From: NeilBrown <neilb@suse.de>
To: Yihao Wu <wuyihao@linux.alibaba.com>,
"J . Bruce Fields" <bfields@fieldses.org>,
Chuck Lever <chuck.lever@oracle.com>
Cc: linux-nfs@vger.kernel.org
Subject: Re: [PATCH] nfsd: fix race between cache_clean and cache_purge
Date: Wed, 25 Mar 2020 10:07:14 +1100 [thread overview]
Message-ID: <87369x8i8t.fsf@notabene.neil.brown.name> (raw)
In-Reply-To: <5eed50660eb13326b0fbf537fb58481ea53c1acb.1585043174.git.wuyihao@linux.alibaba.com>
[-- Attachment #1: Type: text/plain, Size: 6144 bytes --]
On Tue, Mar 24 2020, Yihao Wu wrote:
> cache_purge should hold cache_list_lock as cache_clean does. Otherwise a cache
> can be cache_put twice, which leads to a use-after-free bug.
>
> To reproduce, run ltp. It happens rarely. /opt/ltp/runltp run -f net.nfs
>
> [14454.137661] ==================================================================
> [14454.138863] BUG: KASAN: use-after-free in cache_purge+0xce/0x160 [sunrpc]
> [14454.139822] Read of size 4 at addr ffff8883d484d560 by task nfsd/31993
> [14454.140746]
> [14454.140995] CPU: 1 PID: 31993 Comm: nfsd Kdump: loaded Not tainted 4.19.91-0.229.git.87bac30.al7.x86_64.debug #1
> [14454.141002] Call Trace:
> [14454.141014] dump_stack+0xaf/0xfb[14454.141027] print_address_description+0x6a/0x2a0
> [14454.141037] kasan_report+0x166/0x2b0[14454.141057] ? cache_purge+0xce/0x160 [sunrpc]
> [14454.141079] cache_purge+0xce/0x160 [sunrpc]
> [14454.141099] nfsd_last_thread+0x267/0x270 [nfsd][14454.141109] ? nfsd_last_thread+0x5/0x270 [nfsd]
> [14454.141130] nfsd_destroy+0xcb/0x180 [nfsd]
> [14454.141140] ? nfsd_destroy+0x5/0x180 [nfsd]
> [14454.141153] nfsd+0x1e4/0x2b0 [nfsd]
> [14454.141163] ? nfsd+0x5/0x2b0 [nfsd]
> [14454.141173] kthread+0x114/0x150
> [14454.141183] ? nfsd_destroy+0x180/0x180 [nfsd]
> [14454.141187] ? kthread_park+0xb0/0xb0
> [14454.141197] ret_from_fork+0x3a/0x50
> [14454.141224]
> [14454.141475] Allocated by task 20918:
> [14454.142011] kmem_cache_alloc_trace+0x9f/0x2e0
> [14454.142027] sunrpc_cache_lookup+0xca/0x2f0 [sunrpc]
> [14454.142037] svc_export_parse+0x1e7/0x930 [nfsd]
> [14454.142051] cache_do_downcall+0x5a/0x80 [sunrpc]
> [14454.142064] cache_downcall+0x78/0x180 [sunrpc]
> [14454.142078] cache_write_procfs+0x57/0x80 [sunrpc]
> [14454.142083] proc_reg_write+0x90/0xd0
> [14454.142088] vfs_write+0xc2/0x1c0
> [14454.142092] ksys_write+0x4d/0xd0
> [14454.142098] do_syscall_64+0x60/0x250
> [14454.142103] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [14454.142106]
> [14454.142344] Freed by task 19165:
> [14454.142804] kfree+0x114/0x300
> [14454.142819] cache_clean+0x2a4/0x2e0 [sunrpc]
> [14454.142833] cache_flush+0x24/0x60 [sunrpc]
> [14454.142845] write_flush.isra.19+0xbe/0x100 [sunrpc]
> [14454.142849] proc_reg_write+0x90/0xd0
> [14454.142853] vfs_write+0xc2/0x1c0
> [14454.142856] ksys_write+0x4d/0xd0
> [14454.142860] do_syscall_64+0x60/0x250
> [14454.142865] entry_SYSCALL_64_after_hwframe+0x49/0xbe
> [14454.142867]
> [14454.143095] The buggy address belongs to the object at ffff8883d484d540 which belongs to the cache kmalloc-256 of size 256
> [14454.144842] The buggy address is located 32 bytes inside of 256-byte region [ffff8883d484d540, ffff8883d484d640)
> [14454.146463] The buggy address belongs to the page:
> [14454.147155] page:ffffea000f521300 count:1 mapcount:0 mapping:ffff888107c02e00 index:0xffff8883d484da40 compound_map count: 0
> [14454.148712] flags: 0x17fffc00010200(slab|head)
> [14454.149356] raw: 0017fffc00010200 ffffea000f4baf00 0000000200000002 ffff888107c02e00
> [14454.150453] raw: ffff8883d484da40 0000000080190001 00000001ffffffff 0000000000000000
