From: Kirill Tkhai <[email protected]>

Here we have an even worse race than in mainstream.
https://jira.sw.ru/browse/PSBM-101798 Fixes: 86521524314e "ext4: replace ext4_kvmalloc() with kvmalloc()" Signed-off-by: Kirill Tkhai <[email protected]> (cherry picked from vz7 commit 601cc650f4ef ("ext4: Fix high probable use-after-free")) Fixes: vz8 commit 5e0235ca2ae8 ("ext4: replace ext4_kvmalloc() with kvmalloc()") In the scope of https://jira.sw.ru/browse/PSBM-127850 Signed-off-by: Konstantin Khorenko <[email protected]> --- fs/ext4/super.c | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 5398e022f088..7a2accfef466 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c @@ -2534,7 +2534,7 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup) { struct ext4_sb_info *sbi = EXT4_SB(sb); unsigned long num_desc = DIV_ROUND_UP(ngroup, EXT4_DESC_PER_BLOCK(sb)); - struct buffer_head **n_group_desc; + struct buffer_head **o_group_desc, **n_group_desc; if (num_desc <= sbi->s_gdb_count) return 0; @@ -2546,11 +2546,13 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup) return -ENOMEM; } - memcpy(n_group_desc, sbi->s_group_desc, - sbi->s_gdb_count * sizeof(struct buffer_head *)); - kvfree(sbi->s_group_desc); + o_group_desc = sbi->s_group_desc; + memcpy(n_group_desc, o_group_desc, + sbi->s_gdb_count * sizeof(struct buffer_head *)); + WRITE_ONCE(sbi->s_group_desc, n_group_desc); - sbi->s_group_desc = n_group_desc; + /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */ + kvfree(o_group_desc); return 0; } -- 2.28.0 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
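Review bot: In the second hunk of ext4_alloc_group_desc_bh_array(), `kvfree(o_group_desc)` still runs immediately after `WRITE_ONCE(sbi->s_group_desc, n_group_desc)`, so a reader that loaded the old pointer just before the store can still dereference the freed array. The window is narrower than before but it is not closed, as the FIXME itself says. I would rather see the free deferred past a grace period, in the way the FIXME attributes to ms commit 1d0c3924a92e, than have the FIXME merged as is. Two smaller points on the same lines: WRITE_ONCE() does not order the preceding memcpy() before the pointer store, so publishing with rcu_assign_pointer() or smp_store_release() would guarantee that a reader who sees the new pointer also sees the copied entries; and the readers of sbi->s_group_desc, which are not visible in this diff, need a matching READ_ONCE() or rcu_dereference() for the WRITE_ONCE() to be meaningful.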
