CVE-2022-49834

Severity CVSS v4.0:
Pending analysis
Type:
CWE-416 Use After Free
Publication date:
01/05/2025
Last modified:
10/11/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free bug of ns_writer on remount

If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.

In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:

    Task1                                Task2
    --------------------------------     ------------------------------
    nilfs_construct_segment
      nilfs_segctor_sync
        init_wait
        init_waitqueue_entry
        add_wait_queue
        schedule
                                         nilfs_remount (R/W remount case)
                                           nilfs_attach_log_writer
                                             nilfs_detach_log_writer
                                               nilfs_segctor_destroy
                                                 kfree
        finish_wait
          _raw_spin_lock_irqsave
            __raw_spin_lock_irqsave
              do_raw_spin_lock
                debug_spin_lock_before   (use-after-free)

While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 woke up, Task1 accesses nilfs->ns_writer which is already freed. This scenario diagram is based on Shigeru Yoshida's post [1].

This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with the superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.

Vulnerable products and versions

CPE                                              | From               | Up to
------------------------------------------------ | ------------------ | --------------------
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     |                    | 4.9.334 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 4.10 (including)   | 4.14.300 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 4.15 (including)   | 4.19.267 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 4.20 (including)   | 5.4.225 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.5 (including)    | 5.10.155 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.11 (including)   | 5.15.79 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*     | 5.16 (including)   | 6.0.9 (excluding)
cpe:2.3:o:linux:linux_kernel:6.1:rc1:*:*:*:*:*:* |                    |
cpe:2.3:o:linux:linux_kernel:6.1:rc2:*:*:*:*:*:* |                    |
cpe:2.3:o:linux:linux_kernel:6.1:rc3:*:*:*:*:*:* |                    |
cpe:2.3:o:linux:linux_kernel:6.1:rc4:*:*:*:*:*:* |                    |