Donate to e Foundation | Murena handsets with /e/OS | Own a part of Murena! Learn more

Commit 0809e108 authored by Bob Peterson's avatar Bob Peterson Committed by Greg Kroah-Hartman
Browse files

gfs2: fix glock reference problem in gfs2_trans_remove_revoke 



[ Upstream commit fe5e7ba11fcf1d75af8173836309e8562aefedef ]

Commit 9287c6452d2b fixed a situation in which gfs2 could use a glock
after it had been freed. To do that, it temporarily added a new glock
reference by calling gfs2_glock_hold in function gfs2_add_revoke.
However, if the bd element was removed by gfs2_trans_remove_revoke, it
failed to drop the additional reference.

This patch adds logic to gfs2_trans_remove_revoke to properly drop the
additional glock reference.

Fixes: 9287c6452d2b ("gfs2: Fix occasional glock use-after-free")
Cc: stable@vger.kernel.org # v5.2+
Signed-off-by: default avatarBob Peterson <rpeterso@redhat.com>
Signed-off-by: default avatarAndreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: default avatarSasha Levin <sashal@kernel.org>
parent 2de11b2e

fs/gfs2/log.c

+8 −0
Original line number Original line Diff line number Diff line
@@ -613,6 +613,14 @@ void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd) 
	list_add(&bd->bd_list, &sdp->sd_log_le_revoke);

	list_add(&bd->bd_list, &sdp->sd_log_le_revoke);

}

}





void gfs2_glock_remove_revoke(struct gfs2_glock *gl)

{

	if (atomic_dec_return(&gl->gl_revokes) == 0) {

		clear_bit(GLF_LFLUSH, &gl->gl_flags);

		gfs2_glock_queue_put(gl);

	}

}



void gfs2_write_revokes(struct gfs2_sbd *sdp)

void gfs2_write_revokes(struct gfs2_sbd *sdp)

{

{

	struct gfs2_trans *tr;

	struct gfs2_trans *tr;

fs/gfs2/log.h

+1 −0
Original line number Original line Diff line number Diff line
@@ -80,6 +80,7 @@ extern void gfs2_ail1_flush(struct gfs2_sbd *sdp, struct writeback_control *wbc) 
extern void gfs2_log_shutdown(struct gfs2_sbd *sdp);

extern void gfs2_log_shutdown(struct gfs2_sbd *sdp);

extern int gfs2_logd(void *data);

extern int gfs2_logd(void *data);

extern void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd);

extern void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd);

extern void gfs2_glock_remove_revoke(struct gfs2_glock *gl);

extern void gfs2_write_revokes(struct gfs2_sbd *sdp);

extern void gfs2_write_revokes(struct gfs2_sbd *sdp);





#endif /* __LOG_DOT_H__ */
 
#endif /* __LOG_DOT_H__ */

fs/gfs2/lops.c

+1 −4
Original line number Original line Diff line number Diff line
@@ -662,10 +662,7 @@ static void revoke_lo_after_commit(struct gfs2_sbd *sdp, struct gfs2_trans *tr) 
		bd = list_entry(head->next, struct gfs2_bufdata, bd_list);

		bd = list_entry(head->next, struct gfs2_bufdata, bd_list);

		list_del_init(&bd->bd_list);

		list_del_init(&bd->bd_list);

		gl = bd->bd_gl;

		gl = bd->bd_gl;

		if (atomic_dec_return(&gl->gl_revokes) == 0) {

		gfs2_glock_remove_revoke(gl);

			clear_bit(GLF_LFLUSH, &gl->gl_flags);

			gfs2_glock_queue_put(gl);

		}

		kmem_cache_free(gfs2_bufdata_cachep, bd);

		kmem_cache_free(gfs2_bufdata_cachep, bd);

	}

	}

}

}

fs/gfs2/trans.c

+2 −0
Original line number Original line Diff line number Diff line
@@ -266,6 +266,8 @@ void gfs2_trans_add_unrevoke(struct gfs2_sbd *sdp, u64 blkno, unsigned int len) 
			list_del_init(&bd->bd_list);

			list_del_init(&bd->bd_list);

			gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke);

			gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke);

			sdp->sd_log_num_revoke--;

			sdp->sd_log_num_revoke--;

			if (bd->bd_gl)

				gfs2_glock_remove_revoke(bd->bd_gl);

			kmem_cache_free(gfs2_bufdata_cachep, bd);

			kmem_cache_free(gfs2_bufdata_cachep, bd);

			tr->tr_num_revoke_rm++;

			tr->tr_num_revoke_rm++;

			if (--n == 0)

			if (--n == 0)