android/android_kernel_xiaomi_sm8450
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
7e4c72dbaf
android_kernel_xiaomi_sm8450/fs/btrfs
History
Filipe Manana 7e4c72dbaf btrfs: fix use-after-free after failure to create a snapshot 
commit 28b21c558a3753171097193b6f6602a94169093a upstream.

At ioctl.c:create_snapshot(), we allocate a pending snapshot structure and
then attach it to the transaction's list of pending snapshots. After that
we call btrfs_commit_transaction(), and if that returns an error we jump
to 'fail' label, where we kfree() the pending snapshot structure. This can
result in a later use-after-free of the pending snapshot:

1) We allocated the pending snapshot and added it to the transaction's
   list of pending snapshots;

2) We call btrfs_commit_transaction(), and it fails either at the first
   call to btrfs_run_delayed_refs() or btrfs_start_dirty_block_groups().
   In both cases, we don't abort the transaction and we release our
   transaction handle. We jump to the 'fail' label and free the pending
   snapshot structure. We return with the pending snapshot still in the
   transaction's list;

3) Another task commits the transaction. This time there's no error at
   all, and then during the transaction commit it accesses a pointer
   to the pending snapshot structure that the snapshot creation task
   has already freed, resulting in a user-after-free.

This issue could actually be detected by smatch, which produced the
following warning:

  fs/btrfs/ioctl.c:843 create_snapshot() warn: '&pending_snapshot->list' not removed from list

So fix this by not having the snapshot creation ioctl directly add the
pending snapshot to the transaction's list. Instead add the pending
snapshot to the transaction handle, and then at btrfs_commit_transaction()
we add the snapshot to the list only when we can guarantee that any error
returned after that point will result in a transaction abort, in which
case the ioctl code can safely free the pending snapshot and no one can
access it anymore.

