From: Liu Bo <bo.li.liu@oracle.com>
To: dsterba@suse.cz, linux-btrfs@vger.kernel.org
Subject: Re: [PATCH 1/5] Btrfs: fix use-after-free bug during umount
Date: Mon, 27 May 2013 21:52:33 +0800
Message-ID: <20130527135232.GA4666@liubo.jp.oracle.com>
In-Reply-To: <20130527120700.GB28422@twin.jikos.cz>
On Mon, May 27, 2013 at 02:07:00PM +0200, David Sterba wrote:
> On Sun, May 26, 2013 at 09:50:27PM +0800, Liu Bo wrote:
> > Commit be283b2e674a09457d4563729015adb637ce7cc1
> > (Btrfs: use helper to cleanup tree roots) introduced the following bug,
>
> Well, it did not introduce the bug, but made it visible.
>
> > We've freed commit_root before actually getting to free block groups, where
> > the caching thread needs a valid extent_root->commit_root.
> >
> > Signed-off-by: Liu Bo <bo.li.liu@oracle.com>
> > ---
> > fs/btrfs/disk-io.c | 4 ++--
> > 1 files changed, 2 insertions(+), 2 deletions(-)
> >
> > diff --git a/fs/btrfs/disk-io.c b/fs/btrfs/disk-io.c
> > index e7b3cb5..a5c8f28 100644
> > --- a/fs/btrfs/disk-io.c
> > +++ b/fs/btrfs/disk-io.c
> > @@ -3512,10 +3512,10 @@ int close_ctree(struct btrfs_root *root)
> > percpu_counter_sum(&fs_info->delalloc_bytes));
> > }
> >
> > - free_root_pointers(fs_info, 1);
> > -
> > btrfs_free_block_groups(fs_info);
> >
> > + free_root_pointers(fs_info, 1);
> > +
> > del_fs_roots(fs_info);
> >
> > iput(fs_info->btree_inode);
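Review bot: moving free_root_pointers() below btrfs_free_block_groups() only narrows the window rather than closing it: del_fs_roots() and iput() still run after the roots are freed, and any worker thread that is stopped only after iput can still dereference the freed commit_root, as the reply below points out. Consider keeping the root pointers (or at least root->commit_root) alive until the worker threads have been stopped, and add a comment above the free_root_pointers() call stating that it must run after the block groups are freed, since nothing in the code now records that ordering constraint.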
>
> This makes it just harder to hit, but the worker threads that get
> stopped after iput may still access the freed roots, like mentioned here
>
> http://www.mail-archive.com/linux-btrfs@vger.kernel.org/msg24239.html
>
> david
Hi David,
The original code just called free_extent_buffer(commit_root), so the bug proves that
there can still be a reference on commit_root during the period between freeing
tree roots and stopping workers.
I think we should add a parameter to free_root_pointers() to tell it not to set
root->commit_root to NULL.
If you agree on this, I can make a patch :)
(I did spend a lot of time trying to reproduce this with xfstests as you
showed, but somehow I failed; the magic is that I reproduced it while
testing the dedup patch set, lol)
thanks,
liubo