[Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

[Steven Whitehouse <swhiteho@redhat.com>]

Hi,

Acked-by: Steven Whitehouse <swhiteho@redhat.com>

Steve.

On 09/06/16 21:27, Bob Peterson wrote:
> Hi,
>
> Before this patch, function read_rindex_entry would set a rgrp
> glock's gl_object pointer to itself before inserting the rgrp into
> the rgrp rbtree. The problem is: if another process was also reading
> the rgrp in, and had already inserted its newly created rgrp, then
> the second call to read_rindex_entry would overwrite that value,
> then return a bad return code to the caller. Later, other functions
> would reference the now-freed rgrp memory by way of gl_object.
> In some cases, that could result in gfs2_rgrp_brelse being called
> twice for the same rgrp: once for the failed attempt and once for
> the "real" rgrp release. Eventually the kernel would panic.
> There are also a number of other things that could go wrong when
> a kernel module is accessing freed storage. For example, this could
> result in rgrp corruption because the fake rgrp would point to a
> fake bitmap in memory too, causing gfs2_inplace_reserve to search
> some random memory for free blocks, and find some, since we were
> never setting rgd->rd_bits to NULL before freeing it.
>
> This patch fixes the problem by not setting gl_object until we
> have successfully inserted the rgrp into the rbtree. Also, it sets
> rd_bits to NULL as it frees them, which will ensure any accidental
> access to the wrong rgrp will result in a kernel panic rather than
>
> Signed-off-by: Bob Peterson <rpeterso@redhat.com>
> ---
> diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
> index 5bd2169..960aaf4 100644
> --- a/fs/gfs2/rgrp.c
> +++ b/fs/gfs2/rgrp.c
> @@ -722,6 +722,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
>   
>   		gfs2_free_clones(rgd);
>   		kfree(rgd->rd_bits);
> +		rgd->rd_bits = NULL;
>   		return_all_reservations(rgd);
>   		kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>   	}
> @@ -916,9 +917,6 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>   	if (error)
>   		goto fail;
>   
> -	rgd->rd_gl->gl_object = rgd;
> -	rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> -	rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + rgd->rd_length) * bsize) - 1;
>   	rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr;
>   	rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED);
>   	if (rgd->rd_data > sdp->sd_max_rg_data)
> @@ -926,14 +924,20 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>   	spin_lock(&sdp->sd_rindex_spin);
>   	error = rgd_insert(rgd);
>   	spin_unlock(&sdp->sd_rindex_spin);
> -	if (!error)
> +	if (!error) {
> +		rgd->rd_gl->gl_object = rgd;
> +		rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> +		rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr +
> +						    rgd->rd_length) * bsize) - 1;
>   		return 0;
> +	}
>   
>   	error = 0; /* someone else read in the rgrp; free it and ignore it */
>   	gfs2_glock_put(rgd->rd_gl);
>   
>   fail:
>   	kfree(rgd->rd_bits);
> +	rgd->rd_bits = NULL;
>   	kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>   	return error;
>   }
>