;
                return;
        }
        gfp_flag = memalloc_noio_save();
A mirror of Linus' kernel repository