[PATCH] ocfs2: remove debugfs before shutting down recovery

All of lore.kernel.org
 help / color / mirror / Atom feed

* [PATCH] ocfs2: remove debugfs before shutting down recovery
@ 2026-05-25  7:06 Zhang Cen
  2026-06-14  1:32 ` Cen Zhang
  2026-06-16  1:59 ` Su Yue
  0 siblings, 2 replies; 3+ messages in thread
From: Zhang Cen @ 2026-05-25  7:06 UTC (permalink / raw)
  To: Mark Fasheh, Joel Becker, Joseph Qi
  Cc: ocfs2-devel, zerocling0077, 2045gemini, Zhang Cen

ocfs2_osb_debug_open() builds the per-mount fs_state snapshot by calling
ocfs2_osb_dump(), which reads osb->recovery_map. During normal unmount,
ocfs2_dismount_volume() currently calls ocfs2_recovery_exit() before it
removes osb->osb_debug_root, so a concurrent fs_state open can still
enter ocfs2_osb_dump() after the recovery map has been freed.

operations, so moving it ahead of ocfs2_recovery_exit() closes the
post-free/pre-remove window without changing the recovery-state logic.
This also makes the normal unmount path match the existing mount-error
state.

The buggy scenario involves two paths, with each column showing the
order within that path:

1. Open the per-mount fs_state file      1. ocfs2_dismount_volume() starts
2. ocfs2_osb_debug_open() calls          2. ocfs2_recovery_exit() frees
   ocfs2_osb_dump()                         osb->recovery_map
   osb->recovery_map                        runs later

Validation reproduced this kernel report:
KASAN slab-use-after-free in ocfs2_osb_debug_open+0x478/0xaa0
RIP: 0033:0x7f65fc97a001
The buggy address belongs to the object at ffff8881049c3da0 which belongs
to the cache kmalloc-8 of size 8
The buggy address is located 0 bytes inside of freed 8-byte region
[ffff8881049c3da0, ffff8881049c3da8)
Read of size 4
Call trace:
  dump_stack_lvl+0x66/0xa0 (?:?)
  print_report+0xd0/0x630 (?:?)
  ocfs2_osb_debug_open+0x478/0xaa0 (fs/ocfs2/super.c:343)
  srso_alias_return_thunk+0x5/0xfbef5 (?:?)
  __virt_addr_valid+0x188/0x2f0 (?:?)
  kasan_report+0xe4/0x120 (?:?)
  full_proxy_open_regular+0x113/0x170 (?:?)
  do_dentry_open+0x233/0x7f0 (?:?)
  vfs_open+0x5a/0x1b0 (?:?)
  security_inode_permission+0x19/0x60 (?:?)
  path_openat+0x679/0x1540 (?:?)
  kmem_cache_alloc_noprof+0x1ea/0x5f0 (?:?)
  do_getname+0x2e/0x1d0 (?:?)
  do_sys_openat2+0xa4/0x150 (?:?)
  __x64_sys_openat+0xd0/0x140 (?:?)
  do_syscall_64+0x10c/0x640 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
  do_file_open+0x190/0x2a0 (?:?)
  __lock_acquire+0x42f/0x1a60 (?:?)
  _raw_spin_unlock+0x23/0x40 (?:?)
  alloc_fd+0x210/0x350 (?:?)
  do_sys_openat2+0xce/0x150 (?:?)
  irqentry_exit+0xac/0x6e0 (?:?)
Freed by task stack:
  kasan_save_stack+0x33/0x60 (?:?)
  kasan_save_track+0x14/0x30 (?:?)
  kasan_save_free_info+0x3b/0x60 (?:?)
  __kasan_slab_free+0x5f/0x80 (?:?)
  kfree+0x30f/0x580 (?:?)
  ocfs2_dismount_volume+0x168/0x560 (fs/ocfs2/super.c:1868)
  generic_shutdown_super+0xc3/0x220 (fs/ocfs2/super.c:?)
  kill_block_super+0x29/0x60 (fs/ocfs2/super.c:?)
  deactivate_locked_super+0x66/0xe0 (fs/ocfs2/super.c:?)
  cleanup_mnt+0x13d/0x210 (?:?)
  task_work_run+0xfa/0x170 (?:?)
  exit_to_user_mode_loop+0xd6/0x430 (?:?)
  do_syscall_64+0x3cb/0x640 (arch/x86/entry/syscall_64.c:87)
  entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)

