CVE-2022-49834

Source
https://nvd.nist.gov/vuln/detail/CVE-2022-49834
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2022-49834.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2022-49834
Published
2025-05-01T15:16:06Z
Modified
2025-08-09T20:01:26Z
Summary
[none]
Details

In the Linux kernel, the following vulnerability has been resolved:

nilfs2: fix use-after-free bug of ns_writer on remount

If a nilfs2 filesystem is downgraded to read-only due to metadata corruption on disk and is remounted read/write, or if emergency read-only remount is performed, detaching a log writer and synchronizing the filesystem can be done at the same time.

In these cases, use-after-free of the log writer (hereinafter nilfs->ns_writer) can happen as shown in the scenario below:

Task1                                Task2
--------------------------------     ------------------------------
nilfs_construct_segment
  nilfs_segctor_sync
    init_wait
    init_waitqueue_entry
    add_wait_queue
    schedule
                                     nilfs_remount (R/W remount case)
                                       nilfs_attach_log_writer
                                         nilfs_detach_log_writer
                                           nilfs_segctor_destroy
                                             kfree
    finish_wait
      _raw_spin_lock_irqsave
        __raw_spin_lock_irqsave
          do_raw_spin_lock
            debug_spin_lock_before  <-- use-after-free

While Task1 is sleeping, nilfs->ns_writer is freed by Task2. After Task1 wakes up, Task1 accesses nilfs->ns_writer, which is already freed. This scenario diagram is based on Shigeru Yoshida's post [1].

This patch fixes the issue by not detaching nilfs->ns_writer on remount so that this UAF race doesn't happen. Along with this change, this patch also inserts a few necessary read-only checks with the superblock instance where only the ns_writer pointer was used to check if the filesystem is read-only.
