From: Eryu Guan <guaneryu@gmail.com>
To: Brian Foster <bfoster@redhat.com>
Cc: fstests@vger.kernel.org, linux-xfs@vger.kernel.org
Subject: Re: [PATCH] tests/xfs: filestream allocator inode use-after-free test
Date: Thu, 26 Apr 2018 10:01:07 +0800
Message-ID: <20180426020107.GI11384@desktop>
In-Reply-To: <20180426015456.GH11384@desktop>

On Thu, Apr 26, 2018 at 09:54:56AM +0800, Eryu Guan wrote:
> On Wed, Apr 25, 2018 at 07:53:41AM -0400, Brian Foster wrote:
> > On Wed, Apr 25, 2018 at 11:22:21AM +0800, Eryu Guan wrote:
> > > On Fri, Apr 06, 2018 at 10:18:15AM -0400, Brian Foster wrote:
> > > > The XFS filestreams allocator caches dir inode -> agno mappings in
> > > > an MRU mechanism that holds elements in memory for an amount of time
> > > > and then cleans up expired elements in the background. The elements
> > > > typically held inode pointers without holding a reference to the
> > > > associated inode. This means that if the inode is reclaimed before
> > > > an expired entry is cleaned up, the MRU reaper can access freed
> > > > memory and cause a panic.
> > > > 
> > > > Test for this problem by performing continuous filestreams
> > > > allocations under short-lived parent directory inodes. This will
> > > > produce KASAN use-after-free splats if enabled during the test.
> > > > 
> > > > Signed-off-by: Brian Foster <bfoster@redhat.com>
> > > > ---
> > > > 
> > > > This test reproduces the problem described in this[1] thread. It's
> > > > XFS-specific because of the filestream option and specific geometry used
> > > > to format the scratch device.
> > > > 
> > > > Brian
> > > > 
> > > > [1] https://marc.info/?l=linux-xfs&m=152293031029161&w=2
> > > 
> > > From above thread, it seems that we don't need the kernel change
> > > anymore, and the test itself would trigger dmesg check failure when
> > > testing on kernel with kasan enabled, right?
> > > 
> > 
> > Yep...
> > 
> > > But I've looped the test for 200 times and it all passed without
> > > triggering any KASAN warnings, kernel is v4.17-rc2.
> > > 
> > 
> > The kernel fix ended up being a patch from Christoph. It looks like it
> > made it into v4.17-rc1 as commit 7fcd3efa1e ("xfs: remove filestream
> > item xfs_inode reference"). Could you perhaps try an older kernel or one
> > with that patch reverted?
> 
> Sure, I'll try reverting that patch.

Yeah, I hit the KASAN warning quite quickly after reverting that patch.
Thanks!

Eryu
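As an added example, not code from the fstests patch or from XFS itself, here is a small C model of the cache pattern the commit message above describes: each MRU element stores the parent directory's inode number and allocation group by value instead of an inode pointer, so the background reaper can run after the short-lived parent inode has been reclaimed without touching freed memory. The struct names, the tick-based expiry and the scenario function are assumed stand-ins, not the kernel's own.

```c
/* Added example, not from the fstests patch or from XFS: a minimal MRU-style
 * cache modelled on the bug described above. The unsafe form kept a raw
 * `struct inode *` in each element with no reference held, so a reaper
 * running after the inode was reclaimed read freed memory. This safe form
 * stores only the values the allocator needs (inode number -> agno). */
#include <stdlib.h>
struct inode { unsigned long ino; int agno; };   /* stand-in for the kernel inode */
struct fstrm_item {                /* safe element: no inode pointer inside */
    unsigned long ino;             /* key: parent directory inode number */
    int agno;                      /* cached allocation group */
    unsigned long expires;         /* reaper frees it once now >= expires */
    struct fstrm_item *next;
};
struct mru { struct fstrm_item *head; unsigned long ttl; };

static void mru_insert(struct mru *m, const struct inode *dir, unsigned long now)
{
    struct fstrm_item *it = calloc(1, sizeof *it);
    it->ino = dir->ino;            /* copy the numbers, never keep `dir` */
    it->agno = dir->agno;
    it->expires = now + m->ttl;
    it->next = m->head;
    m->head = it;
}

static int mru_lookup(const struct mru *m, unsigned long ino, unsigned long now)
{
    for (struct fstrm_item *it = m->head; it; it = it->next)
        if (it->ino == ino && now < it->expires)
            return it->agno;
    return -1;                     /* expired or unknown: caller allocates afresh */
}

/* Background reaper: unlinks and frees expired items, touching only the item. */
static int mru_reap(struct mru *m, unsigned long now)
{
    int freed = 0;
    for (struct fstrm_item **pp = &m->head; *pp; ) {
        struct fstrm_item *it = *pp;
        if (now >= it->expires) { *pp = it->next; free(it); freed++; }
        else pp = &it->next;
    }
    return freed;
}

/* Sequence from the test description: short-lived parent dir is cached,
 * reclaimed before its entry expires, then the reaper runs. Returns 1 if OK. */
static int short_lived_parent_scenario(void)
{
    struct mru m = { NULL, 10 };
    struct inode *dir = malloc(sizeof *dir);
    dir->ino = 42; dir->agno = 3;
    mru_insert(&m, dir, 0);
    free(dir);                     /* inode reclaimed while entry is still cached */
    int hit = mru_lookup(&m, 42, 5);      /* entry still valid, no `dir` deref */
    int reaped = mru_reap(&m, 10);        /* expired: only the item is freed */
    return hit == 3 && reaped == 1 && m.head == NULL;
}
```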