Fixes: 5e7a3ed9f1a6 ("ocfs2: further debugfs cleanups")
Assisted-by: Codex:gpt-5.5
Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
---
 fs/ocfs2/super.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
index b875f01c9756..357f210b6a43 100644
--- a/fs/ocfs2/super.c
+++ b/fs/ocfs2/super.c
@@ -1826,6 +1826,9 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
 
 	ocfs2_truncate_log_shutdown(osb);
 
+	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
+	debugfs_remove_recursive(osb->osb_debug_root);
+
 	/* This will disable recovery and flush any recovery work. */
 	ocfs2_recovery_exit(osb);
 
@@ -1865,9 +1868,6 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
 
 	ocfs2_dlm_shutdown(osb, hangup_needed);
 
-	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
-	debugfs_remove_recursive(osb->osb_debug_root);
-
 	if (hangup_needed)
 		ocfs2_cluster_hangup(osb->uuid_str, strlen(osb->uuid_str));
 
-- 
2.43.0


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH] ocfs2: remove debugfs before shutting down recovery
  2026-05-25  7:06 [PATCH] ocfs2: remove debugfs before shutting down recovery Zhang Cen
@ 2026-06-14  1:32 ` Cen Zhang
  2026-06-16  1:59 ` Su Yue
  1 sibling, 0 replies; 3+ messages in thread
From: Cen Zhang @ 2026-06-14  1:32 UTC (permalink / raw)
  To: Mark Fasheh, Joel Becker, Joseph Qi
  Cc: ocfs2-devel, zerocling0077, 2045gemini

Hi all,

Just a gentle ping on this series.

I would appreciate any feedback or guidance on whether further changes
are needed.

Thanks for your time and review.

Best regards,
Zhang Cen

Zhang Cen <rollkingzzc@gmail.com> 于2026年5月25日周一 15:06写道：
>
> ocfs2_osb_debug_open() builds the per-mount fs_state snapshot by calling
> ocfs2_osb_dump(), which reads osb->recovery_map. During normal unmount,
> ocfs2_dismount_volume() currently calls ocfs2_recovery_exit() before it
> removes osb->osb_debug_root, so a concurrent fs_state open can still
> enter ocfs2_osb_dump() after the recovery map has been freed.
>
> operations, so moving it ahead of ocfs2_recovery_exit() closes the
> post-free/pre-remove window without changing the recovery-state logic.
> This also makes the normal unmount path match the existing mount-error
> state.
>
> The buggy scenario involves two paths, with each column showing the
> order within that path:
>
> 1. Open the per-mount fs_state file      1. ocfs2_dismount_volume() starts
> 2. ocfs2_osb_debug_open() calls          2. ocfs2_recovery_exit() frees
>    ocfs2_osb_dump()                         osb->recovery_map
>    osb->recovery_map                        runs later
>
> Validation reproduced this kernel report:
> KASAN slab-use-after-free in ocfs2_osb_debug_open+0x478/0xaa0
> RIP: 0033:0x7f65fc97a001
> The buggy address belongs to the object at ffff8881049c3da0 which belongs
> to the cache kmalloc-8 of size 8
> The buggy address is located 0 bytes inside of freed 8-byte region
> [ffff8881049c3da0, ffff8881049c3da8)
> Read of size 4
> Call trace:
>   dump_stack_lvl+0x66/0xa0 (?:?)
>   print_report+0xd0/0x630 (?:?)
>   ocfs2_osb_debug_open+0x478/0xaa0 (fs/ocfs2/super.c:343)
>   srso_alias_return_thunk+0x5/0xfbef5 (?:?)
>   __virt_addr_valid+0x188/0x2f0 (?:?)
>   kasan_report+0xe4/0x120 (?:?)
>   full_proxy_open_regular+0x113/0x170 (?:?)
>   do_dentry_open+0x233/0x7f0 (?:?)
>   vfs_open+0x5a/0x1b0 (?:?)
>   security_inode_permission+0x19/0x60 (?:?)
>   path_openat+0x679/0x1540 (?:?)
>   kmem_cache_alloc_noprof+0x1ea/0x5f0 (?:?)
>   do_getname+0x2e/0x1d0 (?:?)
>   do_sys_openat2+0xa4/0x150 (?:?)
>   __x64_sys_openat+0xd0/0x140 (?:?)
>   do_syscall_64+0x10c/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>   do_file_open+0x190/0x2a0 (?:?)
>   __lock_acquire+0x42f/0x1a60 (?:?)
>   _raw_spin_unlock+0x23/0x40 (?:?)
>   alloc_fd+0x210/0x350 (?:?)
>   do_sys_openat2+0xce/0x150 (?:?)
>   irqentry_exit+0xac/0x6e0 (?:?)
> Freed by task stack:
>   kasan_save_stack+0x33/0x60 (?:?)
>   kasan_save_track+0x14/0x30 (?:?)
>   kasan_save_free_info+0x3b/0x60 (?:?)
>   __kasan_slab_free+0x5f/0x80 (?:?)
>   kfree+0x30f/0x580 (?:?)
>   ocfs2_dismount_volume+0x168/0x560 (fs/ocfs2/super.c:1868)
>   generic_shutdown_super+0xc3/0x220 (fs/ocfs2/super.c:?)
>   kill_block_super+0x29/0x60 (fs/ocfs2/super.c:?)
>   deactivate_locked_super+0x66/0xe0 (fs/ocfs2/super.c:?)
>   cleanup_mnt+0x13d/0x210 (?:?)
>   task_work_run+0xfa/0x170 (?:?)
>   exit_to_user_mode_loop+0xd6/0x430 (?:?)
>   do_syscall_64+0x3cb/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>
> Fixes: 5e7a3ed9f1a6 ("ocfs2: further debugfs cleanups")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
> ---
>  fs/ocfs2/super.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
> index b875f01c9756..357f210b6a43 100644
> --- a/fs/ocfs2/super.c
> +++ b/fs/ocfs2/super.c
> @@ -1826,6 +1826,9 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
>
>         ocfs2_truncate_log_shutdown(osb);
>
> +       ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> +       debugfs_remove_recursive(osb->osb_debug_root);
> +
>         /* This will disable recovery and flush any recovery work. */
>         ocfs2_recovery_exit(osb);
>
> @@ -1865,9 +1868,6 @@ static void ocfs2_dismount_volume(struct super_block *sb, int mnt_err)
>
>         ocfs2_dlm_shutdown(osb, hangup_needed);
>
> -       ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> -       debugfs_remove_recursive(osb->osb_debug_root);
> -
>         if (hangup_needed)
>                 ocfs2_cluster_hangup(osb->uuid_str, strlen(osb->uuid_str));
>
> --
> 2.43.0
>

