[Devel] [PATCH RHEL8 COMMIT] ms/ext4: fix potential race between online resizing and write operations

Konstantin Khorenko khorenko at virtuozzo.com
Thu Jun 17 18:41:06 MSK 2021


The commit is pushed to "branch-rh8-4.18.0-240.1.1.vz8.5.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh8-4.18.0-240.1.1.vz8.5.44
------>
commit d496aa2f8ba036a9d60fab2694a7d9ccf4d5b0d2
Author: Theodore Ts'o <tytso at mit.edu>
Date:   Fri Mar 6 18:28:55 2020 +0300

    ms/ext4: fix potential race between online resizing and write operations
    
    ms commit 1d0c3924a92e
    
    During an online resize an array of pointers to buffer heads gets
    replaced so it can get enlarged.  If there is a racing block
    allocation or deallocation which uses the old array, and the old array
    has gotten reused this can lead to a GPF or some other random kernel
    memory getting modified.
    
    Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
    Link: https://lore.kernel.org/r/20200221053458.730016-2-tytso@mit.edu
    Reported-by: Suraj Jitindar Singh <surajjs at amazon.com>
    Signed-off-by: Theodore Ts'o <tytso at mit.edu>
    Cc: stable at kernel.org
    
    https://jira.sw.ru/browse/PSBM-101798
    [ktkhai: adopted for our kernel]
    
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
    [VvS RHEL7.8 rebase] context changes
    
    Ported to vz8 in the scope of https://jira.sw.ru/browse/PSBM-127850
    
    Cherry-picked from vz7 commit ac708c29a6ed ("ms/ext4: fix potential race
    between online resizing and write operations").
    In fact, only 1 hunk for ext4_alloc_group_desc_bh_array() has been
    taken; the patch itself has already been backported by RedHat.
    
    Fixes: 762801fc7090 ("ext4: Fix high probable use-after-free")
    
    Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
---
 fs/ext4/super.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 7a2accfef466..50d6f574419b 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2546,13 +2546,14 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup)
 		return -ENOMEM;
 	}
 
-	o_group_desc = sbi->s_group_desc;
+	rcu_read_lock();
+	o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
 	memcpy(n_group_desc, o_group_desc,
 	       sbi->s_gdb_count * sizeof(struct buffer_head *));
-	WRITE_ONCE(sbi->s_group_desc, n_group_desc);
+	rcu_read_unlock();
+	rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc);
 
-	/* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */
-	kvfree(o_group_desc);
+	ext4_kvfree_array_rcu(o_group_desc);
 	return 0;
 }
 
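Review bot: the hunk mixes `sbi` and `EXT4_SB(sb)` for the same superblock info: the unchanged memcpy line reads `sbi->s_gdb_count`, while the two added lines use `EXT4_SB(sb)->s_group_desc`. Since `sbi` is already in scope, `rcu_dereference(sbi->s_group_desc)` and `rcu_assign_pointer(sbi->s_group_desc, n_group_desc)` would read consistently with the surrounding code. Worth spelling out in the commit message as well: `rcu_read_unlock()` is dropped before `rcu_assign_pointer()`, so the read-side critical section only keeps the old array alive for the duration of the memcpy; publishing the new array still relies on the caller serializing resizes against each other, because two unserialized callers could each copy the same old array and the later `rcu_assign_pointer()` would replace the earlier one's result. Finally, confirm that `ext4_kvfree_array_rcu()` exists in this tree: the message says the rest of ms commit 1d0c3924a92e was already backported by RedHat, and the replacement of the plain `kvfree()` depends on that helper deferring the free past a grace period.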