This is a note to let you know that I've just added the patch titled
dm thin: fix use-after-free in metadata_pre_commit_callback
to the 5.5-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
dm-thin-fix-use-after-free-in-metadata_pre_commit_callback.patch
and it can be found in the queue-5.5 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From a4a8d286586d4b28c8517a51db8d86954aadc74b Mon Sep 17 00:00:00 2001
From: Mike Snitzer <snitzer@xxxxxxxxxx>
Date: Mon, 13 Jan 2020 12:29:04 -0500
Subject: dm thin: fix use-after-free in metadata_pre_commit_callback
From: Mike Snitzer <snitzer@xxxxxxxxxx>
commit a4a8d286586d4b28c8517a51db8d86954aadc74b upstream.
dm-thin uses struct pool to hold the state of the pool. There may be
multiple pool_c's pointing to a given pool, each pool_c represents a
loaded target. pool_c's may be created and destroyed arbitrarily and the
pool contains a reference count of pool_c's pointing to it.
Since commit 694cfe7f31db3 ("dm thin: Flush data device before
committing metadata") a pointer to pool_c is passed to
dm_pool_register_pre_commit_callback and this function stores it in
pmd->pre_commit_context. If this pool_c is freed, but pool is not
(because there is another pool_c referencing it), we end up in a
situation where pmd->pre_commit_context structure points to freed
pool_c. It causes a crash in metadata_pre_commit_callback.
Fix this by moving the dm_pool_register_pre_commit_callback() from
pool_ctr() to pool_preresume(). This way the in-core thin-pool metadata
is only ever armed with callback data whose lifetime matches the
active thin-pool target.
In should be noted that this fix preserves the ability to load a
thin-pool table that uses a different data block device (that contains
the same data) -- though it is unclear if that capability is still
useful and/or needed.
Fixes: 694cfe7f31db3 ("dm thin: Flush data device before committing metadata")
Cc: stable@xxxxxxxxxxxxxxx
Reported-by: Zdenek Kabelac <zkabelac@xxxxxxxxxx>
Reported-by: Mikulas Patocka <mpatocka@xxxxxxxxxx>
Signed-off-by: Mike Snitzer <snitzer@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
drivers/md/dm-thin.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- a/drivers/md/dm-thin.c
+++ b/drivers/md/dm-thin.c
@@ -3408,10 +3408,6 @@ static int pool_ctr(struct dm_target *ti
if (r)
goto out_flags_changed;
- dm_pool_register_pre_commit_callback(pt->pool->pmd,
- metadata_pre_commit_callback,
- pt);
-
pt->callbacks.congested_fn = pool_is_congested;
dm_table_add_target_callbacks(ti->table, &pt->callbacks);
@@ -3574,6 +3570,9 @@ static int pool_preresume(struct dm_targ
if (r)
return r;
+ dm_pool_register_pre_commit_callback(pool->pmd,
+ metadata_pre_commit_callback, pt);
+
r = maybe_resize_data_dev(ti, &need_commit1);
if (r)
return r;
Patches currently in stable-queue which might be from snitzer@xxxxxxxxxx are
queue-5.5/dm-crypt-fix-benbi-iv-constructor-crash-if-used-in-authenticated-mode.patch
queue-5.5/dm-fix-potential-for-q-make_request_fn-null-pointer.patch
queue-5.5/dm-crypt-fix-gfp-flags-passed-to-skcipher_request_alloc.patch
queue-5.5/dm-writecache-fix-incorrect-flush-sequence-when-doing-ssd-mode-commit.patch
queue-5.5/dm-thin-metadata-use-pool-locking-at-end-of-dm_pool_metadata_close.patch
queue-5.5/dm-thin-fix-use-after-free-in-metadata_pre_commit_callback.patch
queue-5.5/dm-zoned-support-zone-sizes-smaller-than-128mib.patch
queue-5.5/dm-space-map-common-fix-to-ensure-new-block-isn-t-already-in-use.patch