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] ocfs2: remove debugfs before shutting down recovery
  2026-05-25  7:06 [PATCH] ocfs2: remove debugfs before shutting down recovery Zhang Cen
  2026-06-14  1:32 ` Cen Zhang
@ 2026-06-16  1:59 ` Su Yue
  1 sibling, 0 replies; 3+ messages in thread
From: Su Yue @ 2026-06-16  1:59 UTC (permalink / raw)
  To: Zhang Cen
  Cc: Mark Fasheh, Joel Becker, Joseph Qi, ocfs2-devel, zerocling0077,
	2045gemini

On Mon 25 May 2026 at 15:06, Zhang Cen <rollkingzzc@gmail.com> 
wrote:

> ocfs2_osb_debug_open() builds the per-mount fs_state snapshot by 
> calling
> ocfs2_osb_dump(), which reads osb->recovery_map. During normal 
> unmount,
> ocfs2_dismount_volume() currently calls ocfs2_recovery_exit() 
> before it
> removes osb->osb_debug_root, so a concurrent fs_state open can 
> still
> enter ocfs2_osb_dump() after the recovery map has been freed.
>
> operations, so moving it ahead of ocfs2_recovery_exit() closes 
> the
>
"operations,"? Seems one line is missing.

> post-free/pre-remove window without changing the recovery-state 
> logic.
> This also makes the normal unmount path match the existing 
> mount-error
> state.
>
> The buggy scenario involves two paths, with each column showing 
> the
> order within that path:
>
> 1. Open the per-mount fs_state file      1. 
> ocfs2_dismount_volume() starts
> 2. ocfs2_osb_debug_open() calls          2. 
> ocfs2_recovery_exit() frees
>    ocfs2_osb_dump()                         osb->recovery_map
>    osb->recovery_map                        runs later
>
> Validation reproduced this kernel report:
>
Please paste the link of report or steps to reproduce.

The codes LGTM.

