[Devel] [PATCH RHEL8 COMMIT] ext4: Fix high probable use-after-free

Thu, 17 Jun 2021 12:42:10 -0700 

The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear 
at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.44
------>
commit 762801fc70906210823e70f09240afa974d361f8
Author: Kirill Tkhai <[email protected]>
Date:   Fri Mar 6 18:28:54 2020 +0300

    ext4: Fix high probable use-after-free
    
    Here we have even worse race than in mainstream.
    
    https://jira.sw.ru/browse/PSBM-101798
    
    Fixes: 86521524314e "ext4: replace ext4_kvmalloc() with kvmalloc()"
    Signed-off-by: Kirill Tkhai <[email protected]>
    
    (cherry picked from vz7 commit 601cc650f4ef ("ext4: Fix high probable
    use-after-free"))
    
    Fixes: vz8 commit 5e0235ca2ae8 ("ext4: replace ext4_kvmalloc() with
    kvmalloc()")
    
    In the scope of https://jira.sw.ru/browse/PSBM-127850
    Signed-off-by: Konstantin Khorenko <[email protected]>
---
 fs/ext4/super.c | 12 +++++++-----
 1 file changed, 7 insertions(+), 5 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 5398e022f088..7a2accfef466 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2534,7 +2534,7 @@ int ext4_alloc_group_desc_bh_array(struct super_block 
*sb, ext4_group_t ngroup)
 {
        struct ext4_sb_info *sbi = EXT4_SB(sb);
        unsigned long num_desc = DIV_ROUND_UP(ngroup,  EXT4_DESC_PER_BLOCK(sb));
-       struct buffer_head **n_group_desc;
+       struct buffer_head **o_group_desc, **n_group_desc;
 
        if (num_desc <= sbi->s_gdb_count)
                return 0;
@@ -2546,11 +2546,13 @@ int ext4_alloc_group_desc_bh_array(struct super_block 
*sb, ext4_group_t ngroup)
                return -ENOMEM;
        }
 
-       memcpy(n_group_desc, sbi->s_group_desc,
-               sbi->s_gdb_count * sizeof(struct buffer_head *));
-       kvfree(sbi->s_group_desc);
+       o_group_desc = sbi->s_group_desc;
+       memcpy(n_group_desc, o_group_desc,
+              sbi->s_gdb_count * sizeof(struct buffer_head *));
+       WRITE_ONCE(sbi->s_group_desc, n_group_desc);
 
-       sbi->s_group_desc = n_group_desc;
+       /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */
+       kvfree(o_group_desc);
        return 0;
 }
 
_______________________________________________
Devel mailing list
[email protected]
https://lists.openvz.org/mailman/listinfo/devel

Reply via email to