From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mga07.intel.com (mga07.intel.com [134.134.136.100]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ml01.01.org (Postfix) with ESMTPS id 7AAD421A143C3 for ; Sat, 10 Jun 2017 12:26:39 -0700 (PDT) From: "Williams, Dan J" Subject: [GIT PULL] libnvdimm fix for 4.12-rc5 Date: Sat, 10 Jun 2017 19:27:48 +0000 Message-ID: <1497122866.6031.11.camel@intel.com> Content-Language: en-US Content-ID: <85D4219C761AB54D9D4715CF86821EEA@intel.com> MIME-Version: 1.0 List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Errors-To: linux-nvdimm-bounces@lists.01.org Sender: "Linux-nvdimm" To: "torvalds@linux-foundation.org" Cc: "linux-kernel@vger.kernel.org" , "linux-nvdimm@lists.01.org" List-ID: Hi Linus, please pull from: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes ...to receive a fix for an oversight spotted by Sasha. We expanded the device-dax fs type in 4.12 to be a generic provider of a struct dax_device with an embedded inode. However, Sasha found some basic negative testing was not run to verify that this fs cleanly handles being mounted directly. Note that the fresh rebase was done to remove an unnecessary Cc: tag, but this commit otherwise had a build success notification from the 0day robot. --- The following changes since commit 3c2993b8c6143d8a5793746a54eba8f86f95240f: Linux 4.12-rc4 (2017-06-04 16:47:43 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes for you to fetch changes up to b9d39d17e4819ca2e69ad1f14acaad12240a1de5: device-dax: fix 'dax' device filesystem inode destruction crash (2017-06-09 08:50:49 -0700) ---------------------------------------------------------------- Dan Williams (1): device-dax: fix 'dax' device filesystem inode destruction crash drivers/dax/super.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) commit b9d39d17e4819ca2e69ad1f14acaad12240a1de5 Author: Dan Williams Date: Fri Jun 9 08:50:49 2017 -0700 device-dax: fix 'dax' device filesystem inode destruction crash The inode destruction path for the 'dax' device filesystem incorrectly assumes that the inode was initialized through 'alloc_dax()'. However, if someone attempts to directly mount the dax filesystem with 'mount -t dax dax mnt' that will bypass 'alloc_dax()' and the following failure signatures may occur as a result: kill_dax() must be called before final iput() WARNING: CPU: 2 PID: 1188 at drivers/dax/super.c:243 dax_destroy_inode+0x48/0x50 RIP: 0010:dax_destroy_inode+0x48/0x50 Call Trace: destroy_inode+0x3b/0x60 evict+0x139/0x1c0 iput+0x1f9/0x2d0 dentry_unlink_inode+0xc3/0x160 __dentry_kill+0xcf/0x180 ? dput+0x37/0x3b0 dput+0x3a3/0x3b0 do_one_tree+0x36/0x40 shrink_dcache_for_umount+0x2d/0x90 generic_shutdown_super+0x1f/0x120 kill_anon_super+0x12/0x20 deactivate_locked_super+0x43/0x70 deactivate_super+0x4e/0x60 general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC RIP: 0010:kfree+0x6d/0x290 Call Trace: dax_i_callback+0x22/0x60 ? dax_destroy_inode+0x50/0x50 rcu_process_callbacks+0x298/0x740 ida_remove called for id=0 which is not allocated. WARNING: CPU: 0 PID: 0 at lib/idr.c:383 ida_remove+0x110/0x120 [..] Call Trace: ida_simple_remove+0x2b/0x50 ? dax_destroy_inode+0x50/0x50 dax_i_callback+0x3c/0x60 rcu_process_callbacks+0x298/0x740 Add missing initialization of the 'struct dax_device' and inode so that the destruction path does not kfree() or ida_simple_remove() uninitialized data. Fixes: 7b6be8444e0f ("dax: refactor dax-fs into a generic provider of 'struct dax_device' instances") Reported-by: Sasha Levin Signed-off-by: Dan Williams --- drivers/dax/super.