[Devel] [PATCH vz8] ext4: Fix high probable use-after-free
Konstantin Khorenko
khorenko at virtuozzo.com
Thu Jun 17 00:52:01 MSK 2021
From: Kirill Tkhai <ktkhai at virtuozzo.com>
Here we have even worse race than in mainstream.
https://jira.sw.ru/browse/PSBM-101798
Fixes: 86521524314e "ext4: replace ext4_kvmalloc() with kvmalloc()"
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
(cherry picked from vz7 commit 601cc650f4ef ("ext4: Fix high probable
use-after-free"))
Fixes: vz8 commit 5e0235ca2ae8 ("ext4: replace ext4_kvmalloc() with
kvmalloc()")
In the scope of https://jira.sw.ru/browse/PSBM-127850
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
fs/ext4/super.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 5398e022f088..7a2accfef466 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2534,7 +2534,7 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
unsigned long num_desc = DIV_ROUND_UP(ngroup, EXT4_DESC_PER_BLOCK(sb));
- struct buffer_head **n_group_desc;
+ struct buffer_head **o_group_desc, **n_group_desc;
if (num_desc <= sbi->s_gdb_count)
return 0;
@@ -2546,11 +2546,13 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup)
return -ENOMEM;
}
- memcpy(n_group_desc, sbi->s_group_desc,
- sbi->s_gdb_count * sizeof(struct buffer_head *));
- kvfree(sbi->s_group_desc);
+ o_group_desc = sbi->s_group_desc;
+ memcpy(n_group_desc, o_group_desc,
+ sbi->s_gdb_count * sizeof(struct buffer_head *));
+ WRITE_ONCE(sbi->s_group_desc, n_group_desc);
- sbi->s_group_desc = n_group_desc;
+ /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */
+ kvfree(o_group_desc);
return 0;
}
--
2.28.0
More information about the Devel
mailing list