[Cluster-devel] [PATCH 1/2] gfs2: Fix occasional glock use-after-free

cluster-devel.redhat.com archive mirror
 help / color / mirror / Atom feed

From: Bob Peterson <rpeterso@redhat.com>
To: cluster-devel.redhat.com
Subject: [Cluster-devel] [PATCH 1/2] gfs2: Fix occasional glock use-after-free
Date: Thu, 31 Jan 2019 09:40:00 -0500 (EST)	[thread overview]
Message-ID: <1251576250.68839146.1548945600012.JavaMail.zimbra@redhat.com> (raw)
In-Reply-To: <20190131105543.15421-2-ross.lagerwall@citrix.com>

----- Original Message -----
> Each gfs2_bufdata stores a reference to a glock but the reference count
> isn't incremented. This causes an occasional use-after-free of the
> glock. Fix by taking a reference on the glock during allocation and
> dropping it when freeing.
> 
> Found by KASAN:
> 
> BUG: KASAN: use-after-free in revoke_lo_after_commit+0x8e/0xe0 [gfs2]
> Write of size 4 at addr ffff88801aff6134 by task kworker/0:2H/20371
> 
> CPU: 0 PID: 20371 Comm: kworker/0:2H Tainted: G O 4.19.0+0 #1
> Hardware name: Dell Inc. PowerEdge R805/0D456H, BIOS 4.2.1 04/14/2010
> Workqueue: glock_workqueue glock_work_func [gfs2]
> Call Trace:
>  dump_stack+0x71/0xab
>  print_address_description+0x6a/0x270
>  kasan_report+0x258/0x380
>  ? revoke_lo_after_commit+0x8e/0xe0 [gfs2]
>  revoke_lo_after_commit+0x8e/0xe0 [gfs2]
>  gfs2_log_flush+0x511/0xa70 [gfs2]
>  ? gfs2_log_shutdown+0x1f0/0x1f0 [gfs2]
>  ? __brelse+0x48/0x50
>  ? gfs2_log_commit+0x4de/0x6e0 [gfs2]
>  ? gfs2_trans_end+0x18d/0x340 [gfs2]
>  gfs2_ail_empty_gl+0x1ab/0x1c0 [gfs2]
>  ? inode_go_dump+0xe0/0xe0 [gfs2]
>  ? inode_go_sync+0xe4/0x220 [gfs2]
>  inode_go_sync+0xe4/0x220 [gfs2]
>  do_xmote+0x12b/0x290 [gfs2]
>  glock_work_func+0x6f/0x160 [gfs2]
>  process_one_work+0x461/0x790
>  worker_thread+0x69/0x6b0
>  ? process_one_work+0x790/0x790
>  kthread+0x1ae/0x1d0
>  ? kthread_create_worker_on_cpu+0xc0/0xc0
>  ret_from_fork+0x22/0x40
> 
> Allocated by task 20805:
>  kasan_kmalloc+0xa0/0xd0
>  kmem_cache_alloc+0xb5/0x1b0
>  gfs2_glock_get+0x14b/0x620 [gfs2]
>  gfs2_inode_lookup+0x20c/0x640 [gfs2]
>  gfs2_dir_search+0x150/0x180 [gfs2]
>  gfs2_lookupi+0x272/0x360 [gfs2]
>  __gfs2_lookup+0x8b/0x1d0 [gfs2]
>  gfs2_atomic_open+0x77/0x100 [gfs2]
>  path_openat+0x1454/0x1c10
>  do_filp_open+0x124/0x1d0
>  do_sys_open+0x213/0x2c0
>  do_syscall_64+0x69/0x160
>  entry_SYSCALL_64_after_hwframe+0x44/0xa9
> 
> Freed by task 0:
>  __kasan_slab_free+0x130/0x180
>  kmem_cache_free+0x78/0x1e0
>  rcu_process_callbacks+0x2ad/0x6c0
>  __do_softirq+0x111/0x38c
> 
> The buggy address belongs to the object at ffff88801aff6040
>  which belongs to the cache gfs2_glock(aspace) of size 560
> The buggy address is located 244 bytes inside of
>  560-byte region [ffff88801aff6040, ffff88801aff6270)
> ...
> 
> Signed-off-by: Ross Lagerwall <ross.lagerwall@citrix.com>
> ---

This makes sense to me.

Regards,

Bob Peterson

next prev parent reply	other threads:[~2019-01-31 14:40 UTC|newest]

Thread overview: 21+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2019-01-31 10:55 [Cluster-devel] [PATCH 0/2] GFS2 counting fixes Ross Lagerwall
2019-01-31 10:55 ` [Cluster-devel] [PATCH 1/2] gfs2: Fix occasional glock use-after-free Ross Lagerwall
2019-01-31 11:23   ` Steven Whitehouse
2019-01-31 14:40   ` Bob Peterson [this message]
2019-01-31 17:18   ` Andreas Gruenbacher
2019-02-01  9:23     ` Ross Lagerwall
2019-02-01 14:34       ` Bob Peterson
2019-02-01 14:51       ` Bob Peterson
2019-02-01 15:03       ` [Cluster-devel] [PATCH 1/2] gfs2: Fix occasional glock use-after-free (Another debug patch) Bob Peterson
2019-03-26 18:49     ` [Cluster-devel] [PATCH 1/2] gfs2: Fix occasional glock use-after-free Ross Lagerwall
2019-03-26 19:14       ` Bob Peterson
2019-04-01 22:59         ` Andreas Gruenbacher
2019-04-05 17:50           ` Andreas Gruenbacher
2019-04-09 15:36             ` Ross Lagerwall
2019-04-09 15:41               ` Andreas Gruenbacher
2019-01-31 10:55 ` [Cluster-devel] [PATCH 2/2] gfs2: Fix lru_count going negative Ross Lagerwall
2019-01-31 11:21   ` Steven Whitehouse
2019-01-31 14:36   ` Bob Peterson
2019-01-31 15:04     ` Bob Peterson
2019-01-31 15:23     ` Ross Lagerwall
2019-01-31 18:32   ` Andreas Gruenbacher

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=1251576250.68839146.1548945600012.JavaMail.zimbra@redhat.com \
    --to=rpeterso@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).