On 6/5/25 15:18, Zhiguo Niu wrote:
> The decompress_io_ctx may be released asynchronously after
> I/O completion. If this file is deleted immediately after read,
> and the kworker of processing post_read_wq has not been executed yet
> due to high workloads, it is possible that the inode (f2fs_inode_info)
> is evicted and freed before it is used in f2fs_free_dic.
>
> The UAF case as below:
>
> Thread A                                 Thread B
> - f2fs_decompress_end_io
>  - f2fs_put_dic
>   - queue_work
>     add free_dic work to post_read_wq
>                                          - do_unlink
>                                           - iput
>                                            - evict
>                                             - call_rcu
>                                          This file is deleted after read.
>
> Thread C kworker to process post_read_wq
> - rcu_do_batch
>  - f2fs_free_inode
>   - kmem_cache_free
>     inode is freed by rcu
> - process_scheduled_works
>  - f2fs_late_free_dic
>   - f2fs_free_dic
>    - f2fs_release_decomp_mem
>      read (dic->inode)->i_compress_algorithm
>
> This patch uses igrab before f2fs_free_dic and iput after freeing the dic
> when the dic free action is done by kworker.
>
> Cc: Daeho Jeong <daehoje...@google.com>
> Fixes: bff139b49d9f ("f2fs: handle decompress only post processing in softirq")
> Signed-off-by: Zhiguo Niu <zhiguo....@unisoc.com>
> Signed-off-by: Baocong Liu <baocong....@unisoc.com>
Reviewed-by: Chao Yu <c...@kernel.org>

Thanks,

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
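The ordering in the patch description (I/O completion defers the dic free, the file is unlinked and its inode evicted, then the kworker runs and dereferences dic->inode) can be reproduced in a small userspace model. The following is an added illustration, not f2fs code or the patch itself: the "inode" is a refcounted object with an instrumented freed flag, the "dic" holds a raw pointer to it, and igrab/iput are hypothetical stand-ins that mimic the reference-taking fix described above. The unfixed path returns -1 where the kernel would read freed memory; the fixed path holds a reference across the deferral, so the inode is still valid when the worker reads i_compress_algorithm.

```c
#include <assert.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model of the lifetime bug from the patch description.
 * None of this is f2fs code; names mirror the kernel ones for readability. */

struct inode {
    int refcount;           /* models i_count */
    int compress_algorithm; /* models i_compress_algorithm */
    bool freed;             /* instrumentation: set once the inode is "freed" */
};

struct dic {
    struct inode *inode;    /* raw pointer, as in decompress_io_ctx */
    bool holds_inode_ref;   /* true when a reference was taken before deferral */
};

/* Instead of really freeing, mark the object so a later read is detectable. */
static void inode_free(struct inode *inode) { inode->freed = true; }

/* Hypothetical igrab(): take a reference, or fail if the inode is already gone. */
static struct inode *igrab(struct inode *inode) {
    if (inode->freed)
        return NULL;
    inode->refcount++;
    return inode;
}

/* Hypothetical iput(): evict + RCU free collapsed into one step when the last ref drops. */
static void iput(struct inode *inode) {
    if (--inode->refcount == 0)
        inode_free(inode);
}

/* Thread A: I/O completion queues the dic free to a worker. With fixed=true the
 * reference is taken first, so eviction cannot happen while the work is pending. */
static struct dic *put_dic_deferred(struct inode *inode, bool fixed) {
    struct dic *dic = calloc(1, sizeof(*dic));
    dic->inode = inode;
    if (fixed && igrab(inode))
        dic->holds_inode_ref = true;
    return dic;
}

/* Thread C: the kworker finally runs. Returns the algorithm it read, or -1 if
 * the read would have touched a freed inode (the UAF in the unfixed ordering). */
static int late_free_dic(struct dic *dic) {
    struct inode *inode = dic->inode;
    int algo;

    if (inode->freed) {     /* a real kernel would just read freed memory here */
        free(dic);
        return -1;
    }
    algo = inode->compress_algorithm; /* models f2fs_release_decomp_mem's read */
    if (dic->holds_inode_ref)
        iput(inode);        /* drop the reference taken before deferral */
    free(dic);
    return algo;
}

/* Drives the exact ordering from the report: defer, unlink+iput, then worker. */
static int run_race(bool fixed) {
    struct inode ino = { .refcount = 1, .compress_algorithm = 2, .freed = false };
    struct dic *dic = put_dic_deferred(&ino, fixed);

    iput(&ino);                 /* Thread B: do_unlink -> iput -> evict -> free */
    return late_free_dic(dic);  /* Thread C: kworker processes post_read_wq */
}

int main(void) {
    printf("unfixed ordering: %d (-1 means use-after-free)\n", run_race(false));
    printf("fixed ordering:   %d (algorithm read safely)\n", run_race(true));
    return 0;
}
```

The model collapses evict and the RCU callback into a single iput() step; in the real kernel the gap between call_rcu and rcu_do_batch is what makes the window timing-dependent, which is why the bug only shows up under load.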