CC: stable@vger.kernel.org # 5.10+
Signed-off-by: Filipe Manana <fdmanana@suse.com>
Signed-off-by: David Sterba <dsterba@suse.com>
Signed-off-by: Hugo SIMELIERE <hsimeliere.opensource@witekio.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-09-12 11:06:44 +02:00
..
tests btrfs: remove pointless and double ulist frees in error paths of qgroup tests 2022-11-25 17:45:40 +01:00
acl.c btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter 2019-04-29 19:02:44 +02:00
async-thread.c btrfs: fix memory ordering between normal and ordered work functions 2021-11-26 10:39:20 +01:00
async-thread.h Btrfs: fix crash during unmount due to race with delayed inode workers 2020-03-23 17:01:51 +01:00
backref.c btrfs: fix information leak in btrfs_ioctl_logical_to_ino() 2024-05-02 16:23:44 +02:00
backref.h btrfs: sink iterator parameter to btrfs_ioctl_logical_to_ino 2022-12-08 11:23:53 +01:00
block-group.c btrfs: add handling for RAID1C23/DUP to btrfs_reduce_alloc_profile 2023-07-27 08:44:14 +02:00
block-group.h btrfs: fix race between writes to swap files and scrub 2021-03-09 11:11:11 +01:00
block-rsv.c btrfs: don't free qgroup space unless specified 2023-05-17 11:48:13 +02:00
block-rsv.h btrfs: Remove __ prefix from btrfs_block_rsv_release 2020-03-23 17:01:55 +01:00
btrfs_inode.h btrfs: fix race between marking inode needs to be logged and log syncing 2021-09-03 10:09:28 +02:00
check-integrity.c btrfs: check-integrity: remove unnecessary failure messages during memory allocation 2020-07-27 12:55:21 +02:00
check-integrity.h btrfs: remove btrfsic_submit_bh() 2020-03-23 17:01:39 +01:00
compression.c btrfs: mark compressed range uptodate only if all bio succeed 2021-08-04 12:46:39 +02:00
compression.h btrfs: compression: move declarations to header 2020-10-07 12:06:55 +02:00
ctree.c btrfs: fix extent buffer leak after tree mod log failure at split_node() 2023-08-11 11:57:31 +02:00
ctree.h btrfs: unify lookup return value when dir entry is missing 2024-03-01 13:16:47 +01:00
delalloc-space.c btrfs: don't arbitrarily slow down delalloc if we're committing 2023-11-28 16:54:57 +00:00
delalloc-space.h btrfs: make btrfs_delalloc_reserve_space take btrfs_inode 2020-07-27 12:55:36 +02:00
delayed-inode.c btrfs: change BUG_ON to assertion when checking for delayed_node root 2024-09-04 13:17:37 +02:00
delayed-inode.h btrfs: delayed-inode: Replace zero-length array with flexible-array member 2020-03-23 17:01:53 +01:00
delayed-ref.c btrfs: account for new extents being deleted in total_bytes_pinned 2021-03-04 11:38:30 +01:00
delayed-ref.h btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself 2021-03-04 11:38:30 +01:00
dev-replace.c btrfs: dev-replace: properly validate device names 2024-03-06 14:37:49 +00:00
dev-replace.h btrfs: add __pure attribute to functions 2019-11-18 12:46:52 +01:00
dir-item.c btrfs: unify lookup return value when dir entry is missing 2024-03-01 13:16:47 +01:00
discard.c btrfs: merge critical sections of discard lock in workfn 2021-01-19 18:27:24 +01:00
discard.h btrfs: discard: Use the correct style for SPDX License Identifier 2020-04-20 17:43:42 +02:00
disk-io.c btrfs: fix leak of qgroup extent records after transaction abort 2024-07-05 09:12:25 +02:00
disk-io.h btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c 2023-05-30 12:57:51 +01:00
export.c btrfs: export: handle invalid inode or root reference in btrfs_get_parent() 2024-04-13 12:59:43 +02:00
export.h btrfs: fix type of parameter generation in btrfs_get_dentry 2022-11-10 18:14:25 +01:00
extent_io.c btrfs: reset destination buffer when read_extent_buffer() gets invalid range 2023-10-10 21:53:30 +02:00
extent_io.h btrfs: fix qgroup reserve overflow the qgroup limit 2022-04-13 21:01:08 +02:00
extent_map.c Btrfs: fix race between using extent maps and merging them 2020-02-12 17:16:46 +01:00
extent_map.h btrfs: remove extent_map::bdev 2019-11-18 23:43:44 +01:00
extent-io-tree.h btrfs: remove struct extent_io_ops 2020-10-07 12:13:25 +02:00
extent-tree.c btrfs: don't warn if discard range is not aligned to sector 2024-02-23 08:41:57 +01:00
file-item.c btrfs: handle memory allocation failure in btrfs_csum_one_bio 2023-06-21 15:45:36 +02:00
file.c btrfs: fix fallocate to use file_modified to update permissions consistently 2022-04-20 09:23:19 +02:00
free-space-cache.c btrfs: rename bitmap_set_bits() -> btrfs_bitmap_set_bits() 2024-09-04 13:17:31 +02:00
free-space-cache.h btrfs: let btrfs_return_cluster_to_free_space() return void 2020-07-27 12:55:21 +02:00
free-space-tree.c btrfs: fix possible free space tree corruption with online conversion 2021-02-03 23:28:40 +01:00
free-space-tree.h btrfs: rename btrfs_block_group_cache 2019-11-18 17:51:51 +01:00
inode-item.c btrfs: Make btrfs_find_name_in_ext_backref return struct btrfs_inode_extref 2019-09-09 14:59:16 +02:00
inode-map.c btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c 2023-05-30 12:57:51 +01:00
