From: Christoph Hellwig <hch@lst.de>
To: Dave Chinner <david@fromorbit.com>
Cc: "Darrick J. Wong" <djwong@kernel.org>,
xfs <linux-xfs@vger.kernel.org>,
hch@lst.de, oliver.sang@intel.com
Subject: Re: [PATCH] xfs: fix use-after-free in xattr node block inactivation
Date: Fri, 8 Jul 2022 06:59:21 +0200 [thread overview]
Message-ID: <20220708045921.GA15474@lst.de> (raw)
In-Reply-To: <20220708042653.GQ227878@dread.disaster.area>
On Fri, Jul 08, 2022 at 02:26:53PM +1000, Dave Chinner wrote:
> > child_blkno,
> > XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
> > &child_bp);
> > if (error)
> > return error;
> > error = bp->b_error;
> >
> > That doesn't look right -- I think this should be dereferencing
> > child_bp, not bp.
>
> It shouldn't even be there. If xfs_trans_get_buf() returns a buffer,
> it should not have a pending error on it at all. i.e. it's supposed
> to return either an error or a buffer handle that is ready for use.
Agreed. Consumers of the buffer cache API should never look at b_error
because they will not see buffers with b_error set at all.
> Whoever wrote this didn't, for some reason, use the da btree path
> tracking (i.e. a struct xfs_da_state) to keep track of all the
> parent buffers of the current child being invalidated. That would
> make this code a whole lot simpler and neater....
Yeah. The brelese seems to go back to:
commit 677821a1ab2301629aa0370835babb33bc6c919e
Author: Doug Doucette <doucette@engr.sgi.com>
Date: Fri Dec 6 22:05:46 1996 +0000
Fold in ficus changes not yet merged in:
revision 1.32
date: 1996/11/21 23:31:08; author: doucette; state: Exp; lines: +69 -205
Rewrite inactive attribute code to avoid freeing any of the data blocks
until the very end. We still walk the on-disk structure, but just
call xfs_trans_binval on the buffers we get. Then we call the truncate
code to get rid of the data blocks. This means we don't need a block
reservation.
and the loop іtself is even older. But the da_state had been around
since 1996, so that isn't really an excuse.
> > + error = child_bp->b_error;
> > if (error) {
> > xfs_trans_brelse(*trans, child_bp);
> > return error;
>
> I'd just remove the child_bp error checking altogether - if there
> was an IOi or corruption error on it, that shouldn't keep us from
> invalidating it to free the underlying space. We're trashing the
> contents, so who cares if the contents is already trashed?
Yeah. I also don't see how a b_error could even magically appear
here without xfs_trans_get_buf returning an error first.
> Also, you probably need to set bp = NULL after the
> xfs_trans_brelse() call at the bottom of the loop....
Yes.
next prev parent reply other threads:[~2022-07-08 4:59 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-07-07 22:21 [PATCH] xfs: fix use-after-free in xattr node block inactivation Darrick J. Wong
2022-07-08 4:26 ` Dave Chinner
2022-07-08 4:59 ` Christoph Hellwig [this message]
2022-07-08 15:45 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220708045921.GA15474@lst.de \
--to=hch@lst.de \
--cc=david@fromorbit.com \
--cc=djwong@kernel.org \
--cc=linux-xfs@vger.kernel.org \
--cc=oliver.sang@intel.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.