[PATCH 5.4 18/80] gfs2: fix glock reference problem in gfs2_trans_remove_revoke

From: Greg Kroah-Hartman
Date: Thu Dec 19 2019 - 13:54:06 EST


From: Bob Peterson <rpeterso@xxxxxxxxxx>

commit fe5e7ba11fcf1d75af8173836309e8562aefedef upstream.

Commit 9287c6452d2b fixed a situation in which gfs2 could use a glock
after it had been freed. To do that, it temporarily added a new glock
reference by calling gfs2_glock_hold in function gfs2_add_revoke.
However, if the bd element was removed by gfs2_trans_remove_revoke, it
failed to drop the additional reference.

This patch adds logic to gfs2_trans_remove_revoke to properly drop the
additional glock reference.

Fixes: 9287c6452d2b ("gfs2: Fix occasional glock use-after-free")
Cc: stable@xxxxxxxxxxxxxxx # v5.2+
Signed-off-by: Bob Peterson <rpeterso@xxxxxxxxxx>
Signed-off-by: Andreas Gruenbacher <agruenba@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>

---
fs/gfs2/log.c | 8 ++++++++
fs/gfs2/log.h | 1 +
fs/gfs2/lops.c | 5 +----
fs/gfs2/trans.c | 2 ++
4 files changed, 12 insertions(+), 4 deletions(-)

--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -609,6 +609,14 @@ void gfs2_add_revoke(struct gfs2_sbd *sd
list_add(&bd->bd_list, &sdp->sd_log_revokes);
}

+void gfs2_glock_remove_revoke(struct gfs2_glock *gl)
+{
+ if (atomic_dec_return(&gl->gl_revokes) == 0) {
+ clear_bit(GLF_LFLUSH, &gl->gl_flags);
+ gfs2_glock_queue_put(gl);
+ }
+}
+
void gfs2_write_revokes(struct gfs2_sbd *sdp)
{
struct gfs2_trans *tr;
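Review bot: The new helper gfs2_glock_remove_revoke at the top of this hunk has no comment, and its counterpart gfs2_add_revoke now has a matching reference it must balance, so a reader of log.c cannot tell that the gfs2_glock_queue_put here releases the hold taken in gfs2_add_revoke rather than some other reference. I would add above the definition: `/* Undo one gfs2_add_revoke(): the last revoke for a glock clears GLF_LFLUSH and drops the reference gfs2_add_revoke took. */`. It would also help to note at the call sites in lops.c and trans.c that every bd placed on sd_log_revokes must reach this helper exactly once, since a missed call is the leaked-reference bug this patch fixes and a double call would be a use-after-free. The surrounding gfs2_write_revokes body continues past the end of the hunk.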
--- a/fs/gfs2/log.h
+++ b/fs/gfs2/log.h
@@ -77,6 +77,7 @@ extern void gfs2_ail1_flush(struct gfs2_
extern void gfs2_log_shutdown(struct gfs2_sbd *sdp);
extern int gfs2_logd(void *data);
extern void gfs2_add_revoke(struct gfs2_sbd *sdp, struct gfs2_bufdata *bd);
+extern void gfs2_glock_remove_revoke(struct gfs2_glock *gl);
extern void gfs2_write_revokes(struct gfs2_sbd *sdp);

#endif /* __LOG_DOT_H__ */
--- a/fs/gfs2/lops.c
+++ b/fs/gfs2/lops.c
@@ -882,10 +882,7 @@ static void revoke_lo_after_commit(struc
bd = list_entry(head->next, struct gfs2_bufdata, bd_list);
list_del_init(&bd->bd_list);
gl = bd->bd_gl;
- if (atomic_dec_return(&gl->gl_revokes) == 0) {
- clear_bit(GLF_LFLUSH, &gl->gl_flags);
- gfs2_glock_queue_put(gl);
- }
+ gfs2_glock_remove_revoke(gl);
kmem_cache_free(gfs2_bufdata_cachep, bd);
}
}
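Review bot: With the open-coded block replaced by one call, the local `gl` assigned on the previous line appears to exist only to feed `gfs2_glock_remove_revoke(gl)`; if it is not referenced elsewhere in revoke_lo_after_commit, the two lines could collapse to `gfs2_glock_remove_revoke(bd->bd_gl);` and the declaration removed. The enclosing function starts outside the hunk, so I cannot confirm `gl` has no other use here. Note also that this path dereferences bd->bd_gl unconditionally, whereas the new code in trans.c guards it with `if (bd->bd_gl)`; the two callers should agree on whether a NULL bd_gl is possible.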
--- a/fs/gfs2/trans.c
+++ b/fs/gfs2/trans.c
@@ -262,6 +262,8 @@ void gfs2_trans_remove_revoke(struct gfs
list_del_init(&bd->bd_list);
gfs2_assert_withdraw(sdp, sdp->sd_log_num_revoke);
sdp->sd_log_num_revoke--;
+ if (bd->bd_gl)
+ gfs2_glock_remove_revoke(bd->bd_gl);
kmem_cache_free(gfs2_bufdata_cachep, bd);
tr->tr_num_revoke--;
if (--n == 0)
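Review bot: The added `if (bd->bd_gl)` guard is inconsistent with revoke_lo_after_commit in lops.c, which dereferences bd->bd_gl without a NULL check for the same list of revoke entries; either bd_gl can legitimately be NULL for a revoke bd, in which case that path needs the same guard, or the check here is dead code that hides the invariant. If the guard is deliberate, it should carry its reason, e.g. `/* bd_gl is NULL for <case> — no glock reference was taken in gfs2_add_revoke */` with the case filled in. Placing the call before kmem_cache_free is correct, since bd_gl is read from bd. gfs2_trans_remove_revoke starts and ends outside this hunk, so I cannot see how bd is obtained.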