git.baikalelectronics.ru Git - kernel.git/commit

author	Jingbo Xu <jefflexu@linux.alibaba.com>
	Fri, 21 Oct 2022 02:31:53 +0000 (10:31 +0800)
committer	Gao Xiang <hsiangkao@linux.alibaba.com>
	Thu, 10 Nov 2022 01:53:20 +0000 (09:53 +0800)
commit	bab0118ab55b70accdb69df2923838a56d992fc8
tree	158096b93d6c55fa5ab086c824a676a44b52284e	tree \| snapshot
parent	4a59e8012036d68917a4545b317f1d0f718492bb	commit \| diff

erofs: fix use-after-free of fsid and domain_id string

When erofs instance is remounted with fsid or domain_id mount option
specified, the original fsid and domain_id string pointer in sbi->opt
is directly overridden with the fsid and domain_id string in the new
fs_context, without freeing the original fsid and domain_id string.
What's worse, when the new fsid and domain_id string is transferred to
sbi, they are not reset to NULL in fs_context, and thus they are freed
when remount finishes, while sbi is still referring to these strings.

Reconfiguration for fsid and domain_id seems unusual. Thus clarify this
restriction explicitly and dump a warning when users are attempting to
do this.

Besides, to fix the use-after-free issue, move fsid and domain_id from
erofs_mount_opts to outside.

Fixes: 1b52c0576b1f ("erofs: register fscache volume")
Fixes: 46b294cf3a65 ("erofs: introduce fscache-based domain")
Signed-off-by: Jingbo Xu <jefflexu@linux.alibaba.com>
Reviewed-by: Jia Zhu <zhujia.zj@bytedance.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20221021023153.1330-1-jefflexu@linux.alibaba.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>

fs/erofs/fscache.c		diff \| blob \| history
fs/erofs/internal.h		diff \| blob \| history
fs/erofs/super.c		diff \| blob \| history
fs/erofs/sysfs.c		diff \| blob \| history