[Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree

cluster-devel.redhat.com archive mirror
 help / color / mirror / Atom feed

* [Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree
       [not found] <207295868.17586762.1465504023478.JavaMail.zimbra@redhat.com>
@ 2016-06-09 20:27 ` Bob Peterson
  2016-06-10 10:31   ` Steven Whitehouse
  0 siblings, 1 reply; 2+ messages in thread
From: Bob Peterson @ 2016-06-09 20:27 UTC (permalink / raw)
  To: cluster-devel.redhat.com

Hi,

Before this patch, function read_rindex_entry would set a rgrp
glock's gl_object pointer to itself before inserting the rgrp into
the rgrp rbtree. The problem is: if another process was also reading
the rgrp in, and had already inserted its newly created rgrp, then
the second call to read_rindex_entry would overwrite that value,
then return a bad return code to the caller. Later, other functions
would reference the now-freed rgrp memory by way of gl_object.
In some cases, that could result in gfs2_rgrp_brelse being called
twice for the same rgrp: once for the failed attempt and once for
the "real" rgrp release. Eventually the kernel would panic.
There are also a number of other things that could go wrong when
a kernel module is accessing freed storage. For example, this could
result in rgrp corruption because the fake rgrp would point to a
fake bitmap in memory too, causing gfs2_inplace_reserve to search
some random memory for free blocks, and find some, since we were
never setting rgd->rd_bits to NULL before freeing it.

This patch fixes the problem by not setting gl_object until we
have successfully inserted the rgrp into the rbtree. Also, it sets
rd_bits to NULL as it frees them, which will ensure any accidental
access to the wrong rgrp will result in a kernel panic rather than

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
---
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index 5bd2169..960aaf4 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -722,6 +722,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)

 		gfs2_free_clones(rgd);
 		kfree(rgd->rd_bits);
+		rgd->rd_bits = NULL;
 		return_all_reservations(rgd);
 		kmem_cache_free(gfs2_rgrpd_cachep, rgd);
 	}
@@ -916,9 +917,6 @@ static int read_rindex_entry(struct gfs2_inode *ip)
 	if (error)
 		goto fail;

-	rgd->rd_gl->gl_object = rgd;
-	rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
-	rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + rgd->rd_length) * bsize) - 1;
 	rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr;
 	rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED);
 	if (rgd->rd_data > sdp->sd_max_rg_data)
@@ -926,14 +924,20 @@ static int read_rindex_entry(struct gfs2_inode *ip)
 	spin_lock(&sdp->sd_rindex_spin);
 	error = rgd_insert(rgd);
 	spin_unlock(&sdp->sd_rindex_spin);
-	if (!error)
+	if (!error) {
+		rgd->rd_gl->gl_object = rgd;
+		rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
+		rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr +
+						    rgd->rd_length) * bsize) - 1;
 		return 0;
+	}

 	error = 0; /* someone else read in the rgrp; free it and ignore it */
 	gfs2_glock_put(rgd->rd_gl);

 fail:
 	kfree(rgd->rd_bits);
+	rgd->rd_bits = NULL;
 	kmem_cache_free(gfs2_rgrpd_cachep, rgd);
 	return error;
 }

^ permalink raw reply related	[flat|nested] 2+ messages in thread

* [Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree
  2016-06-09 20:27 ` [Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree Bob Peterson
@ 2016-06-10 10:31   ` Steven Whitehouse
  0 siblings, 0 replies; 2+ messages in thread
From: Steven Whitehouse @ 2016-06-10 10:31 UTC (permalink / raw)
  To: cluster-devel.redhat.com

Hi,

Acked-by: Steven Whitehouse <swhiteho@redhat.com>

Steve.

On 09/06/16 21:27, Bob Peterson wrote:
> Hi,
>
> Before this patch, function read_rindex_entry would set a rgrp
> glock's gl_object pointer to itself before inserting the rgrp into
> the rgrp rbtree. The problem is: if another process was also reading
> the rgrp in, and had already inserted its newly created rgrp, then
> the second call to read_rindex_entry would overwrite that value,
> then return a bad return code to the caller. Later, other functions
> would reference the now-freed rgrp memory by way of gl_object.
> In some cases, that could result in gfs2_rgrp_brelse being called
> twice for the same rgrp: once for the failed attempt and once for
> the "real" rgrp release. Eventually the kernel would panic.
> There are also a number of other things that could go wrong when
> a kernel module is accessing freed storage. For example, this could
> result in rgrp corruption because the fake rgrp would point to a
> fake bitmap in memory too, causing gfs2_inplace_reserve to search
> some random memory for free blocks, and find some, since we were
> never setting rgd->rd_bits to NULL before freeing it.
>
> This patch fixes the problem by not setting gl_object until we
> have successfully inserted the rgrp into the rbtree. Also, it sets
> rd_bits to NULL as it frees them, which will ensure any accidental
> access to the wrong rgrp will result in a kernel panic rather than
>
> Signed-off-by: Bob Peterson <rpeterso@redhat.com>
> ---
> diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
> index 5bd2169..960aaf4 100644
> --- a/fs/gfs2/rgrp.c
> +++ b/fs/gfs2/rgrp.c
> @@ -722,6 +722,7 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
>   
>   		gfs2_free_clones(rgd);
>   		kfree(rgd->rd_bits);
> +		rgd->rd_bits = NULL;
>   		return_all_reservations(rgd);
>   		kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>   	}
> @@ -916,9 +917,6 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>   	if (error)
>   		goto fail;
>   
> -	rgd->rd_gl->gl_object = rgd;
> -	rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> -	rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr + rgd->rd_length) * bsize) - 1;
>   	rgd->rd_rgl = (struct gfs2_rgrp_lvb *)rgd->rd_gl->gl_lksb.sb_lvbptr;
>   	rgd->rd_flags &= ~(GFS2_RDF_UPTODATE | GFS2_RDF_PREFERRED);
>   	if (rgd->rd_data > sdp->sd_max_rg_data)
> @@ -926,14 +924,20 @@ static int read_rindex_entry(struct gfs2_inode *ip)
>   	spin_lock(&sdp->sd_rindex_spin);
>   	error = rgd_insert(rgd);
>   	spin_unlock(&sdp->sd_rindex_spin);
> -	if (!error)
> +	if (!error) {
> +		rgd->rd_gl->gl_object = rgd;
> +		rgd->rd_gl->gl_vm.start = (rgd->rd_addr * bsize) & PAGE_MASK;
> +		rgd->rd_gl->gl_vm.end = PAGE_ALIGN((rgd->rd_addr +
> +						    rgd->rd_length) * bsize) - 1;
>   		return 0;
> +	}
>   
>   	error = 0; /* someone else read in the rgrp; free it and ignore it */
>   	gfs2_glock_put(rgd->rd_gl);
>   
>   fail:
>   	kfree(rgd->rd_bits);
> +	rgd->rd_bits = NULL;
>   	kmem_cache_free(gfs2_rgrpd_cachep, rgd);
>   	return error;
>   }
>



^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2016-06-10 10:31 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
     [not found] <207295868.17586762.1465504023478.JavaMail.zimbra@redhat.com>
2016-06-09 20:27 ` [Cluster-devel] [GFS2 PATCH] GFS2: don't set rgrp gl_object until it's inserted into rgrp tree Bob Peterson
2016-06-10 10:31   ` Steven Whitehouse

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).