author: Bob Peterson <rpeterso@redhat.com> 2020-04-24 12:17:33 -0500
committer: Andreas Gruenbacher <agruenba@redhat.com> 2020-05-08 15:15:12 +0200
commit: d22f69a08dcb0f469170cda1976d5938cb0e5dcf (patch)
tree: 33275d568ea935b355f4c7c59ad4bf1c7a9887f6
parent: 53af80ce0eaeb0fc4ce4b565c30e3a16e8e05de0 (diff)
gfs2: Fix use-after-free in gfs2_logd after withdraw
When the gfs2_logd daemon withdrew, the withdraw sequence called into make_fs_ro() to make the file system read-only. That caused the journal descriptors to be freed. However, those journal descriptors were used by gfs2_logd's call to gfs2_ail_flush_reqd(). This caused a use-after-free and NULL pointer dereference.

This patch changes function gfs2_logd() so that it stops all logd work until the thread is told to stop. Once a withdraw is done, it only does an interruptible sleep.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
-rw-r--r-- fs/gfs2/log.c | 5
1 file changed, 5 insertions(+), 0 deletions(-)
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c
index 3a75843ae580..cf0b80c78c82 100644
--- a/fs/gfs2/log.c
+++ b/fs/gfs2/log.c
@@ -1131,6 +1131,10 @@ int gfs2_logd(void *data)
while (!kthread_should_stop()) {
+ if (gfs2_withdrawn(sdp)) {
+ msleep_interruptible(HZ);
+ continue;
+ }
/* Check for errors writing to the journal */
if (sdp->sd_log_error) {
gfs2_lm(sdp,
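Review bot: The new `if (gfs2_withdrawn(sdp))` block at the top of the `while (!kthread_should_stop())` loop only protects the journal descriptors from the start of an iteration; if a withdraw can be triggered from another context (the commit message names make_fs_ro() freeing the descriptors) after this check has passed but before the later call into gfs2_ail_flush_reqd(), that iteration still runs with freed descriptors, so please confirm that the withdraw path synchronizes with gfs2_logd or that a withdraw cannot be completed concurrently with this loop. The block also carries no comment, and a reader of log.c will not know why logd polls with `msleep_interruptible(HZ);` instead of blocking; suggest adding one line above the check, e.g. `/* After a withdraw the journal is gone; idle until asked to stop. */`. Finally, `msleep_interruptible()` returns early on a pending signal and the loop then re-tests `kthread_should_stop()`, which is the intended exit path, so the unchecked return value is fine here.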
@@ -1139,6 +1143,7 @@ int gfs2_logd(void *data)
"prevent further damage.\n",
sdp->sd_fsname, sdp->sd_log_error);
gfs2_withdraw(sdp);
+ continue;
}
did_flush = false;
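Review bot: The added `+ continue;` after `gfs2_withdraw(sdp);` correctly skips the rest of the iteration (including `did_flush = false;` and everything that follows it) once this thread has itself withdrawn, but it is only safe because the first hunk makes the loop head sleep when `gfs2_withdrawn(sdp)` is true; on its own it would turn the sd_log_error path into a busy loop. Since the two hunks depend on each other, a short comment next to this `continue;` pointing at the loop-head check (e.g. `/* journal descriptors are freed by withdraw; loop head will idle */`) would keep a later refactor from separating them.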