From: Suraj Jitindar Singh
Subject: [PATCH 2/3] ext4: fix potential race between s_group_info online resizing and access
Date: Tue, 18 Feb 2020 19:08:50 -0800
Message-ID: <20200219030851.2678-3-surajjs@amazon.com>
In-Reply-To: <20200219030851.2678-1-surajjs@amazon.com>
References: <20200219030851.2678-1-surajjs@amazon.com>
X-Mailing-List: linux-ext4@vger.kernel.org

During an online resize an array of pointers to s_group_info gets replaced so it can get enlarged. If there is a concurrent access to the array in ext4_get_group_info() and this memory has been reused then this can lead to an invalid memory access.

Link: https://bugzilla.kernel.org/show_bug.cgi?id=206443
Signed-off-by: Suraj Jitindar Singh
Cc: stable@vger.kernel.org
--- fs/ext4/ext4.h | 6 +++--- fs/ext4/mballoc.c | 10 ++++++---- 2 files changed, 9 insertions(+), 7 deletions(-) diff --git a/fs/ext4/ext4.h b/fs/ext4/ext4.h index 236fc6500340..3f4aaaae7da6 100644 --- a/fs/ext4/ext4.h +++ b/fs/ext4/ext4.h 
@@ -2994,13 +2994,13 @@ static inline struct ext4_group_info *ext4_get_group_info(struct super_block *sb, ext4_group_t group) { - struct ext4_group_info ***grp_info; + struct ext4_group_info **grp_info; long indexv, indexh; BUG_ON(group >= EXT4_SB(sb)->s_groups_count); - grp_info = EXT4_SB(sb)->s_group_info; indexv = group >> (EXT4_DESC_PER_BLOCK_BITS(sb)); indexh = group & ((EXT4_DESC_PER_BLOCK(sb)) - 1); - return grp_info[indexv][indexh]; + grp_info = sbi_array_rcu_deref(EXT4_SB(sb), s_group_info, indexv); + return grp_info[indexh]; } /* diff --git a/fs/ext4/mballoc.c b/fs/ext4/mballoc.c index f64838187559..0d9b17afc85f 100644 --- a/fs/ext4/mballoc.c +++ b/fs/ext4/mballoc.c @@ -2356,7 +2356,7 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups) { struct ext4_sb_info *sbi = EXT4_SB(sb); unsigned size; - struct ext4_group_info ***new_groupinfo; + struct ext4_group_info ***old_groupinfo, ***new_groupinfo; size = (ngroups + EXT4_DESC_PER_BLOCK(sb) - 1) >> EXT4_DESC_PER_BLOCK_BITS(sb); @@ -2369,13 +2369,15 @@ int ext4_mb_alloc_groupinfo(struct super_block *sb, ext4_group_t ngroups) ext4_msg(sb, KERN_ERR, "can't allocate buddy meta group"); return -ENOMEM; } - if (sbi->s_group_info) { + old_groupinfo = sbi->s_group_info; + if (sbi->s_group_info) memcpy(new_groupinfo, sbi->s_group_info, sbi->s_group_info_size * sizeof(*sbi->s_group_info)); - kvfree(sbi->s_group_info); - } sbi->s_group_info = new_groupinfo; + rcu_assign_pointer(sbi->s_group_info, new_groupinfo); sbi->s_group_info_size = size / sizeof(*sbi->s_group_info); + if (old_groupinfo) + ext4_kvfree_array_rcu(old_groupinfo); ext4_debug("allocated s_groupinfo array for %d meta_bg's\n", sbi->s_group_info_size); return 0; -- 2.17.1
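Review bot: in the fs/ext4/ext4.h hunk (ext4_get_group_info()), the lifetime rule for the pointer returned by sbi_array_rcu_deref() is undocumented, and grp_info[indexh] is read after the helper has returned. The helper is not defined in this patch, so a reader of this function cannot tell whether it enters an RCU read-side critical section itself or expects the caller to hold rcu_read_lock(). The lookup is only safe if the second-level arrays survive a resize, which the memcpy() of the old pointers in ext4_mb_alloc_groupinfo() suggests they do. Please add a short comment above the function stating both points: who holds the read lock, and that only the top-level array is replaced and freed on resize.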
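Review bot: in the first fs/ext4/mballoc.c hunk (@@ -2356), old_groupinfo is declared as a plain struct ext4_group_info ***, and nothing in this patch marks sbi->s_group_info as RCU-managed. The ext4.h changes are confined to ext4_get_group_info(), so unless the field declaration was already annotated elsewhere in the series, sparse will not flag the remaining direct reads and writes of s_group_info. Consider adding the __rcu annotation to the field in struct ext4_sb_info as part of this patch so that unconverted accessors show up in a sparse run.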
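Review bot: in the second fs/ext4/mballoc.c hunk (@@ -2369), the plain store "sbi->s_group_info = new_groupinfo;" is left in place as a context line directly above the added rcu_assign_pointer(sbi->s_group_info, new_groupinfo). The pointer is therefore published by the unordered store first, and the rcu_assign_pointer() that follows no longer provides the ordering it is there for; a concurrent reader can observe the new array before the memcpy() into it is guaranteed visible. Drop the plain assignment so rcu_assign_pointer() is the only publication. Two smaller points in the same hunk: the "if (sbi->s_group_info)" test and the memcpy() still read the field directly although old_groupinfo was just loaded from it, so using old_groupinfo there would be clearer; and s_group_info_size is updated after the new array is published, so it is worth stating in a comment that resize is serialized and that readers do not bounds-check against s_group_info_size.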