diff options
author | Andreas Gruenbacher <agruenba@redhat.com> | 2024-03-11 17:51:59 +0300 |
---|---|---|
committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2024-07-05 10:38:00 +0300 |
commit | f54f9d5368a4e92ede7dd078a62788dae3a7c6ef (patch) | |
tree | 766277fdac5c86c9cfddeb0ad12607c9d71f4e07 | |
parent | c0d3009668ab23ada0f3716b1db9a741eb11c25e (diff) | |
download | linux-f54f9d5368a4e92ede7dd078a62788dae3a7c6ef.tar.xz |
gfs2: Fix NULL pointer dereference in gfs2_log_flush
[ Upstream commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828 ]
In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
lock to provide exclusion against gfs2_log_flush().
In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
dereferencing it. Otherwise, we could run into a NULL pointer
dereference when outstanding glock work races with an unmount
(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
gfs2_log_flush).
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r-- | fs/gfs2/log.c | 3 | ||||
-rw-r--r-- | fs/gfs2/super.c | 4 |
2 files changed, 6 insertions, 1 deletions
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c index 8cddf955ebc0..a6dd68b458ce 100644 --- a/fs/gfs2/log.c +++ b/fs/gfs2/log.c @@ -1108,7 +1108,8 @@ repeat: lops_before_commit(sdp, tr); if (gfs2_withdrawing_or_withdrawn(sdp)) goto out_withdraw; - gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); + if (sdp->sd_jdesc) + gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE); if (gfs2_withdrawing_or_withdrawn(sdp)) goto out_withdraw; diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c index 2d780b4701a2..ee61fcb7f200 100644 --- a/fs/gfs2/super.c +++ b/fs/gfs2/super.c @@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *sdp) sdp->sd_journals = 0; spin_unlock(&sdp->sd_jindex_spin); + down_write(&sdp->sd_log_flush_lock); sdp->sd_jdesc = NULL; + up_write(&sdp->sd_log_flush_lock); + while (!list_empty(&list)) { jd = list_first_entry(&list, struct gfs2_jdesc, jd_list); + BUG_ON(jd->jd_log_bio); gfs2_free_journal_extents(jd); list_del(&jd->jd_list); iput(jd->jd_inode); |