APPLIED: [SRU][Trusty][CVE-2017-18204][PATCH] ocfs2: should wait dio before inode lock in ocfs2_setattr()
Stefan Bader
stefan.bader at canonical.com
Fri Apr 20 12:01:34 UTC 2018
On 19.04.2018 18:32, Kleber Sacilotto de Souza wrote:
> From: alex chen <alex.chen at huawei.com>
>
> CVE-2017-18204
>
> we should wait dio requests to finish before inode lock in
> ocfs2_setattr(), otherwise the following deadlock will happen:
>
> process 1                process 2                      process 3
> truncate file 'A'        end_io of writing file 'A'     receiving the bast messages
> ocfs2_setattr
> ocfs2_inode_lock_tracker
> ocfs2_inode_lock_full
> inode_dio_wait
> __inode_dio_wait
> -->waiting for all dio
> requests finish
>                                                         dlm_proxy_ast_handler
>                                                         dlm_do_local_bast
>                                                         ocfs2_blocking_ast
>                                                         ocfs2_generic_handle_bast
>                                                         set OCFS2_LOCK_BLOCKED flag
>                          dio_end_io
>                          dio_bio_end_aio
>                          dio_complete
>                          ocfs2_dio_end_io
>                          ocfs2_dio_end_io_write
>                          ocfs2_inode_lock
>                          __ocfs2_cluster_lock
>                          ocfs2_wait_for_mask
>                          -->waiting for OCFS2_LOCK_BLOCKED
>                          flag to be cleared, that is waiting
>                          for 'process 1' unlocking the inode lock
>                          inode_dio_end
>                          -->here dec the i_dio_count, but will never
>                          be called, so a deadlock happened.
>
> Link: http://lkml.kernel.org/r/59F81636.70508@huawei.com
> Signed-off-by: Alex Chen <alex.chen at huawei.com>
> Reviewed-by: Jun Piao <piaojun at huawei.com>
> Reviewed-by: Joseph Qi <jiangqi903 at gmail.com>
> Acked-by: Changwei Ge <ge.changwei at h3c.com>
> Cc: Mark Fasheh <mfasheh at versity.com>
> Cc: Joel Becker <jlbec at evilplan.org>
> Cc: Junxiao Bi <junxiao.bi at oracle.com>
> Cc: <stable at vger.kernel.org>
> Signed-off-by: Andrew Morton <akpm at linux-foundation.org>
> Signed-off-by: Linus Torvalds <torvalds at linux-foundation.org>
> (backported from commit 28f5a8a7c033cbf3e32277f4cc9c6afd74f05300)
> [ klebers: adjusted for context. ]
> Signed-off-by: Kleber Sacilotto de Souza <kleber.souza at canonical.com>
> ---
Applied to trusty/master-next
> fs/ocfs2/file.c | 9 +++++++--
> 1 file changed, 7 insertions(+), 2 deletions(-)
>
> diff --git a/fs/ocfs2/file.c b/fs/ocfs2/file.c
> index 7f4733187958..79e2fbd1db23 100644
> --- a/fs/ocfs2/file.c
> +++ b/fs/ocfs2/file.c
> @@ -1131,6 +1131,13 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
> dquot_initialize(inode);
> size_change = S_ISREG(inode->i_mode) && attr->ia_valid & ATTR_SIZE;
> if (size_change) {
> + /*
> + * Here we should wait dio to finish before inode lock
> + * to avoid a deadlock between ocfs2_setattr() and
> + * ocfs2_dio_end_io_write()
> + */
> + inode_dio_wait(inode);
> +
> status = ocfs2_rw_lock(inode, 1);
> if (status < 0) {
> mlog_errno(status);
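Review bot: inode_dio_wait(inode) now returns before ocfs2_rw_lock(inode, 1) is taken, and nothing in this hunk shows what prevents a new direct I/O request from being submitted in the window between the two calls. The added comment explains why the wait must precede the inode lock, but it should also state which lock already held by the caller keeps i_dio_count from rising again before the rw lock is acquired, so the ordering can be verified from this function alone. Since the patch is marked as a backport "adjusted for context", it is also worth confirming that ocfs2_dio_end_io_write(), which the comment names as the other side of the deadlock, is the function that exists under that name in the Trusty tree.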
> @@ -1150,8 +1157,6 @@ int ocfs2_setattr(struct dentry *dentry, struct iattr *attr)
> if (status)
> goto bail_unlock;
>
> - inode_dio_wait(inode);
> -
> if (i_size_read(inode) > attr->ia_size) {
> if (ocfs2_should_order_data(inode)) {
> status = ocfs2_begin_ordered_truncate(inode,
>
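Review bot: with inode_dio_wait(inode) removed from this spot, the truncate path that follows (the i_size_read(inode) > attr->ia_size branch and ocfs2_begin_ordered_truncate()) relies entirely on the wait done before ocfs2_rw_lock() in the earlier hunk, and nothing here records that dependency. A one-line comment at the removed position saying that outstanding dio was already drained before the locks were taken would stop a later change from reintroducing the wait under the inode lock. Note also that the wait now runs before the "if (status) goto bail_unlock" check, so it is paid even when that check fails; that looks acceptable but could be mentioned in the commit message.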