* [Cluster-devel] [GFS2 PATCH 0/4] Fix some memory corruption issues found during testing
From: Bob Peterson @ 2020-10-29 14:51 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi,
This set of 4 patches is my latest and greatest set for fixing various
problems I've recently discovered during xfstests testing.
Bob Peterson (4):
gfs2: Free rd_bits later in gfs2_clear-rgrpd to fix use-after-free
gfs2: Add missing truncate_inode_pages_final for sd_aspace
gfs2: init_journal's undo directive should also undo the statfs inodes
gfs2: don't initialize statfs_change inodes in spectator mode
fs/gfs2/ops_fstype.c | 14 +++++++++-----
fs/gfs2/rgrp.c | 2 +-
fs/gfs2/super.c | 1 +
3 files changed, 11 insertions(+), 6 deletions(-)
--
2.26.2
* [Cluster-devel] [GFS2 PATCH 1/4] gfs2: Free rd_bits later in gfs2_clear-rgrpd to fix use-after-free
From: Bob Peterson @ 2020-10-29 14:52 UTC (permalink / raw)
To: cluster-devel.redhat.com
Function gfs2_clear_rgrpd calls kfree(rgd->rd_bits) before calling
return_all_reservations, but return_all_reservations still dereferences
rgd->rd_bits in __rs_deltree. Fix that by moving the call to kfree below the
call to return_all_reservations.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
fs/gfs2/rgrp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/rgrp.c b/fs/gfs2/rgrp.c
index ee491bb9c1cc..eb1b29734b7f 100644
--- a/fs/gfs2/rgrp.c
+++ b/fs/gfs2/rgrp.c
@@ -719,9 +719,9 @@ void gfs2_clear_rgrpd(struct gfs2_sbd *sdp)
}
gfs2_free_clones(rgd);
+ return_all_reservations(rgd);
kfree(rgd->rd_bits);
rgd->rd_bits = NULL;
- return_all_reservations(rgd);
kmem_cache_free(gfs2_rgrpd_cachep, rgd);
}
}
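Review bot: the ordering dependency this hunk fixes is invisible at the call site, so a one-line comment above `return_all_reservations(rgd);` saying that reservation teardown (via `__rs_deltree`) still reads `rgd->rd_bits` would keep the next refactor from swapping the two calls back. The fix itself is right: with `kfree(rgd->rd_bits)` first, `__rs_deltree` dereferenced freed memory. Separately, the subject line spells the function `gfs2_clear-rgrpd` with a hyphen; the function in the hunk header is `gfs2_clear_rgrpd`.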
--
2.26.2
* [Cluster-devel] [GFS2 PATCH 2/4] gfs2: Add missing truncate_inode_pages_final for sd_aspace
From: Bob Peterson @ 2020-10-29 14:52 UTC (permalink / raw)
To: cluster-devel.redhat.com
Gfs2 creates an address space for its rgrps called sd_aspace, but it never
called truncate_inode_pages_final on it. This confused the vfs greatly, which
tried to reference the address space after gfs2 had freed the superblock
that contained it.
This patch adds a call to truncate_inode_pages_final for sd_aspace, thus
avoiding the use-after-free.
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
fs/gfs2/super.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/gfs2/super.c b/fs/gfs2/super.c
index b285192bd6b3..b3d951ab8068 100644
--- a/fs/gfs2/super.c
+++ b/fs/gfs2/super.c
@@ -738,6 +738,7 @@ static void gfs2_put_super(struct super_block *sb)
gfs2_jindex_free(sdp);
/* Take apart glock structures and buffer lists */
gfs2_gl_hash_clear(sdp);
+ truncate_inode_pages_final(&sdp->sd_aspace);
gfs2_delete_debugfs_file(sdp);
/* Unmount the locking protocol */
gfs2_lm_unmount(sdp);
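Review bot: the placement after `gfs2_gl_hash_clear(sdp)` is the important part and deserves a comment, since the pages in `sd_aspace` back the rgrp buffers that the glocks reference; calling `truncate_inode_pages_final` before the glock hash is cleared would tear down pages that glock teardown can still touch. A comment such as "sd_aspace pages must go after all rgrp glocks are gone" next to the added line would record why this sits exactly here and not earlier in gfs2_put_super.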
--
2.26.2
* [Cluster-devel] [GFS2 PATCH 3/4] gfs2: init_journal's undo directive should also undo the statfs inodes
From: Bob Peterson @ 2020-10-29 14:52 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi,
Before this patch, function init_journal's "undo" directive jumped to label
fail_jinode_gh. But now that it does statfs initialization, it needs to
jump to fail_statfs instead. Failure to do so means that mount failures
after init_journal is successful will neglect to let go of the proper
statfs information, stranding the statfs_changeX inodes. This makes it
impossible to free their glocks, and results in:
gfs2: fsid=sda.s: G: s:EX n:2/805f f:Dqob t:EX d:UN/603701000 a:0 v:0 r:4 m:200 p:1
gfs2: fsid=sda.s: H: s:EX f:H e:0 p:1397947 [(ended)] init_journal+0x548/0x890 [gfs2]
gfs2: fsid=sda.s: I: n:6/32863 t:8 f:0x00 d:0x00000201 s:24 p:0
gfs2: fsid=sda.s: G: s:SH n:5/805f f:Dqob t:SH d:UN/603712000 a:0 v:0 r:3 m:200 p:0
gfs2: fsid=sda.s: H: s:SH f:EH e:0 p:1397947 [(ended)] gfs2_inode_lookup+0x1fb/0x410 [gfs2]
VFS: Busy inodes after unmount of sda. Self-destruct in 5 seconds. Have a nice day...
The next time the file system is mounted, it then reuses the same glocks,
which ends in a kernel NULL pointer dereference when trying to dump the
reused glock.
This patch makes the "undo" function of init_journal jump to fail_statfs
so the statfs files are properly deconstructed upon failure.
Fixes: 97fd734ba17e ("gfs2: lookup local statfs inodes prior to journal recovery")
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
fs/gfs2/ops_fstype.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 7a7e3c10a9a9..1ed4b61e3298 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -704,7 +704,7 @@ static int init_journal(struct gfs2_sbd *sdp, int undo)
if (undo) {
jindex = 0;
- goto fail_jinode_gh;
+ goto fail_statfs;
}
sdp->sd_jindex = gfs2_lookup_simple(master, "jindex");
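Review bot: the hunk does not show the `fail_statfs` label, so the review needs to confirm that `fail_statfs` falls through to `fail_jinode_gh` (and everything that label already undid) rather than replacing it; otherwise the undo path would now release the statfs inodes but leak the jindex glock holder it used to release. The `jindex = 0;` assignment kept above the goto suggests the later cleanup still keys off it, so a comment at `fail_statfs:` stating that it is the entry point for the full undo chain would make the intended order explicit.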
--
2.26.2
* [Cluster-devel] [GFS2 PATCH 4/4] gfs2: don't initialize statfs_change inodes in spectator mode
From: Bob Peterson @ 2020-10-29 14:52 UTC (permalink / raw)
To: cluster-devel.redhat.com
Before commit 97fd734ba17e, the local statfs_changeX inode was never
initialized for spectator mounts. However, it still checks for
spectator mounts when unmounting everything. There's no good reason to
look up the statfs_changeX files because spectators cannot perform recovery.
It still, however, needs the master statfs file for statfs calls.
This patch adds the check for spectator mounts to init_statfs.
Fixes: 97fd734ba17e ("gfs2: lookup local statfs inodes prior to journal recovery")
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
---
fs/gfs2/ops_fstype.c | 12 ++++++++----
1 file changed, 8 insertions(+), 4 deletions(-)
diff --git a/fs/gfs2/ops_fstype.c b/fs/gfs2/ops_fstype.c
index 1ed4b61e3298..61fce59cb4d3 100644
--- a/fs/gfs2/ops_fstype.c
+++ b/fs/gfs2/ops_fstype.c
@@ -633,8 +633,10 @@ static int init_statfs(struct gfs2_sbd *sdp)
if (IS_ERR(sdp->sd_statfs_inode)) {
error = PTR_ERR(sdp->sd_statfs_inode);
fs_err(sdp, "can't read in statfs inode: %d\n", error);
- goto fail;
+ goto out;
}
+ if (sdp->sd_args.ar_spectator)
+ goto out;
pn = gfs2_lookup_simple(master, "per_node");
if (IS_ERR(pn)) {
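Review bot: the new `goto out` on `sdp->sd_args.ar_spectator` returns whatever `error` currently holds, and the hunk does not show `error` being initialized to 0 or reset after the successful statfs inode lookup; the reviewer should confirm `error` is 0 at this point, since a stale nonzero value would make every spectator mount fail here while still holding a reference on `sd_statfs_inode`. An explicit `error = 0;` before the goto, or a comment saying it is already zero, would make the success path obvious.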
@@ -682,15 +684,17 @@ static int init_statfs(struct gfs2_sbd *sdp)
iput(pn);
put_statfs:
iput(sdp->sd_statfs_inode);
-fail:
+out:
return error;
}
/* Uninitialize and free up memory used by the list of statfs inodes */
static void uninit_statfs(struct gfs2_sbd *sdp)
{
- gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
- free_local_statfs_inodes(sdp);
+ if (!sdp->sd_args.ar_spectator) {
+ gfs2_glock_dq_uninit(&sdp->sd_sc_gh);
+ free_local_statfs_inodes(sdp);
+ }
iput(sdp->sd_statfs_inode);
}
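Review bot: the renamed label `out:` is now reached on the spectator success path as well as on errors, so renaming from `fail:` is correct and worth a brief comment at the label. In `uninit_statfs`, the skip of `gfs2_glock_dq_uninit(&sdp->sd_sc_gh)` and `free_local_statfs_inodes(sdp)` mirrors the early exit in `init_statfs`, but the two functions now depend on evaluating `sdp->sd_args.ar_spectator` identically; a comment in `uninit_statfs` pointing at the matching check in `init_statfs` would keep them from drifting apart if one side is later changed.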
--
2.26.2