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/drivers/dax/super.c b/drivers/dax/super.c index 6ed32aac8bbe..922d0823f8ec 100644 --- a/drivers/dax/super.c +++ b/drivers/dax/super.c @@ -210,9 +210,12 @@ EXPORT_SYMBOL_GPL(kill_dax); static struct inode *dax_alloc_inode(struct super_block *sb) { struct dax_device *dax_dev; + struct inode *inode; dax_dev = kmem_cache_alloc(dax_cache, GFP_KERNEL); - return &dax_dev->inode; + inode = &dax_dev->inode; + inode->i_rdev = 0; + return inode; } static struct dax_device *to_dax_dev(struct inode *inode) @@ -227,7 +230,8 @@ static void dax_i_callback(struct rcu_head *head) kfree(dax_dev->host); dax_dev->host = NULL; - ida_simple_remove(&dax_minor_ida, MINOR(inode->i_rdev)); + if (inode->i_rdev) + ida_simple_remove(&dax_minor_ida, MINOR(inode->i_rdev)); kmem_cache_free(dax_cache, dax_dev); } @@ -423,6 +427,7 @@ static void init_once(void *_dax_dev) struct dax_device *dax_dev = _dax_dev; struct inode *inode = &dax_dev->inode; + memset(dax_dev, 0, sizeof(*dax_dev)); inode_init_once(inode); } _______________________________________________ Linux-nvdimm mailing list Linux-nvdimm@lists.01.org https://lists.01.org/mailman/listinfo/linux-nvdimm From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1751748AbdFJT1w convert rfc822-to-8bit (ORCPT ); Sat, 10 Jun 2017 15:27:52 -0400 Received: from mga04.intel.com ([192.55.52.120]:37843 "EHLO mga04.intel.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751726AbdFJT1v (ORCPT ); Sat, 10 Jun 2017 15:27:51 -0400 X-ExtLoop1: 1 X-IronPort-AV: E=Sophos;i="5.39,325,1493708400"; d="scan'208";a="113326081" From: "Williams, Dan J" To: "torvalds@linux-foundation.org" CC: "linux-kernel@vger.kernel.org" , "linux-nvdimm@lists.01.org" Subject: [GIT PULL] libnvdimm fix for 4.12-rc5 Thread-Topic: [GIT PULL] libnvdimm fix for 4.12-rc5 Thread-Index: AQHS4h+lq1ruVZ6IS0WUyQIToZ3tFA== Date: Sat, 10 Jun 2017 19:27:48 +0000 Message-ID: <1497122866.6031.11.camel@intel.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: x-originating-ip: [10.254.70.85] Content-Type: text/plain; charset="utf-7" Content-ID: <85D4219C761AB54D9D4715CF86821EEA@intel.com> Content-Transfer-Encoding: 8BIT MIME-Version: 1.0 Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Linus, please pull from: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes ...to receive a fix for an oversight spotted by Sasha. We expanded the device-dax fs type in 4.12 to be a generic provider of a struct dax+AF8-device with an embedded inode. However, Sasha found some basic negative testing was not run to verify that this fs cleanly handles being mounted directly. Note that the fresh rebase was done to remove an unnecessary Cc: +ADw-stable+AD4- tag, but this commit otherwise had a build success notification from the 0day robot. --- The following changes since commit 3c2993b8c6143d8a5793746a54eba8f86f95240f: Linux 4.12-rc4 (2017-06-04 16:47:43 -0700) are available in the git repository at: git://git.kernel.org/pub/scm/linux/kernel/git/nvdimm/nvdimm libnvdimm-fixes for you to fetch changes up to b9d39d17e4819ca2e69ad1f14acaad12240a1de5: device-dax: fix 'dax' device filesystem inode destruction crash (2017-06-09 08:50:49 -0700) ---------------------------------------------------------------- Dan Williams (1): device-dax: fix 'dax' device filesystem inode destruction crash drivers/dax/super.c +AHw- 9 +-+-+-+-+-+-+--- 1 file changed, 7 insertions(+-), 2 deletions(-) commit b9d39d17e4819ca2e69ad1f14acaad12240a1de5 Author: Dan Williams +ADw-dan.j.williams+AEA-intel.com+AD4- Date: