From: Theodore Ts'o <[email protected]>

ms commit 1d0c3924a92e

During an online resize an array of pointers to buffer heads gets replaced so it can get enlarged. If there is a racing block allocation or deallocation which uses the old array, and the old array has gotten reused this can lead to a GPF or some other random kernel memory getting modified.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Link: https://lore.kernel.org/r/[email protected]
Reported-by: Suraj Jitindar Singh <[email protected]>
Signed-off-by: Theodore Ts'o <[email protected]>
Cc: [email protected]

https://jira.sw.ru/browse/PSBM-101798
[ktkhai: adopted for our kernel]
Signed-off-by: Kirill Tkhai <[email protected]>

[VvS RHEL7.8 rebase] context changes

Ported to vz8 in the scope of https://jira.sw.ru/browse/PSBM-127850
Cherry-picked from vz7 commit ac708c29a6ed ("ms/ext4: fix potential race between online resizing and write operations").

In fact - only 1 hunk for ext4_alloc_group_desc_bh_array() has been taken, the patch itself has been already backported by RedHat.

Fixes: 762801fc7090 ("ext4: Fix high probable use-after-free")
Signed-off-by: Konstantin Khorenko <[email protected]>
--- fs/ext4/super.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/fs/ext4/super.c b/fs/ext4/super.c index 7a2accfef466..50d6f574419b 100644 --- a/fs/ext4/super.c +++ b/fs/ext4/super.c 
@@ -2546,13 +2546,14 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup) return -ENOMEM; } - o_group_desc = sbi->s_group_desc; + rcu_read_lock(); + o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc); memcpy(n_group_desc, o_group_desc, sbi->s_gdb_count * sizeof(struct buffer_head *)); - WRITE_ONCE(sbi->s_group_desc, n_group_desc); + rcu_read_unlock(); + rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc); - /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */ - kvfree(o_group_desc); + ext4_kvfree_array_rcu(o_group_desc); return 0; } -- 2.28.0 _______________________________________________ Devel mailing list [email protected] https://lists.openvz.org/mailman/listinfo/devel
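Review bot: o_group_desc is read under rcu_read_lock() in ext4_alloc_group_desc_bh_array() but is still used after rcu_read_unlock(), when it is handed to ext4_kvfree_array_rcu(o_group_desc). That is only safe if no other updater can replace and free the array between the unlock and that call, and nothing in the visible lines says what guarantees it. Please add a short comment naming the serialization this path relies on, or fetch the old pointer with an updater-side accessor such as rcu_dereference_protected() under that lock rather than a reader-side rcu_dereference(). Minor style point: the function now mixes sbi->s_gdb_count with EXT4_SB(sb)->s_group_desc; using sbi for both would read more consistently.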
