[Devel] [PATCH RH9 12/30] ms/ext4: fix potential race between online resizing and write operations
Andrey Zhadchenko
andrey.zhadchenko at virtuozzo.com
Tue Sep 28 21:49:03 MSK 2021
From: Theodore Ts'o <tytso at mit.edu>
ms commit 1d0c3924a92e
During an online resize an array of pointers to buffer heads gets
replaced so it can get enlarged. If there is a racing block
allocation or deallocation which uses the old array, and the old array
has gotten reused this can lead to a GPF or some other random kernel
memory getting modified.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Link: https://lore.kernel.org/r/20200221053458.730016-2-tytso@mit.edu
Reported-by: Suraj Jitindar Singh <surajjs at amazon.com>
Signed-off-by: Theodore Ts'o <tytso at mit.edu>
Cc: stable at kernel.org
https://jira.sw.ru/browse/PSBM-101798
[ktkhai: adopted for our kernel]
Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
[VvS RHEL7.8 rebase] context changes
Ported to vz8 in the scope of https://jira.sw.ru/browse/PSBM-127850
Cherry-picked from vz7 commit ac708c29a6ed ("ms/ext4: fix potential race
between online resizing and write operations").
In fact - only 1 hunk for ext4_alloc_group_desc_bh_array() has been
taken, the patch itself has been already backported by RedHat.
mFixes: 762801fc7090 ("ext4: Fix high probable use-after-free")
Signed-off-by: Konstantin Khorenko <khorenko at virtuozzo.com>
(cherry picked from vz8 commit 2b8aba6c7903855b74c9c682ccd913827762463a)
Signed-off-by: Andrey Zhadchenko <andrey.zhadchenko at virtuozzo.com>
---
fs/ext4/super.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 0186d04..e17a930 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -2773,13 +2773,14 @@ int ext4_alloc_group_desc_bh_array(struct super_block *sb, ext4_group_t ngroup)
return -ENOMEM;
}
- o_group_desc = sbi->s_group_desc;
+ rcu_read_lock();
+ o_group_desc = rcu_dereference(EXT4_SB(sb)->s_group_desc);
memcpy(n_group_desc, o_group_desc,
sbi->s_gdb_count * sizeof(struct buffer_head *));
- WRITE_ONCE(sbi->s_group_desc, n_group_desc);
+ rcu_read_unlock();
+ rcu_assign_pointer(EXT4_SB(sb)->s_group_desc, n_group_desc);
- /* FIXME: rcu is needed here. See ms commit 1d0c3924a92e */
- kvfree(o_group_desc);
+ ext4_kvfree_array_rcu(o_group_desc);
return 0;
}
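Review bot: in the added lines, o_group_desc is read under rcu_read_lock() but is then handed to ext4_kvfree_array_rcu() after rcu_read_unlock(), which is only safe if no other updater can replace s_group_desc in between. A one-line comment naming the lock that serialises callers of ext4_alloc_group_desc_bh_array() would document that assumption. The added lines also spell the access as EXT4_SB(sb)->s_group_desc while the unchanged memcpy() line still uses sbi->s_gdb_count; using sbi in both places would keep the function consistent. ext4_kvfree_array_rcu() is not defined in this hunk, so the patch builds only if the helper from the already backported part of the upstream commit is present in the tree, which is worth confirming before merging.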
--
1.8.3.1