public inbox for linux-kernel@vger.kernel.org
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Al Viro <viro@zeniv.linux.org.uk>,
	Andreas Gruenbacher <agruenba@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	swhiteho@redhat.com, rpeterso@redhat.com,
	cluster-devel@redhat.com
Subject: [PATCH AUTOSEL 5.15 4/9] gfs2: fix an oops in gfs2_permission
Date: Sun, 12 Nov 2023 08:28:24 -0500
Message-ID: <20231112132830.176228-4-sashal@kernel.org>
In-Reply-To: <20231112132830.176228-1-sashal@kernel.org>

From: Al Viro <viro@zeniv.linux.org.uk>

[ Upstream commit 0abd1557e21c617bd13fc18f7725fc6363c05913 ]

In RCU mode, we might race with gfs2_evict_inode(), which zeroes
->i_gl.  Freeing of the object it points to is RCU-delayed, so
if we manage to fetch the pointer before it's been replaced with
NULL, we are fine.  Check if we'd fetched NULL and treat that
as "bail out and tell the caller to get out of RCU mode".

Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/gfs2/inode.c | 11 +++++++++--
 fs/gfs2/super.c |  2 +-
 2 files changed, 10 insertions(+), 3 deletions(-)

diff --git a/fs/gfs2/inode.c b/fs/gfs2/inode.c
index 97ee17843b4d0..682418d9c8e72 100644
--- a/fs/gfs2/inode.c
+++ b/fs/gfs2/inode.c
@@ -1850,14 +1850,21 @@ int gfs2_permission(struct user_namespace *mnt_userns, struct inode *inode,
 {
 	struct gfs2_inode *ip;
 	struct gfs2_holder i_gh;
+	struct gfs2_glock *gl;
 	int error;
 
 	gfs2_holder_mark_uninitialized(&i_gh);
 	ip = GFS2_I(inode);
-	if (gfs2_glock_is_locked_by_me(ip->i_gl) == NULL) {
+	gl = rcu_dereference(ip->i_gl);
+	if (unlikely(!gl)) {
+		/* inode is getting torn down, must be RCU mode */
+		WARN_ON_ONCE(!(mask & MAY_NOT_BLOCK));
+		return -ECHILD;
+        }
+	if (gfs2_glock_is_locked_by_me(gl) == NULL) {
 		if (mask & MAY_NOT_BLOCK)
 			return -ECHILD;
-		error = gfs2_glock_nq_init(ip->i_gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh);
+		error = gfs2_glock_nq_init(gl, LM_ST_SHARED, LM_FLAG_ANY, &i_gh);
 		if (error)
 			return error;
 	}
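Review bot: The unconditional `gl = rcu_dereference(ip->i_gl);` also runs when `mask` does not have MAY_NOT_BLOCK set, where the caller is not necessarily inside an RCU read-side critical section, so a lockdep build with RCU checking enabled can report suspicious RCU usage on the blocking path. Passing the condition explicitly, for example `rcu_dereference_check(ip->i_gl, !(mask & MAY_NOT_BLOCK))`, keeps the check in RCU mode and avoids the warning otherwise. Separately, the closing brace of the new `if (unlikely(!gl))` block is indented with spaces rather than a tab, unlike the surrounding lines. The short comment in that block would also be more useful if it named the writer it races with, since the NULL store lives in a different file.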
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index 51b44da4a0d64..268651ac9fc84 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -1436,7 +1436,7 @@ static void gfs2_evict_inode(struct inode *inode)
 		wait_on_bit_io(&ip->i_flags, GIF_GLOP_PENDING, TASK_UNINTERRUPTIBLE);
 		gfs2_glock_add_to_lru(ip->i_gl);
 		gfs2_glock_put_eventually(ip->i_gl);
-		ip->i_gl = NULL;
+		rcu_assign_pointer(ip->i_gl, NULL);
 	}
 }
 
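Review bot: The NULL store at `rcu_assign_pointer(ip->i_gl, NULL);` is only safe for the lockless reader in gfs2_permission() because, as the commit message says, freeing of the glock is RCU-delayed, but nothing at this site records that dependency. A one-line comment above the store stating that readers in RCU mode may still hold the old pointer and that the glock must not be freed before a grace period would protect the invariant against later changes to gfs2_glock_put_eventually(). The diffstat lists only inode.c and super.c, so the declaration of `i_gl` is not changed here; if the field is not annotated `__rcu`, sparse will not check the remaining plain accesses such as the two `ip->i_gl` reads just above this line, and it may complain about the new accessors.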
-- 
2.42.0

