From: Dave Chinner <david@fromorbit.com>
To: xfs@oss.sgi.com
Subject: [PATCH 03/11] xfs: synchronous buffer IO needs a reference
Date: Thu, 25 Sep 2014 22:34:13 +1000 [thread overview]
Message-ID: <1411648461-29003-4-git-send-email-david@fromorbit.com> (raw)
In-Reply-To: <1411648461-29003-1-git-send-email-david@fromorbit.com>
From: Dave Chinner <dchinner@redhat.com>
When synchronous IO runs IO completion work, it does so without an
IO reference or a hold reference on the buffer. The IO "hold
reference" is owned by the submitter, and released when the
submission is complete. The IO reference is released when both the
submitter and the bio end_io processing is run, and so if the io
completion work is run from IO completion context, it is run without
an IO reference.
Hence we can get the situation where the submitter can submit the
IO, see an error on the buffer and unlock and free the buffer while
there is still IO in progress. This leads to use-after-free and
memory corruption.
Fix this by taking a "sync IO hold" reference that is owned by the
IO and not released until after the buffer completion calls are run
to wake up synchronous waiters. This means that the buffer will not
be freed in any circumstance until all IO processing is completed.
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
---
fs/xfs/xfs_buf.c | 51 ++++++++++++++++++++++++++++++++++++++++++---------
1 file changed, 42 insertions(+), 9 deletions(-)
diff --git a/fs/xfs/xfs_buf.c b/fs/xfs/xfs_buf.c
index f1bd238..5d8d2e1 100644
--- a/fs/xfs/xfs_buf.c
+++ b/fs/xfs/xfs_buf.c
@@ -1019,6 +1019,9 @@ xfs_buf_iodone_work(
else {
ASSERT(read && bp->b_ops);
complete(&bp->b_iowait);
+
+ /* release the !XBF_ASYNC ref now we are done. */
+ xfs_buf_rele(bp);
}
}
@@ -1044,6 +1047,7 @@ xfs_buf_ioend(
} else {
bp->b_flags &= ~(XBF_READ | XBF_WRITE | XBF_READ_AHEAD);
complete(&bp->b_iowait);
+ xfs_buf_rele(bp);
}
}
@@ -1086,8 +1090,11 @@ xfs_bioerror(
xfs_buf_ioerror(bp, -EIO);
/*
- * We're calling xfs_buf_ioend, so delete XBF_DONE flag.
+ * We're calling xfs_buf_ioend, so delete XBF_DONE flag. For
+ * sync IO, xfs_buf_ioend is going to remove a ref here.
*/
+ if (!(bp->b_flags & XBF_ASYNC))
+ xfs_buf_hold(bp);
XFS_BUF_UNREAD(bp);
XFS_BUF_UNDONE(bp);
xfs_buf_stale(bp);
@@ -1383,22 +1390,48 @@ xfs_buf_iorequest(
if (bp->b_flags & XBF_WRITE)
xfs_buf_wait_unpin(bp);
+
+ /*
+ * Take references to the buffer. For XBF_ASYNC buffers, holding a
+ * reference for as long as submission takes is all that is necessary
+ * here. The IO inherits the lock and hold count from the submitter,
+ * and these are release during IO completion processing. Taking a hold
+ * over submission ensures that the buffer is not freed until we have
+ * completed all processing, regardless of when IO errors occur or are
+ * reported.
+ *
+ * However, for synchronous IO, the IO does not inherit the submitters
+ * reference count, nor the buffer lock. Hence we need to take an extra
+ * reference to the buffer for the for the IO context so that we can
+ * guarantee the buffer is not freed until all IO completion processing
+ * is done. Otherwise the caller can drop their reference while the IO
+ * is still in progress and hence trigger a use-after-free situation.
+ */
xfs_buf_hold(bp);
+ if (!(bp->b_flags & XBF_ASYNC))
+ xfs_buf_hold(bp);
+
/*
- * Set the count to 1 initially, this will stop an I/O
- * completion callout which happens before we have started
- * all the I/O from calling xfs_buf_ioend too early.