inode-map.h btrfs: move btrfs_find_highest_objectid/btrfs_find_free_objectid to disk-io.c 2023-05-30 12:57:51 +01:00
inode.c btrfs: handle invalid root reference found in may_destroy_subvol() 2024-09-04 13:17:37 +02:00
ioctl.c btrfs: fix use-after-free after failure to create a snapshot 2024-09-12 11:06:44 +02:00
Kconfig btrfs: disable build on platforms having page size 256K 2021-07-14 16:55:56 +02:00
locking.c btrfs: add nesting tags to the locking helpers 2020-10-07 12:12:16 +02:00
locking.h btrfs: introduce BTRFS_NESTING_NEW_ROOT for adding new roots 2020-10-07 12:12:17 +02:00
lzo.c btrfs: compression: inline free_workspace 2019-11-18 12:46:59 +01:00
Makefile Btrfs: move all reflink implementation code into its own file 2020-03-23 17:01:54 +01:00
misc.h btrfs: rename tree_entry to rb_simple_node and export it 2020-05-25 11:25:19 +02:00
ordered-data.c btrfs: remove inode argument from btrfs_start_ordered_extent 2020-10-07 12:13:22 +02:00
ordered-data.h btrfs: remove inode argument from btrfs_start_ordered_extent 2020-10-07 12:13:22 +02:00
orphan.c
print-tree.c btrfs: print-tree: parent bytenr must be aligned to sector size 2023-05-17 11:48:13 +02:00
print-tree.h btrfs: print the actual offset in btrfs_root_name 2021-01-27 11:55:06 +01:00
props.c btrfs: simplify iget helpers 2020-05-25 11:25:37 +02:00
props.h btrfs: delete unused function btrfs_set_prop_trans 2019-04-29 19:02:54 +02:00
qgroup.c btrfs: delete pointless BUG_ON check on quota root in btrfs_qgroup_account_extent() 2024-09-04 13:17:37 +02:00
qgroup.h btrfs: export and rename qgroup_reserve_meta 2021-03-11 14:17:22 +01:00
raid56.c btrfs: raid56: don't trust any cached sector in __raid56_parity_recover() 2022-08-21 15:16:27 +02:00
raid56.h btrfs: constify map parameter for nr_parity_stripes and nr_data_stripes 2019-07-01 13:34:58 +02:00
rcu-string.h btrfs: replace strncpy() with strscpy() 2023-01-14 10:16:40 +01:00
reada.c btrfs: fix readahead hang and use-after-free after removing a device 2020-10-26 15:03:59 +01:00
ref-verify.c btrfs: ref-verify: free ref cache before clearing mount opt 2024-02-23 08:41:57 +01:00
ref-verify.h btrfs: ref-verify: Use btrfs_ref to refactor btrfs_ref_tree_mod() 2019-04-29 19:02:49 +02:00
reflink.c btrfs: fix unexpected error path when reflinking an inline extent 2022-04-08 14:40:04 +02:00
reflink.h Btrfs: move all reflink implementation code into its own file 2020-03-23 17:01:54 +01:00
relocation.c btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() 2023-06-14 11:10:01 +02:00
root-tree.c btrfs: fix silent failure when deleting root reference 2022-08-31 17:15:21 +02:00
scrub.c btrfs: scrub: try harder to mark RAID56 block groups read-only 2023-06-21 15:45:36 +02:00
send.c btrfs: send: handle unexpected data in header buffer in begin_cmd() 2024-09-04 13:17:37 +02:00
send.h btrfs: send: avoid copying file data 2020-10-07 12:13:17 +02:00
space-info.c btrfs: prevent __btrfs_dump_space_info() to underflow its free space 2021-09-30 10:11:00 +02:00
space-info.h btrfs: handle space_info::total_bytes_pinned inside the delayed ref itself 2021-03-04 11:38:30 +01:00
struct-funcs.c btrfs: use unaligned helpers for stack and header set/get helpers 2020-10-07 12:13:23 +02:00
super.c Revert "btrfs: add dmesg output for first mount and last unmount of a filesystem" 2023-12-13 18:27:07 +01:00
sysfs.c btrfs: sysfs: normalize the error handling branch in btrfs_init_sysfs() 2022-12-02 17:40:06 +01:00
sysfs.h btrfs: split and refactor btrfs_sysfs_remove_devices_dir 2020-10-07 12:12:21 +02:00
transaction.c btrfs: fix use-after-free after failure to create a snapshot 2024-09-12 11:06:44 +02:00
transaction.h btrfs: fix use-after-free after failure to create a snapshot 2024-09-12 11:06:44 +02:00
tree-checker.c btrfs: tree-checker: add dev extent item checks 2024-09-04 13:17:30 +02:00
tree-checker.h btrfs: get fs_info from eb in btrfs_check_chunk_valid 2019-04-29 19:02:39 +02:00
tree-defrag.c btrfs: remove unused btrfs_root::defrag_trans_start 2020-07-27 12:55:28 +02:00
tree-log.c btrfs: unify lookup return value when dir entry is missing 2024-03-01 13:16:47 +01:00
tree-log.h btrfs: make fast fsyncs wait only for writeback 2020-10-07 12:06:56 +02:00
ulist.c
ulist.h
uuid-tree.c btrfs: simplify root lookup by id 2020-05-25 11:25:36 +02:00
volumes.c btrfs: add missing mutex_unlock in btrfs_relocate_sys_chunks() 2024-05-25 16:19:06 +02:00
volumes.h btrfs: add a helper to read the superblock metadata_uuid 2023-09-23 11:01:09 +02:00
xattr.c btrfs: check if root is readonly while setting security xattr 2022-08-31 17:15:22 +02:00
xattr.h btrfs: cleanup btrfs_setxattr_trans and drop transaction parameter 2019-04-29 19:02:44 +02:00
zlib.c btrfs: zlib: zero-initialize zlib workspace 2023-02-15 17:22:22 +01:00
zstd.c btrfs: compression: inline free_workspace 2019-11-18 12:46:59 +01:00