> [14454.151557] page dumped because: kasan: bad access detected
> [14454.152364]
> [14454.152606] Memory state around the buggy address:
> [14454.153300] ffff8883d484d400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [14454.154319] ffff8883d484d480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [14454.155324] >ffff8883d484d500: fc fc fc fc fc fc fc fc fb fb fb fb fb fb fb fb
> [14454.156334] ^
> [14454.157237] ffff8883d484d580: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [14454.158262] ffff8883d484d600: fb fb fb fb fb fb fb fb fc fc fc fc fc fc fc fc
> [14454.159282] ==================================================================
> [14454.160224] Disabling lock debugging due to kernel taint
>
> Fixes: 471a930ad7d1(SUNRPC: Drop all entries from cache_detail when cache_purge())
> Cc: stable@vger.kernel.org #v4.11+
> Signed-off-by: Yihao Wu <wuyihao@linux.alibaba.com>
> ---
> net/sunrpc/cache.c | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
> index bd843a81afa0..3e523eefc47f 100644
> --- a/net/sunrpc/cache.c
> +++ b/net/sunrpc/cache.c
> @@ -524,9 +524,11 @@ void cache_purge(struct cache_detail *detail)
> struct hlist_node *tmp = NULL;
> int i = 0;
>
> + spin_lock(&cache_list_lock);
> spin_lock(&detail->hash_lock);
> if (!detail->entries) {
> spin_unlock(&detail->hash_lock);
> + spin_unlock(&cache_list_lock);
> return;
> }
>
> @@ -541,6 +543,7 @@ void cache_purge(struct cache_detail *detail)
> }
> }
> spin_unlock(&detail->hash_lock);
> + spin_unlock(&cache_list_lock);
> }
> EXPORT_SYMBOL_GPL(cache_purge);
>
> --
> 2.20.1.2432.ga663e714
I wonder if this is the best solution.
This code:
hlist_for_each_entry_safe(ch, tmp, head, cache_list) {
sunrpc_begin_cache_remove_entry(ch, detail);
spin_unlock(&detail->hash_lock);
sunrpc_end_cache_remove_entry(ch, detail);
spin_lock(&detail->hash_lock);
}
Looks wrong.
Dropping a lock while walking a list if only safe if you hold a
reference to the place-holder - 'tmp' in this case. but we don't.
As this is trying to remove everything in the list it would be safer to
do something like
while (!hlist_empty(head)) {
ch = hlist_entry(head->first, struct cache_head, h);
sunrpc_begin_cache_remove_entry(ch, detail);
spin_unlock(&detail->hash_lock);
sunrpc_end_cache_remove_entry(ch, detail);
spin_lock(&detail->hash_lock);
}
I'm guessing that would fix the problem in a more focused.
But I'm not 100% sure because there is no analysis given of the cause.
What line is
cache_purge+0xce/0x160
./scripts/faddr2line can tell you.
I suspect it is the hlist_for_each_entry_safe() line.
Can you test the change I suggest and see if it helps?
Thanks,
NeilBrown
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 832 bytes --]
next prev parent reply other threads:[~2020-03-24 23:07 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-24 9:49 [PATCH] nfsd: fix race between cache_clean and cache_purge Yihao Wu
2020-03-24 13:38 ` Chuck Lever
2020-03-24 14:33 ` Bruce Fields
2020-03-24 14:35 ` Chuck Lever
2020-03-24 15:24 ` Trond Myklebust
2020-03-24 17:46 ` Chuck Lever
2020-03-25 6:37 ` Yihao Wu
2020-03-25 14:24 ` Chuck Lever
2020-03-25 15:14 ` Yihao Wu
2020-03-24 14:18 ` Chuck Lever
2020-03-24 14:28 ` Yihao Wu
2020-03-24 23:07 ` NeilBrown [this message]
2020-04-04 13:53 ` Yihao Wu
2020-03-25 1:01 ` Sasha Levin
2020-03-25 14:13 ` Chuck Lever
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87369x8i8t.fsf@notabene.neil.brown.name \
--to=neilb@suse.de \
--cc=bfields@fieldses.org \
--cc=chuck.lever@oracle.com \
--cc=linux-nfs@vger.kernel.org \
--cc=wuyihao@linux.alibaba.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox