From mboxrd@z Thu Jan 1 00:00:00 1970 
From: Chao Yu
Subject: Re: f2fs: Possible use-after-free when umount filesystem
Date: Fri, 25 Jul 2014 11:22:20 +0800
Message-ID: <002a01cfa7b7$d79edc40$86dc94c0$@samsung.com>
References: <52F320FC.50803@ispras.ru> <534BC29B.3020408@ispras.ru>
 <53CCF1EC.30008@ispras.ru> <53CDC9AF.2050605@cn.fujitsu.com>
 <53CE3722.60307@ispras.ru> <000001cfa61b$c693b350$53bb19f0$@samsung.com>
 <53CF2E61.3000601@cn.fujitsu.com> <53D0DC8C.7050406@ispras.ru>
In-reply-to: <53D0DC8C.7050406@ispras.ru>
To: 'Andrey Tsyvarev', 'Gu Zheng'
Cc: 'Jaegeuk Kim', 'linux-kernel', 'Alexey Khoroshilov',
 linux-f2fs-devel@lists.sourceforge.net

Hi,

To Andrey:
Thanks for your test on this patch!

To Gu:
If you do not object, let me make and resend a patch based on the one which
skips invalidating pages.

Regards,
Yu

> -----Original Message-----
> From: Andrey Tsyvarev [mailto:tsyvarev@ispras.ru]
> Sent: Thursday, July 24, 2014 6:15 PM
> To: Gu Zheng; Chao Yu
> Cc: 'Jaegeuk Kim'; 'linux-kernel'; 'Alexey Khoroshilov';
> linux-f2fs-devel@lists.sourceforge.net
> Subject: Re: [f2fs-dev] f2fs: Possible use-after-free when umount filesystem
>
> Hi,
>
> With patch skipping invalidating pages for node_inode and meta_inode
> use-after-free error disappears too.
>
> 23.07.2014 7:39, Gu Zheng wrote:
> > Hi,
> > On 07/23/2014 10:12 AM, Chao Yu wrote:
> >
> >> Hi Andrey Gu,
> >>
> >>> -----Original Message-----
> >>> From: Andrey Tsyvarev [mailto:tsyvarev@ispras.ru]
> >>> Sent: Tuesday, July 22, 2014 6:04 PM
> >>> To: Gu Zheng
> >>> Cc: Jaegeuk Kim; linux-kernel; Alexey Khoroshilov; linux-f2fs-devel@lists.sourceforge.net
> >>> Subject: Re: [f2fs-dev] f2fs: Possible use-after-free when umount filesystem
> >>>
> >>> Hi Gu,
> >>>
> >>>>> Investigation shows, that f2fs_evict_inode, when called for 'meta_inode', uses
> >>>>> invalidate_mapping_pages() for 'node_inode'.
> >>>>> But 'node_inode' is deleted before 'meta_inode' in f2fs_put_super via iput().
> >>>>>
> >>>>> It seems that in common usage scenario this use-after-free is benign, because 'node_inode'
> >>>>> remains partially valid data even after kmem_cache_free().
> >>>>> But things may change if, while 'meta_inode' is evicted in one f2fs filesystem, another (mounted)
> >>>>> f2fs filesystem requests inode from cache, and formerly
> >>>>> 'node_inode' of the first filesystem is returned.
> >>>> The analysis seems reasonable. Have you tried to swap the reclaim order of node_inode
> >>>> and meta_inode?
> >>>>
> >>>> diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c > >>>> index 870fe19..e114418 100644 > >>>> --- a/fs/f2fs/super.c > >>>> +++ b/fs/f2fs/super.c
> >>>> @@ -430,8 +430,8 @@ static void f2fs_put_super(struct super_block *sb) > >>>> if (sbi->s_dirty && get_pages(sbi, F2FS_DIRTY_NODES)) > >>>> write_checkpoint(sbi, true); > >>>> > >>>> - iput(sbi->node_inode); > >>>> iput(sbi->meta_inode); > >>>> + iput(sbi->node_inode); > >>>> > >>>> /* destroy f2fs internal modules */ > >>>> destroy_node_manager(sbi);
> >>>>
> >>>> Thanks,
> >>>> Gu
> >>> With reclaim order of node_inode and meta_inode swapped, use-after-free
> >>> error disappears.
> >>>
> >>> But shouldn't initialization order of these inodes be swapped too?
> >>> As meta_inode uses node_inode, it seems logical that it should be
> >>> initialized after it.
> > The initialization order does not affect anything, so swapping the order does not
> > make more sense here.
> >
> >> IMO, it's not easy to exchange order of initialization between meta_inode and
> >> node_inode, because we should use meta_inode in get_valid_checkpoint for valid
> >> cp first for usual verification, then init node_inode.
> > Yeah, but I think just moving node_inode's initialization to the front of meta_inode
> > does not break anything.
> >
> >> As I checked, nids for both meta_inode and node_inode are reservation, so it's not
> >> necessary for us to invalidate pages which will never alloced.
> >>
> >> How about skipping it as following?
> > It seems the right way to fix this issue.
> >
> > To Andrey:
> > Could you please try this one?
> >
> > Thanks,
> > Gu
> >
> >> diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c > >> index 2cf6962..cafba3c 100644 > >> --- a/fs/f2fs/inode.c > >> +++ b/fs/f2fs/inode.c > >> @@ -273,7 +273,7 @@ void f2fs_evict_inode(struct inode *inode) > >> > >> if (inode->i_ino == F2FS_NODE_INO(sbi) || > >> inode->i_ino == F2FS_META_INO(sbi)) > >> - goto no_delete; > >> + goto out_clear; > >> > >> f2fs_bug_on(get_dirty_dents(inode)); > >> remove_dirty_dir_inode(inode);
> >> @@ -295,6 +295,7 @@ void f2fs_evict_inode(struct inode *inode) > >> > >> sb_end_intwrite(inode->i_sb); > >> no_delete: > >> - clear_inode(inode); > >> invalidate_mapping_pages(NODE_MAPPING(sbi), inode->i_ino, inode->i_ino); > >> +out_clear: > >> + clear_inode(inode); > >> }
> >>
> >>> --
> >>> Best regards,
> >>>
> >>> Andrey Tsyvarev
> >>> Linux Verification Center, ISPRAS
> >>> web:http://linuxtesting.org
>
> --
> Best regards,
>
> Andrey Tsyvarev
> Linux Verification Center, ISPRAS
> web:http://linuxtesting.org
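
Review bot: In the fs/f2fs/super.c hunk (f2fs_put_super), the order of the two iput() calls is now load-bearing, but nothing at the call site says so. Per the analysis quoted in this thread, evicting meta_inode reaches invalidate_mapping_pages() on node_inode's mapping, so meta_inode has to be released first; a short comment above `iput(sbi->meta_inode);` stating that dependency would keep a later cleanup from swapping the calls back. This hunk only covers f2fs_put_super(), so the changelog should also say whether any other teardown path releases the two inodes in the old order.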
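
Review bot: In the first fs/f2fs/inode.c hunk (@@ -273,7), `goto out_clear;` makes the node and meta inodes skip invalidate_mapping_pages() with no comment explaining why that is safe. The reasoning given in the thread is that both nids are reserved and have no node pages to invalidate; please put that in a comment above the `if (inode->i_ino == F2FS_NODE_INO(sbi) ||` check so the skip is not mistaken for an oversight.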
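
Review bot: In the second fs/f2fs/inode.c hunk (@@ -295,6), placing `out_clear:` after invalidate_mapping_pages() also moves clear_inode() behind the invalidation for every inode that falls through `no_delete:`, not only the node and meta inodes. If that reordering is intended, say so in the changelog; if it is not, keep clear_inode() first and guard the invalidate_mapping_pages() call with the ino check instead of adding a second label.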