git.proxmox.com Git - mirror_ubuntu-bionic-kernel.git/commit

author	Theodore Ts'o <tytso@mit.edu>
	Fri, 12 Oct 2018 13:28:09 +0000 (09:28 -0400)
committer	Juerg Haefliger <juergh@canonical.com>
	Wed, 24 Jul 2019 01:57:17 +0000 (19:57 -0600)
commit	74255a2c11d2a9884e2ab7c73ee3a03b15fff909
tree	2912155e3d71001e095028415f46132e0382c91a	tree
parent	2ced03ef3bfa0d533a006c67c7a504f3d34c81f3	commit \| diff

ext4: fix use-after-free race in ext4_remount()'s error path

BugLink: https://bugs.launchpad.net/bugs/1836802
commit 33458eaba4dfe778a426df6a19b7aad2ff9f7eec upstream.

It's possible for ext4_show_quota_options() to try reading
s_qf_names[i] while it is being modified by ext4_remount() --- most
notably, in ext4_remount's error path when the original values of the
quota file name gets restored.

Reported-by: syzbot+a2872d6feea6918008a9@syzkaller.appspotmail.com
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org # 3.2+
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Andrea Righi <andrea.righi@canonical.com>
Signed-off-by: Khalid Elmously <khalid.elmously@canonical.com>

fs/ext4/ext4.h		diff \| blob \| blame \| history
fs/ext4/super.c		diff \| blob \| blame \| history