* [PATCH] fs: jfs: fix possible data races in txExit()
@ 2020-05-04 14:02 Jia-Ju Bai
0 siblings, 0 replies; only message in thread
From: Jia-Ju Bai @ 2020-05-04 14:02 UTC (permalink / raw)
To: shaggy; +Cc: jfs-discussion, linux-kernel, Jia-Ju Bai
The functions txEnd() and txExit() can be concurrently executed in the
following call contexts:
Thread1:
jfs_lazycommit()
txLazyCommit()
txEnd()
Thread2:
exit_jfs_fs()
txExit()
In txEnd():
struct tblock *tblk = tid_to_tblock(tid);
// #define tid_to_tblock(tid) (&TxBlock[tid])
In txExit():
vfree(TxBlock);
TxBlock = NULL;
Thus, data races can occur for the global variable TxBlock.
And these data races can cause use-after-free bugs and null-pointer
dereferences.
To fix these data races, txExit() is called after the filesystem stops
the threads that run jfs_lazycommit().
These data races are found by our concurrency fuzzer.
Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
fs/jfs/super.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/jfs/super.c b/fs/jfs/super.c
index b2dc4d1f9dcc..8c80397df336 100644
--- a/fs/jfs/super.c
+++ b/fs/jfs/super.c
@@ -1027,13 +1027,13 @@ static void __exit exit_jfs_fs(void)
jfs_info("exit_jfs_fs called");
- txExit();
metapage_exit();
kthread_stop(jfsIOthread);
for (i = 0; i < commit_threads; i++)
kthread_stop(jfsCommitThread[i]);
kthread_stop(jfsSyncThread);
+ txExit();
#ifdef PROC_FS_JFS
jfs_proc_clean();
#endif
--
2.17.1
^ permalink raw reply related [flat|nested] only message in thread
only message in thread, other threads:[~2020-05-04 14:02 UTC | newest]
Thread overview: (only message) (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-05-04 14:02 [PATCH] fs: jfs: fix possible data races in txExit() Jia-Ju Bai
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.