--
Su

> KASAN slab-use-after-free in ocfs2_osb_debug_open+0x478/0xaa0
> RIP: 0033:0x7f65fc97a001
> The buggy address belongs to the object at ffff8881049c3da0 
> which belongs
> to the cache kmalloc-8 of size 8
> The buggy address is located 0 bytes inside of freed 8-byte 
> region
> [ffff8881049c3da0, ffff8881049c3da8)
> Read of size 4
> Call trace:
>   dump_stack_lvl+0x66/0xa0 (?:?)
>   print_report+0xd0/0x630 (?:?)
>   ocfs2_osb_debug_open+0x478/0xaa0 (fs/ocfs2/super.c:343)
>   srso_alias_return_thunk+0x5/0xfbef5 (?:?)
>   __virt_addr_valid+0x188/0x2f0 (?:?)
>   kasan_report+0xe4/0x120 (?:?)
>   full_proxy_open_regular+0x113/0x170 (?:?)
>   do_dentry_open+0x233/0x7f0 (?:?)
>   vfs_open+0x5a/0x1b0 (?:?)
>   security_inode_permission+0x19/0x60 (?:?)
>   path_openat+0x679/0x1540 (?:?)
>   kmem_cache_alloc_noprof+0x1ea/0x5f0 (?:?)
>   do_getname+0x2e/0x1d0 (?:?)
>   do_sys_openat2+0xa4/0x150 (?:?)
>   __x64_sys_openat+0xd0/0x140 (?:?)
>   do_syscall_64+0x10c/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>   do_file_open+0x190/0x2a0 (?:?)
>   __lock_acquire+0x42f/0x1a60 (?:?)
>   _raw_spin_unlock+0x23/0x40 (?:?)
>   alloc_fd+0x210/0x350 (?:?)
>   do_sys_openat2+0xce/0x150 (?:?)
>   irqentry_exit+0xac/0x6e0 (?:?)
> Freed by task stack:
>   kasan_save_stack+0x33/0x60 (?:?)
>   kasan_save_track+0x14/0x30 (?:?)
>   kasan_save_free_info+0x3b/0x60 (?:?)
>   __kasan_slab_free+0x5f/0x80 (?:?)
>   kfree+0x30f/0x580 (?:?)
>   ocfs2_dismount_volume+0x168/0x560 (fs/ocfs2/super.c:1868)
>   generic_shutdown_super+0xc3/0x220 (fs/ocfs2/super.c:?)
>   kill_block_super+0x29/0x60 (fs/ocfs2/super.c:?)
>   deactivate_locked_super+0x66/0xe0 (fs/ocfs2/super.c:?)
>   cleanup_mnt+0x13d/0x210 (?:?)
>   task_work_run+0xfa/0x170 (?:?)
>   exit_to_user_mode_loop+0xd6/0x430 (?:?)
>   do_syscall_64+0x3cb/0x640 (arch/x86/entry/syscall_64.c:87)
>   entry_SYSCALL_64_after_hwframe+0x77/0x7f (?:?)
>
> Fixes: 5e7a3ed9f1a6 ("ocfs2: further debugfs cleanups")
> Assisted-by: Codex:gpt-5.5
> Signed-off-by: Zhang Cen <rollkingzzc@gmail.com>
> ---
>  fs/ocfs2/super.c | 6 +++---
>  1 file changed, 3 insertions(+), 3 deletions(-)
>
> diff --git a/fs/ocfs2/super.c b/fs/ocfs2/super.c
> index b875f01c9756..357f210b6a43 100644
> --- a/fs/ocfs2/super.c
> +++ b/fs/ocfs2/super.c
> @@ -1826,6 +1826,9 @@ static void ocfs2_dismount_volume(struct 
> super_block *sb, int mnt_err)
>
>  	ocfs2_truncate_log_shutdown(osb);
>
> +	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> +	debugfs_remove_recursive(osb->osb_debug_root);
> +
>  	/* This will disable recovery and flush any recovery work. */
>  	ocfs2_recovery_exit(osb);
>
> @@ -1865,9 +1868,6 @@ static void ocfs2_dismount_volume(struct 
> super_block *sb, int mnt_err)
>
>  	ocfs2_dlm_shutdown(osb, hangup_needed);
>
> -	ocfs2_blockcheck_stats_debugfs_remove(&osb->osb_ecc_stats);
> -	debugfs_remove_recursive(osb->osb_debug_root);
> -
>  	if (hangup_needed)
>  		ocfs2_cluster_hangup(osb->uuid_str, 
>  strlen(osb->uuid_str));

^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-16  2:05 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-25  7:06 [PATCH] ocfs2: remove debugfs before shutting down recovery Zhang Cen
2026-06-14  1:32 ` Cen Zhang
2026-06-16  1:59 ` Su Yue

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.