+ * Set the count to 1 initially, this will stop an I/O completion
+ * callout which happens before we have started all the I/O from calling
+ * xfs_buf_ioend too early.
*/
atomic_set(&bp->b_io_remaining, 1);
_xfs_buf_ioapply(bp);
+
/*
- * If _xfs_buf_ioapply failed, we'll get back here with
- * only the reference we took above. _xfs_buf_ioend will
- * drop it to zero, so we'd better not queue it for later,
- * or we'll free it before it's done.
+ * If _xfs_buf_ioapply failed or we are doing synchronous IO that
+ * completes extremely quickly, we can get back here with only the IO
+ * reference we took above. _xfs_buf_ioend will drop it to zero. Run
+ * completion processing synchronously so that we don't return to the
+ * caller with completion still pending. This avoids unnecessary context
+ * switches associated with the end_io workqueue.
*/
- _xfs_buf_ioend(bp, bp->b_error ? 0 : 1);
+ if (bp->b_error || !(bp->b_flags & XBF_ASYNC))
+ _xfs_buf_ioend(bp, 0);
+ else
+ _xfs_buf_ioend(bp, 1);
xfs_buf_rele(bp);
}
--
2.0.0
_______________________________________________
xfs mailing list
xfs@oss.sgi.com
http://oss.sgi.com/mailman/listinfo/xfs
next prev parent reply other threads:[~2014-09-25 12:34 UTC|newest]
Thread overview: 27+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-09-25 12:34 [PATCH 00/11 v2] xfs: clean up xfs_buf io interfaces Dave Chinner
2014-09-25 12:34 ` [PATCH 01/11] xfs: force the log before shutting down Dave Chinner
2014-09-26 10:37 ` Christoph Hellwig
2014-09-25 12:34 ` [PATCH 02/11] xfs: Don't use xfs_buf_iowait in the delwri buffer code Dave Chinner
2014-09-25 16:19 ` Christoph Hellwig
2014-09-25 12:34 ` Dave Chinner [this message]
2014-09-26 10:11 ` [PATCH 03/11] xfs: synchronous buffer IO needs a reference Christoph Hellwig
2014-09-25 12:34 ` [PATCH 04/11] xfs: xfs_buf_ioend and xfs_buf_iodone_work duplicate functionality Dave Chinner
2014-09-26 10:14 ` Christoph Hellwig
2014-09-25 12:34 ` [PATCH 05/11] xfs: rework xfs_buf_bio_endio error handling Dave Chinner
2014-09-26 10:15 ` Christoph Hellwig
2014-09-25 12:34 ` [PATCH 06/11] xfs: kill xfs_bdstrat_cb Dave Chinner
2014-09-25 12:34 ` [PATCH 07/11] xfs: xfs_bioerror can die Dave Chinner
2014-09-26 10:16 ` Christoph Hellwig
2014-09-25 12:34 ` [PATCH 08/11] xfs: kill xfs_bioerror_relse Dave Chinner
2014-09-26 10:18 ` Christoph Hellwig
2014-09-29 19:09 ` Brian Foster
2014-09-25 12:34 ` [PATCH 09/11] xfs: introduce xfs_buf_submit[_wait] Dave Chinner
2014-09-26 12:33 ` Christoph Hellwig
2014-10-01 23:03 ` Dave Chinner
2014-09-25 12:34 ` [PATCH 10/11] xfs: check xfs_buf_read_uncached returns correctly Dave Chinner
2014-09-26 10:21 ` Christoph Hellwig
2014-09-26 23:20 ` [PATCH 10/11 v2] " Dave Chinner
2014-09-29 10:40 ` Christoph Hellwig
2014-09-25 12:34 ` [PATCH 11/11] xfs: simplify xfs_zero_remaining_bytes Dave Chinner
2014-09-26 10:22 ` Christoph Hellwig
2014-09-29 19:09 ` Brian Foster
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1411648461-29003-4-git-send-email-david@fromorbit.com \
--to=david@fromorbit.com \
--cc=xfs@oss.sgi.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox