From: Theodore Ts'o <ty...@mit.edu>

ms commit 1d0c3924a92e
During an online resize an array of pointers to buffer heads gets replaced so it can get enlarged. If there is a racing block allocation or deallocation which uses the old array, and the old array has gotten reused this can lead to a GPF or some other random kernel memory getting modified.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Link: https://lore.kernel.org/r/20200221053458.730016-2-ty...@mit.edu
Reported-by: Suraj Jitindar Singh <sura...@amazon.com>
Signed-off-by: Theodore Ts'o <ty...@mit.edu>
Cc: sta...@kernel.org

https://jira.sw.ru/browse/PSBM-101798

[ktkhai: adopted for our kernel]
Signed-off-by: Kirill Tkhai <ktk...@virtuozzo.com>

[VvS RHEL7.8 rebase] context changes

Ported to vz8 in the scope of https://jira.sw.ru/browse/PSBM-127850

Cherry-picked from vz7 commit ac708c29a6ed ("ms/ext4: fix potential race between online resizing and write operations").

In fact - only 1 hunk for ext4_alloc_group_desc_bh_array() has been taken, the patch itself has been already backported by RedHat.

mFixes: 762801fc7090 ("ext4: Fix high probable use-after-free")
Signed-off-by: Konstantin Khorenko <khore...@virtuozzo.com>

(cherry picked from vz8 commit 2b8aba6c7903855b74c9c682ccd913827762463a)
Signed-off-by: Andrey Zhadchenko <andrey.zhadche...@virtuozzo.com>
--- fs/ext4/super.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 0186d04..e17a930 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c 
@@ -2773,13 +2773,14 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup) return -ENOMEM; } - o_group_desc = sbi->s_group_desc; + rcu_read_lock(); + o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc); memcpy(n_group_desc, o_group_desc, sbi->s_gdb_count * sizeof(struct buffer_head *)); - WRITE_ONCE(sbi->s_group_desc, n_group_desc); + rcu_read_unlock(); + rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc); - /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */ - kvfree(o_group_desc); + ext4_kvfree_array_rcu(o_group_desc); return 0; } -- 1.8.3.1 _______________________________________________ Devel mailing list Devel@openvz.org https://lists.openvz.org/mailman/listinfo/devel
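
Review bot: o_group_desc is loaded inside the rcu_read_lock()/rcu_read_unlock() pair but is used again after the unlock, in ext4_kvfree_array_rcu(o_group_desc), which is only safe if nothing else can replace and free s_group_desc concurrently with this function. The hunk does not show what serialises updaters, so please add a comment naming the lock that does, or read the pointer with rcu_dereference_protected() under that lock so lockdep can check it. As a style point, the new lines use EXT4_SB(sb)->s_group_desc while the unchanged memcpy() context still uses sbi->s_gdb_count; using sbi throughout would keep the function consistent. Since the commit message says only this hunk was taken and the rest came from the RedHat backport, it is worth confirming that ext4_kvfree_array_rcu() and the rcu_dereference() readers of s_group_desc are present in this tree, as neither is part of this diff.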