Re: [PATCH] ocfs2: fix use-after-free in ocfs2_inode_lock_full_nested during unmount

Next message: Abel Vesa: "Re: [PATCH v3 2/3] arm64: dts: qcom: Add Eliza-specific PM7750BA dtsi"
Previous message: kernel test robot: "Re: [PATCH v8 4/4] kunit: Add documentation for warning backtrace suppression API"
In reply to: Jiakai Xu: "Re: [PATCH] ocfs2: fix use-after-free in ocfs2_inode_lock_full_nested during unmount"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jiakai Xu

Date: Wed May 13 2026 - 02:14:10 EST

> In generic_shutdown_super(), it clears SB_ACTIVE.
> So it seems we can check this flag.

Hi Joseph,

Thank you for the suggestion. I looked into the SB_ACTIVE approach,
but it seems like it still cannot fully close the TOCTOU window.
Let me explain my understanding:

generic_shutdown_super() clears SB_ACTIVE and then calls put_super(),
so checking sb->s_flags & SB_ACTIVE in ocfs2_inode_lock_full_nested()
would access the superblock itself (which is still alive), not osb.
That part is safe. However, consider this race:

Thread A (inotify_add_watch) Thread B (umount)
───────────────────────────── ─────────────────────
read sb->s_flags → SB_ACTIVE set
generic_shutdown_super()
→ clear SB_ACTIVE
→ put_super
→ kfree(osb)
osb = OCFS2_SB(sb) → osb is freed
→ use osb → UAF

So even with the SB_ACTIVE check at the beginning of
ocfs2_inode_lock_full_nested(), there is still a window between
the flag check and the actual dereference of osb where the
filesystem teardown can complete and free the osb structure.

To be honest, I'm finding it difficult to come up with a clean
solution for this race. I wonder if you or anyone in the community
might have ideas on how to best address it.

Any guidance would be greatly appreciated.

Best regards,
Jiakai