From: Su Yue <l@damenly.org>
To: Zhang Cen <rollkingzzc@gmail.com>
Cc: Mark Fasheh <mark@fasheh.com>,  Joel Becker <jlbec@evilplan.org>,
	Joseph Qi <joseph.qi@linux.alibaba.com>,
	 ocfs2-devel@lists.linux.dev, zerocling0077@gmail.com,
	 2045gemini@gmail.com
Subject: Re: [PATCH] ocfs2: remove debugfs before shutting down recovery
Date: Tue, 16 Jun 2026 09:59:47 +0800
Message-ID: <tsr3tfcc.fsf@damenly.org>
In-Reply-To: <20260525070604.360875-1-rollkingzzc@gmail.com> (Zhang Cen's message of "Mon, 25 May 2026 15:06:04 +0800")

On Mon 25 May 2026 at 15:06, Zhang Cen <rollkingzzc@gmail.com> wrote:

> ocfs2_osb_debug_open() builds the per-mount fs_state snapshot by calling
> ocfs2_osb_dump(), which reads osb->recovery_map. During normal unmount,
> ocfs2_dismount_volume() currently calls ocfs2_recovery_exit() before it
> removes osb->osb_debug_root, so a concurrent fs_state open can still
> enter ocfs2_osb_dump() after the recovery map has been freed.
>
> operations, so moving it ahead of ocfs2_recovery_exit() closes the
>
"operations,"? Seems one line is missing.

> post-free/pre-remove window without changing the recovery-state logic.
> This also makes the normal unmount path match the existing mount-error
> state.
>
> The buggy scenario involves two paths, with each column showing the
> order within that path:
>
> 1. Open the per-mount fs_state file      1. ocfs2_dismount_volume() starts
> 2. ocfs2_osb_debug_open() calls          2. ocfs2_recovery_exit() frees
>    ocfs2_osb_dump()                         osb->recovery_map
>    osb->recovery_map                        runs later
>
> Validation reproduced this kernel report:
>
Please paste the link of report or steps to reproduce.

The code LGTM.

--
Su

> KASAN slab-use-after-free in ocfs2_osb_debug_open+0x478/0xaa0
> RIP: 0033:0x7f65fc97a001
> The buggy address belongs to the object at ffff8881049c3da0 which belongs
> to the cache kmalloc-8 of size 8
> The buggy address is located 0 bytes inside of freed 8-byte region
> [ffff8881049c3da0, ffff8881049c3da8)
> Read of size 4
> Call trace:
>   dump_stack_lvl+0x66/0xa0 (?:?)
>   print_report+0xd0/0x630 (?:?)
>   ocfs2_osb_debug_open+0x478/0xaa0 (fs/ocfs2/super.c:343)
>   srso_alias_return_thunk+0x5/0xfbef5 (?:?)
>   __virt_addr_valid+0x188/0x2f0 (?:?)
>   kasan_report+0xe4/0x120 (?:?)
>   full_proxy_open_regular+0x113/0x170 (?:?)
>   do_dentry_open+0x233/0x7f0 (?:?)
>   vfs_open+0x5a/0x1b0 (?:?)
>   security_inode_permission+0x19/0x60 (?:?)
>   path_openat+0x679/0x1540 (?:?)
>   kmem_cache_alloc_noprof+0x1ea/0x5f0 (?:?)
>   do_getname+0x2e/0x1d0 (?:?)
>   do_sys_openat2+0xa4/0x150 (?:?)
>   __x64_sys_openat+0xd0/0x140 (?:?)
>   do_syscall_64+0x10c/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>   do_file_open+0x190/0x2a0 (?:?)
>   __lock_acquire+0x42f/0x1a60 (?:?)
>   _raw_spin_unlock+0x23/0x40 (?:?)
>   alloc_fd+0x210/0x350 (?:?)
>   do_sys_openat2+0xce/0x150 (?:?)
>   irqentry_exit+0xac/0x6e0 (?:?)
> Freed by task stack:
>   kasan_save_stack+0x33/0x60 (?:?)
>   kasan_save_track+0x14/0x30 (?:?)
>   kasan_save_free_info+0x3b/0x60 (?:?)
>   __kasan_slab_free+0x5f/0x80 (?:?)
>   kfree+0x30f/0x580 (?:?)
>   ocfs2_dismount_volume+0x168/0x560 (fs/ocfs2/super.c:1868)
>   generic_shutdown_super+0xc3/0x220 (fs/ocfs2/super.c:?)
>   kill_block_super+0x29/0x60 (fs/ocfs2/super.c:?)
>   deactivate_locked_super+0x66/0xe0 (fs/ocfs2/super.c:?)
>   cleanup_mnt+0x13d/0x210 (?:?)
>   task_work_run+0xfa/0x170 (?:?)
>   exit_to_user_mode_loop+0xd6/0x430 (?:?)
>   do_syscall_64+0x3cb/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>
> Fixes: 5e7a3ed9f1a6 ("ocfs2: further debugfs cleanups")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
> ---
>  fs/ocfs2/super.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
> index b875f01c9756..357f210b6a43 100644
> --- a/fs/ocfs2/super.c
> +++ b/fs/ocfs2/super.c
> @@ -1826,6 +1826,9 @@ static void ocfs2_dismount_volume(struct 
> super_block *sb, int mnt_err)
>
>  	ocfs2_truncate_log_shutdown(osb);
>
> +	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> +	debugfs_remove_recursive(osb->osb_debug_root);
> +
>  	/* This will disable recovery and flush any recovery work. */
>  	ocfs2_recovery_exit(osb);
>
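Review bot: the reordering only closes the window because debugfs_remove_recursive() waits for in-flight file operations on the nodes it removes (the full_proxy_open_regular() frame in the quoted report is exactly such an operation), so an fs_state open that has already entered ocfs2_osb_dump() finishes before ocfs2_recovery_exit() frees osb->recovery_map; that property is what the fix relies on, yet nothing in the hunk records it. Add a comment above the two moved calls, e.g. `/* Must precede ocfs2_recovery_exit(): debugfs removal waits for in-flight fs_state opens that read osb->recovery_map. */`, so a later cleanup does not reintroduce the original order.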
> @@ -1865,9 +1868,6 @@ static void ocfs2_dismount_volume(struct 
> super_block *sb, int mnt_err)
>
>  	ocfs2_dlm_shutdown(osb, hangup_needed);
>
> -	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> -	debugfs_remove_recursive(osb->osb_debug_root);
> -
>  	if (hangup_needed)
>  		ocfs2_cluster_hangup(osb->uuid_str, 
>  strlen(osb->uuid_str));
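Review bot: the removed block shows the debugfs teardown used to run after ocfs2_dlm_shutdown(); with the move, osb_ecc_stats and everything under osb_debug_root are gone while the DLM is still up, so any late blockcheck stats update in that interval now lands in counters that are no longer exposed. That is harmless, but the commit message should say so explicitly (and that the order now mirrors the mount-error path it mentions) rather than leaving reviewers to infer that nothing between the new removal point and ocfs2_dlm_shutdown() still dereferences osb->osb_debug_root.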
