From: Greg Kroah-Hartman Date: Wed, 25 Apr 2018 16:00:51 +0000 (+0200) Subject: 3.18-stable patches X-Git-Tag: v4.16.5~4 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=2dddfccae3e04561662783379092c67ae9b05854;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18-stable patches added patches: jbd2-fix-use-after-free-in-kjournald2.patch
---
diff --git a/queue-3.18/jbd2-fix-use-after-free-in-kjournald2.patch b/queue-3.18/jbd2-fix-use-after-free-in-kjournald2.patch
new file mode 100644
index 00000000000..ea47adb4b57
--- /dev/null
+++ b/queue-3.18/jbd2-fix-use-after-free-in-kjournald2.patch
@@ -0,0 +1,70 @@
+From dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed Mon Sep 17 00:00:00 2001
+From: Sahitya Tummala
+Date: Wed, 1 Feb 2017 20:49:35 -0500
+Subject: jbd2: fix use after free in kjournald2()
+
+From: Sahitya Tummala
+
+commit dbfcef6b0f4012c57bc0b6e0e660d5ed12a5eaed upstream.
+
+Below is the synchronization issue between unmount and kjournald2
+contexts, which results into use after free issue in kjournald2().
+Fix this issue by using journal->j_state_lock to synchronize the
+wait_event() done in journal_kill_thread() and the wake_up() done
+in kjournald2().
+
+TASK 1:
+umount cmd:
+ |--jbd2_journal_destroy() {
+ |--journal_kill_thread() {
+ write_lock(&journal->j_state_lock);
+ journal->j_flags |= JBD2_UNMOUNT;
+ ...
+ write_unlock(&journal->j_state_lock);
+ wake_up(&journal->j_wait_commit); TASK 2 wakes up here:
+ kjournald2() {
+ ...
+ checks JBD2_UNMOUNT flag and calls goto end-loop;
+ ...
+ end_loop:
+ write_unlock(&journal->j_state_lock);
+ journal->j_task = NULL; --> If this thread gets
+ pre-empted here, then TASK 1 wait_event will
+ exit even before this thread is completely
+ done.
+ wait_event(journal->j_wait_done_commit, journal->j_task == NULL);
+ ...
+ write_lock(&journal->j_state_lock);
+ write_unlock(&journal->j_state_lock);
+ }
+ |--kfree(journal);
+ }
+}
+ wake_up(&journal->j_wait_done_commit); --> this step
+ now results into use after free issue.
+ }
+
+Signed-off-by: Sahitya Tummala
+Signed-off-by: Theodore Ts'o
+Cc: Amit Pundir
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ fs/jbd2/journal.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/fs/jbd2/journal.c
++++ b/fs/jbd2/journal.c
+@@ -275,11 +275,11 @@ loop:
+ goto loop;
+
+ end_loop:
+- write_unlock(&journal->j_state_lock);
+ del_timer_sync(&journal->j_commit_timer);
+ journal->j_task = NULL;
+ wake_up(&journal->j_wait_done_commit);
+ jbd_debug(1, "Journal thread exiting.\n");
++ write_unlock(&journal->j_state_lock);
+ return 0;
+ }
+
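Review bot: The moved `write_unlock(&journal->j_state_lock)` at the end of kjournald2() only closes the race because journal_kill_thread() re-takes j_state_lock after its wait_event() — the otherwise no-op `write_lock(); write_unlock();` pair shown in the description — so kfree(journal) cannot run until kjournald2() has finished its wake_up(); nothing in the patched code records that the two sides depend on each other, and a later cleanup that deletes the apparently pointless lock/unlock pair in journal_kill_thread() would silently reintroduce the use-after-free. I would add a comment above the moved unlock, e.g. `/* Keep j_state_lock held until here: journal_kill_thread() takes it after wait_event(), which is what keeps *journal alive across the wake_up() above. */`, and a matching one on the lock/unlock pair in journal_kill_thread(). Note that del_timer_sync() and jbd_debug() now also execute under the write lock; that is safe only if the commit-timer handler never takes j_state_lock, which cannot be confirmed from this hunk. kjournald2() begins outside the hunk.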
diff --git a/queue-3.18/series b/queue-3.18/series
index 366967c6041..e8bf1e5eedd 100644
--- a/queue-3.18/series
+++ b/queue-3.18/series
@@ -5,3 +5,4 @@ ext4-bugfix-for-mmaped-pages-in-mpage_release_unused_pages.patch
 ext4-don-t-update-checksum-of-new-initialized-bitmaps.patch
 perf-return-proper-values-for-user-stack-errors.patch
 mm-filemap.c-fix-null-pointer-in-page_cache_tree_insert.patch
+jbd2-fix-use-after-free-in-kjournald2.patch