gfs2: Fix NULL pointer dereference in gfs2_log_flush

PlaidCat · PlaidCat · commit 066164b440dc · 2024-12-11T18:06:06.000-05:00
jira LE-2157 cve CVE-2024-42079 Rebuild_History Non-Buildable kernel-5.14.0-503.14.1.el9_5 commit-author Andreas Gruenbacher <agruenba@redhat.com> commit 3526490 Empty-Commit: Cherry-Pick Conflicts during history rebuild. Will be included in final tarball splat. Ref for failed cherry-pick at: ciq/ciq_backports/kernel-5.14.0-503.14.1.el9_5/35264909.failed In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush lock to provide exclusion against gfs2_log_flush(). In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before dereferencing it. Otherwise, we could run into a NULL pointer dereference when outstanding glock work races with an unmount (glock_work_func -> run_queue -> do_xmote -> inode_go_sync -> gfs2_log_flush). Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com> (cherry picked from commit 3526490) Signed-off-by: Jonathan Maple <jmaple@ciq.com> # Conflicts: # fs/gfs2/log.c
diff --git a/ciq/ciq_backports/kernel-5.14.0-503.14.1.el9_5/35264909.failed b/ciq/ciq_backports/kernel-5.14.0-503.14.1.el9_5/35264909.failed
@@ -0,0 +1,71 @@
+gfs2: Fix NULL pointer dereference in gfs2_log_flush
+
+jira LE-2157
+cve CVE-2024-42079
+Rebuild_History Non-Buildable kernel-5.14.0-503.14.1.el9_5
+commit-author Andreas Gruenbacher <agruenba@redhat.com>
+commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828
+Empty-Commit: Cherry-Pick Conflicts during history rebuild.
+Will be included in final tarball splat. Ref for failed cherry-pick at:
+ciq/ciq_backports/kernel-5.14.0-503.14.1.el9_5/35264909.failed
+
+In gfs2_jindex_free(), set sdp->sd_jdesc to NULL under the log flush
+lock to provide exclusion against gfs2_log_flush().
+
+In gfs2_log_flush(), check if sdp->sd_jdesc is non-NULL before
+dereferencing it.  Otherwise, we could run into a NULL pointer
+dereference when outstanding glock work races with an unmount
+(glock_work_func -> run_queue -> do_xmote -> inode_go_sync ->
+gfs2_log_flush).
+
+	Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
+(cherry picked from commit 35264909e9d1973ab9aaa2a1b07cda70f12bb828)
+	Signed-off-by: Jonathan Maple <jmaple@ciq.com>
+
+# Conflicts:
+#	fs/gfs2/log.c
+diff --cc fs/gfs2/log.c
+index fd86c9f54bf4,a6dd68b458ce..000000000000
+--- a/fs/gfs2/log.c
++++ b/fs/gfs2/log.c
+@@@ -1097,13 -1103,14 +1097,19 @@@ repeat
+  			goto out_withdraw;
+  
+  	gfs2_ordered_write(sdp);
+ -	if (gfs2_withdrawing_or_withdrawn(sdp))
+ +	if (gfs2_withdrawn(sdp))
+  		goto out_withdraw;
+  	lops_before_commit(sdp, tr);
+ -	if (gfs2_withdrawing_or_withdrawn(sdp))
+ +	if (gfs2_withdrawn(sdp))
+  		goto out_withdraw;
+++<<<<<<< HEAD
+ +	gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
+ +	if (gfs2_withdrawn(sdp))
+++=======
++ 	if (sdp->sd_jdesc)
++ 		gfs2_log_submit_bio(&sdp->sd_jdesc->jd_log_bio, REQ_OP_WRITE);
++ 	if (gfs2_withdrawing_or_withdrawn(sdp))
+++>>>>>>> 35264909e9d1 (gfs2: Fix NULL pointer dereference in gfs2_log_flush)
+  		goto out_withdraw;
+  
+  	if (sdp->sd_log_head != sdp->sd_log_flush_head) {
+* Unmerged path fs/gfs2/log.c
+diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
+index e7843110531e..1b16abc441c2 100644
+--- a/fs/gfs2/super.c
++++ b/fs/gfs2/super.c
+@@ -67,9 +67,13 @@ void gfs2_jindex_free(struct gfs2_sbd *sdp)
+ 	sdp->sd_journals = 0;
+ 	spin_unlock(&sdp->sd_jindex_spin);
+ 
++	down_write(&sdp->sd_log_flush_lock);
+ 	sdp->sd_jdesc = NULL;
++	up_write(&sdp->sd_log_flush_lock);
++
+ 	while (!list_empty(&list)) {
+ 		jd = list_first_entry(&list, struct gfs2_jdesc, jd_list);
++		BUG_ON(jd->jd_log_bio);
+ 		gfs2_free_journal_extents(jd);
+ 		list_del(&jd->jd_list);
+ 		iput(jd->jd_inode);
