gfs2: Fix use-after-free in gfs2_logd after withdraw
When the gfs2_logd daemon withdrew, the withdraw sequence called into make_fs_ro() to make the file system read-only. That caused the journal descriptors to be freed. However, those journal descriptors were used by gfs2_logd's call to gfs2_ail_flush_reqd(). This caused a use-after-free and NULL pointer dereference.

This patch changes function gfs2_logd() so that it stops all logd work until the thread is told to stop. Once a withdraw is done, it only does an interruptible sleep.

Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
parent
53af80ce0e
commit
d22f69a08d
|
@ -1131,6 +1131,10 @@ int gfs2_logd(void *data)
|
|||
|
||||
while (!kthread_should_stop()) {
|
||||
|
||||
if (gfs2_withdrawn(sdp)) {
|
||||
msleep_interruptible(HZ);
|
||||
continue;
|
||||
}
|
||||
/* Check for errors writing to the journal */
|
||||
if (sdp->sd_log_error) {
|
||||
gfs2_lm(sdp,
|
||||
|
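Review bot: The new gfs2_withdrawn(sdp) branch at the top of the while loop idles with msleep_interruptible(HZ), which can hold up thread shutdown: a kernel thread normally has no signal pending, so the sleep runs its full timeout before kthread_should_stop() is re-evaluated, and kthread_stop() may wait up to a second for logd to exit. If prompt teardown matters on the withdraw path, consider sleeping on a wait queue with kthread_should_stop() as the wake condition instead of polling. The branch also has no comment; a one-line note that the journal descriptors are gone after withdraw, so logd must not touch them and only waits to be stopped, would keep a later change from moving work above this check.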
@ -1139,6 +1143,7 @@ int gfs2_logd(void *data)
|
|||
"prevent further damage.\n",
|
||||
sdp->sd_fsname, sdp->sd_log_error);
|
||||
gfs2_withdraw(sdp);
|
||||
continue;
|
||||
}
|
||||
|
||||
did_flush = false;
|
||||
|
|
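Review bot: The continue after gfs2_withdraw(sdp) in the sd_log_error branch is only safe if gfs2_withdrawn(sdp) is true by the time the loop restarts. If gfs2_withdraw() can return without that state set while sd_log_error is still non-zero, the next iteration skips the sleep branch, re-enters this block, and repeats the gfs2_lm() message and the withdraw call in a tight loop with no delay. Please confirm that gfs2_withdraw() always leaves the filesystem marked withdrawn on return, and say so in a comment next to the continue so the dependency on the check at the top of the loop is explicit.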