From: Raghavendra D Prabhu <raghu.prabhu13@gmail.com>
To: Jesper Juhl <jj@chaosbits.net>
Cc: Alex Elder <elder@kernel.org>,
	linux-kernel@vger.kernel.org, xfs@oss.sgi.com,
	xfs-masters@oss.sgi.com, Ben Myers <bpm@sgi.com>
Subject: Re:  Re: [PATCH][RFC] XFS: Fix mem leak and possible NULL deref in xfs_setattr_nonsize()
Date: Wed, 8 Feb 2012 04:11:54 +0530	[thread overview]
Message-ID: <20120207224154.GB4312@Xye> (raw)
In-Reply-To: <alpine.LNX.2.00.1202062145240.20117@swampdragon.chaosbits.net>

Hi,

* On Mon, Feb 06, 2012 at 09:51:54PM +0100, Jesper Juhl <jj@chaosbits.net> wrote:
>On Mon, 6 Feb 2012, Raghavendra D Prabhu wrote:
>
>> Hi,
>>
>>
>> * On Sun, Feb 05, 2012 at 10:23:44PM +0100, Jesper Juhl <jj@chaosbits.net>
>> wrote:
>> > In xfs_setattr_nonsize(), xfs_trans_alloc() gets its memory from
>> > _xfs_trans_alloc() which gets it from kmem_zone_zalloc() which may
>> > fail and return NULL. So this:
>> >
>> > 	tp = xfs_trans_alloc(mp, XFS_TRANS_SETATTR_NOT_SIZE);
>> >
>> > may result in a NULL 'tp'.
>> > If it does, then the call:
>> >
>> > 	error = xfs_trans_reserve(tp, 0, XFS_ICHANGE_LOG_RES(mp), 0, 0, 0);
>> >
>> > with a NULL 'tp' will explode, since xfs_trans_reserve() dereferences
>> > its first argument unconditionally.
>> >
>> > And if the memory allocation for 'tp' goes well (and thus
>> > xfs_trans_reserve() does not explode) then we may leak the memory
>> > allocated to 'tp' if xfs_trans_reserve() returns error.
>> >
>> > I believe this patch should fix both issues, but I'm not intimate with
>> > the XFS code at all, so there can easily be something I overlooked or
>> > something that should be done differently than what I did.
>> >
>> > Signed-off-by: Jesper Juhl <jj@chaosbits.net>
>> > ---
>> > fs/xfs/xfs_iops.c |    7 ++++++-
>> > 1 files changed, 6 insertions(+), 1 deletions(-)
>> >
>> > Note:
>> >  Please review carefully before applying.
>> >  Especially since I don't currently have any XFS filesystems to test
>> >  this on, nor any clear idea of a good way to actually test this if I
>> >  had. So this patch is compile tested only on my end.
>> >
>> > diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
>> > index ab30253..194c9d7 100644
>> > --- a/fs/xfs/xfs_iops.c
>> > +++ b/fs/xfs/xfs_iops.c
>> > @@ -575,9 +575,14 @@ xfs_setattr_nonsize(
>> > 	}
>> >
>> > 	tp = xfs_trans_alloc(mp, XFS_TRANS_SETATTR_NOT_SIZE);
>> > +	if (!tp)
>> > +		goto out_dqrele;
>> > +
>> > 	error = xfs_trans_reserve(tp, 0, XFS_ICHANGE_LOG_RES(mp), 0, 0, 0);
>> > -	if (error)
>> > +	if (error) {
>> > +		xfs_trans_cancel(tp, 0);
>> > 		goto out_dqrele;
>> > +	}
>> >
>> > 	xfs_ilock(ip, XFS_ILOCK_EXCL);
>> >
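Review bot: the new `if (!tp) goto out_dqrele;` jumps to a label that returns `error` without assigning it first, so a NULL `tp` would make xfs_setattr_nonsize() return whatever `error` held before the allocation (possibly 0, meaning success) and the caller would never learn that the attribute change failed; set an ENOMEM error before the goto. Since xfs_trans_alloc() allocates with KM_SLEEP and does not return NULL, as the reply below explains, the check is dead code in this caller; the xfs_trans_cancel() on the xfs_trans_reserve() failure path is the part of the hunk that fixes a real leak.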
>> > --
>> > 1.7.9
>> >
>> >
>> > Please CC me on replies.
>> >
>[...]
>>
>> The first one won't be triggered because kmem_zone_alloc (the last one in call
>> chain) checks for
>>     if (ptr || (flags & (KM_MAYFAIL|KM_NOSLEEP)))
>>
>> whereas xfs_trans_alloc  calls _xfs_trans_alloc with KM_SLEEP, also all other
>> callers of _xfs_trans_alloc call it with KM_SLEEP (except one which calls with
>> KM_NOFS), so it looks like we are safe there, it keeps spinning till it finds
>> mem.
>>
>Good.
>
>>
>> As far as second one is concerned, looks fine, though this one should also do
>> the same.
>>
>> diff --git a/fs/xfs/xfs_iops.c b/fs/xfs/xfs_iops.c
>> index ab30253..d331f5b 100644
>> --- a/fs/xfs/xfs_iops.c
>> +++ b/fs/xfs/xfs_iops.c
>> @@ -730,9 +730,9 @@ xfs_setattr_nonsize(
>>         return 0;
>>
>> out_trans_cancel:
>> -       xfs_trans_cancel(tp, 0);
>>         xfs_iunlock(ip, XFS_ILOCK_EXCL);
>> out_dqrele:
>> +       xfs_trans_cancel(tp, 0);
>>         xfs_qm_dqrele(udqp);
>>         xfs_qm_dqrele(gdqp);
>>         return error;
>>
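Review bot: moving xfs_trans_cancel() from out_trans_cancel to out_dqrele changes the teardown order on every out_trans_cancel path from cancel-then-unlock to unlock-then-cancel, which is the ordering concern raised in the reply below; a change to that order needs a stated reason, otherwise the narrower fix of cancelling only on the xfs_trans_reserve() failure path, before the lock is ever taken, leaves all other paths identical. It also makes every jump to out_dqrele cancel `tp`, so it must not be combined with an early `goto out_dqrele` taken while `tp` is NULL, as in the first patch's `if (!tp)` check.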
>
>Thank you for the feedback.
>
>I worry about the fact that this suddenly calls xfs_trans_cancel() without
>holding the lock. I don't know if that's actually significant though.
>
>If it *is* significant, then I think the patch I just submitted in reply to
>Dave Chinner is better since there we do the alloc and cancel before even
>taking the lock at all in the leaky case and all other case have
>identical behaviour as before.
>If it is *not* significant then your patch is probably better since that
>means one less thing done while holding a lock.
>
>But I don't know enough XFS details to say which it is, so I'll leave it
>to someone else to pick the best patch of the two for this.
>
>
>-- 
>Jesper Juhl <jj@chaosbits.net>       http://www.chaosbits.net/
>Don't top-post http://www.catb.org/jargon/html/T/top-post.html
>Plain text mails only, please.
>

Thanks, I noticed it a few moments after I posted it :) but I 
needed to know the reason behind the unlock-before-cancel pattern, 
which was provided by David Chinner.

Regards,
-- 
Raghavendra Prabhu
GPG Id : 0xD72BE977
Fingerprint: B93F EBCB 8E05 7039 CD3C A4B8 A616 DCA1 D72B E977
www: wnohang.net
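The following C program is an added, user-space model of the error ladder the thread is arguing about; it is not XFS code and not from either patch author. The `*_model()` functions, the `KM_*` values and `ENOSPC_MODEL` are stand-ins that only copy the shape of the kernel calls (allocate, reserve, cancel, ilock/iunlock). It shows two things from the discussion: that an allocation made with KM_SLEEP retries instead of returning NULL, so the `!tp` check never fires, while KM_MAYFAIL/KM_NOSLEEP can return NULL; and that a reserve failure which jumps straight to out_dqrele leaks the transaction, which cancelling before the goto (with the lock not yet held) fixes without changing the ordering of the other paths.

```c
/* Added example for this thread: a user-space model of xfs_setattr_nonsize()'s
 * error ladder.  Not XFS code; all *_model() names and KM_* values are stand-ins. */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define KM_SLEEP     0x0001u
#define KM_NOSLEEP   0x0002u
#define KM_MAYFAIL   0x0008u
#define ENOSPC_MODEL 28               /* assumed positive errno, as XFS used in 2012 */

struct xfs_trans { int type; };
struct xfs_inode { int ilock_depth; };

static int  trans_live;               /* live transactions: a leak leaves this > 0 */
static int  fail_allocs_remaining;    /* fault injection: the next N allocations fail */
static bool reserve_should_fail;      /* fault injection: xfs_trans_reserve fails */

/* kmem_zone_zalloc-style loop: only KM_MAYFAIL/KM_NOSLEEP may hand back NULL;
 * with KM_SLEEP the real code sleeps and retries until memory is available. */
static void *kmem_zone_zalloc_model(size_t size, unsigned flags)
{
    for (;;) {
        void *ptr = NULL;
        if (fail_allocs_remaining > 0)
            fail_allocs_remaining--;
        else
            ptr = calloc(1, size);
        if (ptr || (flags & (KM_MAYFAIL | KM_NOSLEEP)))
            return ptr;
    }
}

static struct xfs_trans *xfs_trans_alloc_model(int type)
{
    struct xfs_trans *tp = kmem_zone_zalloc_model(sizeof(*tp), KM_SLEEP);
    tp->type = type;                  /* never NULL with KM_SLEEP */
    trans_live++;
    return tp;
}

static int xfs_trans_reserve_model(struct xfs_trans *tp)
{
    (void)tp->type;                   /* dereferenced unconditionally, as in XFS */
    return reserve_should_fail ? ENOSPC_MODEL : 0;
}

static void xfs_trans_cancel_model(struct xfs_trans *tp) { trans_live--; free(tp); }
static void xfs_ilock_model(struct xfs_inode *ip)        { ip->ilock_depth++; }
static void xfs_iunlock_model(struct xfs_inode *ip)      { ip->ilock_depth--; }

/* Ladder before the fix: a reserve failure jumps past the cancel and leaks tp. */
static int setattr_nonsize_before(struct xfs_inode *ip)
{
    struct xfs_trans *tp = xfs_trans_alloc_model(1);
    int error = xfs_trans_reserve_model(tp);
    if (error)
        goto out_dqrele;              /* tp is never cancelled */
    xfs_ilock_model(ip);
    xfs_iunlock_model(ip);            /* attribute changes and commit would go here */
    xfs_trans_cancel_model(tp);       /* cancel stands in for commit in this model */
    return 0;
out_dqrele:
    return error;                     /* dquot releases would go here */
}

/* Ladder as in the patch: cancel before the goto, while the lock is not yet
 * held, so the cancel-then-unlock order of out_trans_cancel is left alone. */
static int setattr_nonsize_after(struct xfs_inode *ip)
{
    struct xfs_trans *tp = xfs_trans_alloc_model(1);
    int error = xfs_trans_reserve_model(tp);
    if (error) {
        xfs_trans_cancel_model(tp);
        goto out_dqrele;
    }
    xfs_ilock_model(ip);
    xfs_iunlock_model(ip);
    xfs_trans_cancel_model(tp);
    return 0;
out_dqrele:
    return error;
}

/* Run one ladder with reserve forced to fail or succeed and report leaked
 * transactions; a lock imbalance is folded in (x100) so one value catches both. */
static int leaked_by(int (*fn)(struct xfs_inode *), bool reserve_fails)
{
    struct xfs_inode ip = { 0 };
    trans_live = 0;
    fail_allocs_remaining = 0;
    reserve_should_fail = reserve_fails;
    fn(&ip);
    return trans_live + 100 * ip.ilock_depth;
}

/* Does the allocator hand back NULL after `failures` failed attempts? */
static bool alloc_returns_null(unsigned flags, int failures)
{
    fail_allocs_remaining = failures;
    void *ptr = kmem_zone_zalloc_model(16, flags);
    fail_allocs_remaining = 0;
    free(ptr);
    return ptr == NULL;
}

int main(void)
{
    printf("before fix, reserve fails: leaked=%d\n", leaked_by(setattr_nonsize_before, true));
    printf("after fix,  reserve fails: leaked=%d\n", leaked_by(setattr_nonsize_after, true));
    printf("KM_SLEEP NULL after 3 failures: %d\n", alloc_returns_null(KM_SLEEP, 3));
    printf("KM_MAYFAIL NULL after 1 failure: %d\n", alloc_returns_null(KM_MAYFAIL, 1));
    return 0;
}
```

Build with `cc -std=c99 -Wall model.c`; the "before" ladder reports one leaked transaction when reserve fails, the "after" ladder none, and only the KM_MAYFAIL/KM_NOSLEEP allocation ever returns NULL.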


Thread overview: 16+ messages
2012-02-05 21:23 [PATCH][RFC] XFS: Fix mem leak and possible NULL deref in xfs_setattr_nonsize() Jesper Juhl
2012-02-05 21:23 ` Jesper Juhl
2012-02-06  6:23 ` Dave Chinner
2012-02-06  6:23   ` Dave Chinner
2012-02-06 20:44   ` Jesper Juhl
2012-02-06 20:44     ` Jesper Juhl
2012-07-20 19:28     ` Jesper Juhl
2012-07-20 19:28       ` Jesper Juhl
2012-02-06  9:11 ` Raghavendra D Prabhu
2012-02-06  9:11   ` Raghavendra D Prabhu
2012-02-06 20:51   ` Jesper Juhl
2012-02-06 20:51     ` Jesper Juhl
2012-02-06 21:27     ` Dave Chinner
2012-02-06 21:27       ` Dave Chinner
2012-02-07 22:41     ` Raghavendra D Prabhu [this message]
2012-02-07 22:41       ` Raghavendra D Prabhu