Fri Jun 9 08:50:49 2017 -0700 device-dax: fix 'dax' device filesystem inode destruction crash The inode destruction path for the 'dax' device filesystem incorrectly assumes that the inode was initialized through 'alloc+AF8-dax()'. However, if someone attempts to directly mount the dax filesystem with 'mount -t dax dax mnt' that will bypass 'alloc+AF8-dax()' and the following failure signatures may occur as a result: kill+AF8-dax() must be called before final iput() WARNING: CPU: 2 PID: 1188 at drivers/dax/super.c:243 dax+AF8-destroy+AF8-inode+-0x48/0x50 RIP: 0010:dax+AF8-destroy+AF8-inode+-0x48/0x50 Call Trace: destroy+AF8-inode+-0x3b/0x60 evict+-0x139/0x1c0 iput+-0x1f9/0x2d0 dentry+AF8-unlink+AF8-inode+-0xc3/0x160 +AF8AXw-dentry+AF8-kill+-0xcf/0x180 ? dput+-0x37/0x3b0 dput+-0x3a3/0x3b0 do+AF8-one+AF8-tree+-0x36/0x40 shrink+AF8-dcache+AF8-for+AF8-umount+-0x2d/0x90 generic+AF8-shutdown+AF8-super+-0x1f/0x120 kill+AF8-anon+AF8-super+-0x12/0x20 deactivate+AF8-locked+AF8-super+-0x43/0x70 deactivate+AF8-super+-0x4e/0x60 general protection fault: 0000 +AFsAIw-1+AF0- SMP DEBUG+AF8-PAGEALLOC RIP: 0010:kfree+-0x6d/0x290 Call Trace: +ADw-IRQ+AD4- dax+AF8-i+AF8-callback+-0x22/0x60 ? dax+AF8-destroy+AF8-inode+-0x50/0x50 rcu+AF8-process+AF8-callbacks+-0x298/0x740 ida+AF8-remove called for id+AD0-0 which is not allocated. WARNING: CPU: 0 PID: 0 at lib/idr.c:383 ida+AF8-remove+-0x110/0x120 +AFs-..+AF0- Call Trace: +ADw-IRQ+AD4- ida+AF8-simple+AF8-remove+-0x2b/0x50 ? dax+AF8-destroy+AF8-inode+-0x50/0x50 dax+AF8-i+AF8-callback+-0x3c/0x60 rcu+AF8-process+AF8-callbacks+-0x298/0x740 Add missing initialization of the 'struct dax+AF8-device' and inode so that the destruction path does not kfree() or ida+AF8-simple+AF8-remove() uninitialized data. Fixes: 7b6be8444e0f (+ACI-dax: refactor dax-fs into a generic provider of 'struct dax+AF8-device' instances+ACI-) Reported-by: Sasha Levin +ADw-alexander.levin+AEA-verizon.com+AD4- Signed-off-by: Dan Williams +ADw-dan.j.williams+AEA-intel.com+AD4- --- drivers/dax/super.c +AHw- 9 +-+-+-+-+-+-+--- 1 file changed, 7 insertions(+-), 2 deletions(-) diff --git a/drivers/dax/super.c b/drivers/dax/super.c index 6ed32aac8bbe..922d0823f8ec 100644 --- a/drivers/dax/super.c +-+-+- b/drivers/dax/super.c +AEAAQA- -210,9 +-210,12 +AEAAQA- EXPORT+AF8-SYMBOL+AF8-GPL(kill+AF8-dax)+ADs- static struct inode +ACo-dax+AF8-alloc+AF8-inode(struct super+AF8-block +ACo-sb) +AHs- struct dax+AF8-device +ACo-dax+AF8-dev+ADs- +- struct inode +ACo-inode+ADs- dax+AF8-dev +AD0- kmem+AF8-cache+AF8-alloc(dax+AF8-cache, GFP+AF8-KERNEL)+ADs- - return +ACY-dax+AF8-dev-+AD4-inode+ADs- +- inode +AD0- +ACY-dax+AF8-dev-+AD4-inode+ADs- +- inode-+AD4-i+AF8-rdev +AD0- 0+ADs- +- return inode+ADs- +AH0- static struct dax+AF8-device +ACo-to+AF8-dax+AF8-dev(struct inode +ACo-inode) +AEAAQA- -227,7 +-230,8 +AEAAQA- static void dax+AF8-i+AF8-callback(struct rcu+AF8-head +ACo-head) kfree(dax+AF8-dev-+AD4-host)+ADs- dax+AF8-dev-+AD4-host +AD0- NULL+ADs- - ida+AF8-simple+AF8-remove(+ACY-dax+AF8-minor+AF8-ida, MINOR(inode-+AD4-i+AF8-rdev))+ADs- +- if (inode-+AD4-i+AF8-rdev) +- ida+AF8-simple+AF8-remove(+ACY-dax+AF8-minor+AF8-ida, MINOR(inode-+AD4-i+AF8-rdev))+ADs- kmem+AF8-cache+AF8-free(dax+AF8-cache, dax+AF8-dev)+ADs- +AH0- +AEAAQA- -423,6 +-427,7 +AEAAQA- static void init+AF8-once(void +ACoAXw-dax+AF8-dev) struct dax+AF8-device +ACo-dax+AF8-dev +AD0- +AF8-dax+AF8-dev+ADs- struct inode +ACo-inode +AD0- +ACY-dax+AF8-dev-+AD4-inode+ADs- +- memset(dax+AF8-dev, 0, sizeof(+ACo-dax+AF8-dev))+ADs- inode+AF8-init+AF8-once(inode)+ADs- +AH0-