ext4: fix use-after-free race in ext4_remount()'s error path

It's possible for ext4_show_quota_options() to try reading s_qf_names[i] while it is being modified by ext4_remount() --- most notably, in ext4_remount's error path when the original values of the quota file name gets restored. Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com Signed-off-by: Theodore Ts'o <tytso@mit.edu> Cc: stable@kernel.org # 3.2+
author: Theodore Ts'o <tytso@mit.edu> 2018-10-12 15:28:09 +0200
committer: Theodore Ts'o <tytso@mit.edu> 2018-10-12 15:28:09 +0200
commit: 33458eaba4dfe778a426df6a19b7aad2ff9f7eec (patch)
tree: f4732bd54c93bd877209855b3148db771da85b55 /fs/ext4/ext4.h
parent: ext4: cache NULL when both default_acl and acl are NULL (diff)
download: linux-33458eaba4dfe778a426df6a19b7aad2ff9f7eec.tar.xz
linux-33458eaba4dfe778a426df6a19b7aad2ff9f7eec.zip
1 files changed, 2 insertions, 1 deletions
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 86e1bacac757..12f90d48ba61 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -1405,7 +1405,8 @@ struct ext4_sb_info {
 	u32 s_min_batch_time;
 	struct block_device *journal_bdev;
 #ifdef CONFIG_QUOTA
-	char *s_qf_names[EXT4_MAXQUOTAS];	/* Names of quota files with journalled quota */
+	/* Names of quota files with journalled quota */
+	char __rcu *s_qf_names[EXT4_MAXQUOTAS];
 	int s_jquota_fmt;			/* Format of quota to use */
 #endif
 	unsigned int s_want_extra_isize; /* New inodes should reserve # bytes */
author	Theodore Ts'o <tytso@mit.edu>	2018-10-12 15:28:09 +0200
committer	Theodore Ts'o <tytso@mit.edu>	2018-10-12 15:28:09 +0200
commit	33458eaba4dfe778a426df6a19b7aad2ff9f7eec (patch)
tree	f4732bd54c93bd877209855b3148db771da85b55 /fs/ext4/ext4.h
parent	ext4: cache NULL when both default_acl and acl are NULL (diff)
download	linux-33458eaba4dfe778a426df6a19b7aad2ff9f7eec.tar.xz linux-33458eaba4dfe778a426df6a19b7aad2ff9f7eec.zip