From: Bob Peterson
Date: Fri, 24 Apr 2020 17:17:33 +0000 (-0500)
Subject: gfs2: Fix use-after-free in gfs2_logd after withdraw
X-Git-Tag: v5.15~3898^2~10
X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=d22f69a08dcb0f469170cda1976d5938cb0e5dcf;p=platform%2Fkernel%2Flinux-starfive.git

gfs2: Fix use-after-free in gfs2_logd after withdraw

When the gfs2_logd daemon withdrew, the withdraw sequence called into make_fs_ro() to make the file system read-only. That caused the journal descriptors to be freed. However, those journal descriptors were used by gfs2_logd's call to gfs2_ail_flush_reqd(). This caused a use-after-free and NULL pointer dereference.

This patch changes function gfs2_logd() so that it stops all logd work until the thread is told to stop. Once a withdraw is done, it only does an interruptible sleep.

Signed-off-by: Bob Peterson
Signed-off-by: Andreas Gruenbacher
---
diff --git a/fs/gfs2/log.c b/fs/gfs2/log.c index 3a75843..cf0b80c 100644 --- a/fs/gfs2/log.c +++ b/fs/gfs2/log.c @@ -1131,6 +1131,10 @@ int gfs2_logd(void *data) while (!kthread_should_stop()) { + if (gfs2_withdrawn(sdp)) { + msleep_interruptible(HZ); + continue; + } /* Check for errors writing to the journal */ if (sdp->sd_log_error) { gfs2_lm(sdp, @@ -1139,6 +1143,7 @@ int gfs2_logd(void *data) "prevent further damage.\n", sdp->sd_fsname, sdp->sd_log_error); gfs2_withdraw(sdp); + continue; } did_flush = false;
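Review bot: The new `gfs2_withdrawn(sdp)` block at the top of the `while (!kthread_should_stop())` loop (first hunk, @@ -1131) has no comment saying why logd must stop touching the journal once withdrawn; the commit message explains that make_fs_ro() frees the journal descriptors that gfs2_ail_flush_reqd() later dereferences, and that reasoning belongs in the code so nobody reorders the check below the flush logic later. Suggest a short comment above the `if`, along the lines of `/* After a withdraw the journal descriptors are gone; do nothing until told to stop */`. Also note that `msleep_interruptible(HZ)` means a stop request is noticed with up to one second of latency; that is fine for a daemon in a withdrawn state, but worth stating in the comment so the value is not "tuned" without understanding it.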
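Review bot: The `continue` added after `gfs2_withdraw(sdp)` in the `sd_log_error` branch (second hunk, @@ -1143) only does what is intended if gfs2_withdraw() has already marked the superblock as withdrawn when it returns; the visible lines do not show that. If it has, the loop comes back to the top, hits the new `gfs2_withdrawn()` check and sleeps, which is the desired outcome. If it has not (for example a withdraw path that does not flip the withdrawn state before returning), the next iteration re-enters the `sd_log_error` branch, logs the same message and calls gfs2_withdraw() again with no sleep in between, so logd would spin rather than idle. Suggest confirming that gfs2_withdraw() sets the withdrawn flag synchronously, or making the error branch itself fall into the same `msleep_interruptible(HZ)` path instead of relying on the top-of-loop check.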