From: Suraj Jitindar Singh <surajjs@amazon.com>
To: <linux-ext4@vger.kernel.org>
Cc: <tytso@mit.edu>, <sblbir@amazon.com>, <sjitindarsingh@gmail.com>,
"Suraj Jitindar Singh" <surajjs@amazon.com>,
<stable@vger.kernel.org>
Subject: [PATCH 2/3] ext4: fix potential race between s_group_info online resizing and access
Date: Tue, 18 Feb 2020 19:08:50 -0800
Message-ID: <20200219030851.2678-3-surajjs@amazon.com>
In-Reply-To: <20200219030851.2678-1-surajjs@amazon.com>
During an online resize an array of pointers to s_group_info gets replaced
so it can get enlarged. If there is a concurrent access to the array in
ext4_get_group_info() and this memory has been reused then this can lead to
an invalid memory access.
Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Signed-off-by: Suraj Jitindar Singh <surajjs@amazon.com>
Cc: stable@vger.kernel.org
---
fs/ext4/ext4.h | 6 +++---
fs/ext4/mballoc.c | 10 ++++++----
2 files changed, 9 insertions(+), 7 deletions(-)
diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h
index 236fc6500340..3f4aaaae7da6 100644
--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2994,13 +2994,13 @@ static inline
struct ext4_group_info *ext4_get_group_info(struct super_block *sb,
ext4_group_t group)
{
- struct ext4_group_info ***grp_info;
+ struct ext4_group_info **grp_info;
long indexv, indexh;
BUG_ON(group >= EXT4_SB(sb)->s_groups_count);
- grp_info = EXT4_SB(sb)->s_group_info;
indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb));
indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1);
- return grp_info[indexv][indexh];
+ grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv);
+ return grp_info[indexh];
}
/*
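Review bot: The added sbi_array_rcu_deref() call in ext4_get_group_info() has no visible rcu_read_lock()/rcu_read_unlock() pairing around it, and the function hands grp_info[indexh] back to the caller after the dereference. If the macro introduced in patch 1/3 does not take the read lock itself, every caller has to be inside an RCU read-side critical section, and that requirement should be stated in a comment above the function. The comment should also say why the returned pointer stays valid after the dereference, since only the outer array appears to be replaced on resize.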
diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c
index f64838187559..0d9b17afc85f 100644
--- a/fs/ext4/mballoc.c
+++ b/fs/ext4/mballoc.c
@@ -2356,7 +2356,7 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
{
struct ext4_sb_info *sbi = EXT4_SB(sb);
unsigned size;
- struct ext4_group_info ***new_groupinfo;
+ struct ext4_group_info ***old_groupinfo, ***new_groupinfo;
size = (ngroups + EXT4_DESC_PER_BLOCK(sb) - 1) >>
EXT4_DESC_PER_BLOCK_BITS(sb);
@@ -2369,13 +2369,15 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups)
ext4_msg(sb, KERN_ERR, "can't allocate buddy meta group");
return -ENOMEM;
}
- if (sbi->s_group_info) {
+ old_groupinfo = sbi->s_group_info;
+ if (sbi->s_group_info)
memcpy(new_groupinfo, sbi->s_group_info,
sbi->s_group_info_size * sizeof(*sbi->s_group_info));
- kvfree(sbi->s_group_info);
- }
sbi->s_group_info = new_groupinfo;
+ rcu_assign_pointer(sbi->s_group_info, new_groupinfo);
sbi->s_group_info_size = size / sizeof(*sbi->s_group_info);
+ if (old_groupinfo)
+ ext4_kvfree_array_rcu(old_groupinfo);
ext4_debug("allocated s_groupinfo array for %d meta_bg's\n",
sbi->s_group_info_size);
return 0;
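Review bot: The plain store "sbi->s_group_info = new_groupinfo;" is still present as a context line directly above the added "rcu_assign_pointer(sbi->s_group_info, new_groupinfo);", so the new array is published once without the ordering that rcu_assign_pointer() provides and is then assigned a second time. The plain store should be removed so that rcu_assign_pointer() is the only publication. Two smaller points in the same hunk: the "if (sbi->s_group_info)" test and the memcpy() could use the old_groupinfo local that was just loaded, and s_group_info_size is updated after the pointer is published, so it is worth confirming that no reader depends on the size and the pointer being consistent with each other.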
--
2.17.1