APPLIED: [SRU][F/J][PATCH v2 0/1] CVE-2023-52760

[Stefan Bader]

On 12.07.24 03:26, Yuxuan Luo wrote:
> [Impact]
> A potential use-after-free may occur in gfs2 file system when unmounting
> the fs, which put the system's control integrity at risk.
> 
> [Backport]
> The fix commit, bdcb8aa434c6 ("gfs2: Fix slab-use-after-free in
> gfs2_qd_dealloc"), addresses two problems:
> 
> 1) UAF caused by gfs2_quota_cleanup() not called if not already
> withdrawn "[otherwise], struct gfs2_sbd will be freed before
> gfs2_qd_dealloc (rcu callback) has run for all gfs2_quota_data objects".
> 2) Double-free by calling gfs2_quota_cleanup() twice if in not read-only
> mode.
> 
> The second issue is introduced by f66af88e3321 ("gfs2: Stop using
> gfs2_make_fs_ro for withdraw") while the first one predate in the very
> old kernels. To solve the first one, only call the gfs2_quota_cleanup()
> if the gfs2_make_fs_ro() is not called since gfs2_make_fs_ro() calls
> gfs2_quota_cleanup() as well.
> 
> [Test]
> Compile and boot tested only.
> 
> [Where things could go wrong]
> Regression might occur when unmounting the fs.
> 
> Juntong Deng (1):
>    gfs2: Fix slab-use-after-free in gfs2_qd_dealloc
> 
>   fs/gfs2/super.c | 2 ++
>   1 file changed, 2 insertions(+)
> 

Applied to jammy,focal:linux/master-next. Thanks.

-Stefan

-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_0xE8675DEECBEECEA3.asc
Type: application/pgp-keys
Size: 48643 bytes
Desc: OpenPGP public key
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240719/7dae3f2f/attachment-0001.key>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature.asc
Type: application/pgp-signature
Size: 833 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ubuntu.com/archives/kernel-team/attachments/20240719/7dae3f2f/attachment-0001.sig>