[PATCH RFC] ubifs: Fix use-after-free in ubifs_tnc_end_commit
Ryder Wang
rydercoding at hotmail.com
Tue Oct 29 02:56:58 PDT 2024
> Thanks for reporting that :-). I noticed it a while ago too, and I
> found 'c->znext', 'c->cnext' and 'znode->cnext' won't be accessed (in
> write mode) by other tasks, because there is only one function,
> do_commit(), modifying them, and do_commit() can be executed by at most
> one task at any time.
It looks like the race condition can really happen in this case, according to the issue reporter.
1. do_commit (ubifs_bg_thread): it can eventually touch an unprotected znode while calling the function write_index().
2. ubifs_evict_inode (a kernel thread other than ubifs_bg_thread): it can eventually touch the znode in the function tnc_delete(). Even though there is mutex protection for tnc_delete(), it has no meaning, because do_commit (at point 1) doesn't hold such a mutex while calling write_index().
More information about the linux-mtd mailing list