Linux: Fix zfs_prune panics
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Signed-off-by: Pavel Snajdr <[email protected]>
snajpa committed Nov 20, 2024
1 parent f1dfc9d commit 38893b6
Showing 1 changed file with 12 additions and 1 deletion.
13 changes: 12 additions & 1 deletion module/os/linux/zfs/zpl_super.c
Expand Up @@ -384,7 +384,18 @@ zpl_prune_sb(uint64_t nr_to_scan, void *arg)
struct super_block *sb = (struct super_block *)arg;
int objects = 0;

(void) -zfs_prune(sb, nr_to_scan, &objects);
/*
* deactivate_locked_super calls shrinker_free and only then
* sops->kill_sb cb, resulting in UAF on umount when trying to reach
* for the shrinker functions in zpl_prune_sb of in-umount dataset.

Check failure on line 390 in module/os/linux/zfs/zpl_super.c

GitHub Actions / checkstyle

improper block comment

Check failure on line 390 in module/os/linux/zfs/zpl_super.c

GitHub Actions / checkstyle

indent by spaces instead of tabs
* Increment if s_active is not zero, but don't prune if it is -
* umount could be underway.
*/
if (atomic_inc_not_zero(&sb->s_active)) {
(void) -zfs_prune(sb, nr_to_scan, &objects);
atomic_dec(&sb->s_active);
}

}

const struct super_operations zpl_super_operations = {
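Review bot: The bare `atomic_dec(&sb->s_active);` after `zfs_prune()` does not handle the case where this temporary reference ends up being the last one. If the concurrent umount drops its own reference while the prune is running, this decrement takes `s_active` to zero without running any of the teardown that the normal release path performs, so `kill_sb` may never be called for that superblock. Consider releasing the reference with `deactivate_super(sb)` instead, or document in the comment why the raw decrement is safe here. Separately, the new block comment is what checkstyle flags at line 390 (comment format, and spaces instead of tabs for indentation), and the blank line left before the closing brace of `zpl_prune_sb` can be dropped.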