From: Dave Chinner <david@fromorbit.com>
To: Chandan Rajendra <chandan@linux.vnet.ibm.com>
Cc: linux-xfs@vger.kernel.org, hch@infradead.org,
darrick.wong@oracle.com, bfoster@redhat.com
Subject: Re: [PATCH V2 2/2] xfs: Fix "use after free" of intent items
Date: Wed, 21 Feb 2018 15:01:09 +1100 [thread overview]
Message-ID: <20180221040109.GE7000@dastard> (raw)
In-Reply-To: <20180221022826.7020-2-chandan@linux.vnet.ibm.com>
On Wed, Feb 21, 2018 at 07:58:26AM +0530, Chandan Rajendra wrote:
> generic/388 can cause the following "use after free" error to occur,
>
> =============================================================================
> BUG xfs_efi_item (Not tainted): Poison overwritten
> -----------------------------------------------------------------------------
>
> Disabling lock debugging due to kernel taint
> INFO: 0x00000000292c4bd4-0x00000000292c4bd4. First byte 0x6a instead of 0x6b
> INFO: Allocated in .kmem_zone_alloc+0xcc/0x190 age=79 cpu=0 pid=12436
> .__slab_alloc+0x54/0x80
> .kmem_cache_alloc+0x124/0x350
> .kmem_zone_alloc+0xcc/0x190
> .xfs_efi_init+0x48/0xf0
> .xfs_extent_free_create_intent+0x40/0x130
> .xfs_defer_intake_work+0x74/0x1e0
> .xfs_defer_finish+0xac/0x5c0
> .xfs_itruncate_extents+0x170/0x590
> .xfs_inactive_truncate+0xcc/0x170
> .xfs_inactive+0x1d8/0x2f0
> .xfs_fs_destroy_inode+0xe4/0x3d0
> .destroy_inode+0x68/0xb0
> .do_unlinkat+0x1e8/0x390
> system_call+0x58/0x6c
> INFO: Freed in .xfs_efi_item_free+0x44/0x80 age=79 cpu=0 pid=12436
> .kmem_cache_free+0x120/0x2b0
> .xfs_efi_item_free+0x44/0x80
> .xfs_trans_free_items+0xd4/0x130
> .__xfs_trans_commit+0xd0/0x350
> .xfs_trans_roll+0x4c/0x90
> .xfs_defer_trans_roll+0xa4/0x2b0
> .xfs_defer_finish+0xb8/0x5c0
> .xfs_itruncate_extents+0x170/0x590
> .xfs_inactive_truncate+0xcc/0x170
> .xfs_inactive+0x1d8/0x2f0
> .xfs_fs_destroy_inode+0xe4/0x3d0
> .destroy_inode+0x68/0xb0
> .do_unlinkat+0x1e8/0x390
> system_call+0x58/0x6c
>
> This happens due to the following interaction,
> 1. xfs_defer_finish() creates "extent free" intent item and adds it to the
> per-transction list of log items.
> 2. xfs_defer_trans_roll() invokes __xfs_trans_commit(). Here, if the
> XFS_MOUNT_FS_SHUTDOWN flag is set, we invoke io_unlock() operation
> for each of the log items in the per-transction list. For "extent
> free" log items xfs_efi_item_unlock() gets invoked which then frees
> the xfs_efi_log_item.
Isn't this the problem? i.e. it's freeing the EFI item because the
abort flag is set, but there are still other references to it? Isn't
this wrong now that we have a cleanup function that will free the
EFI is the commit fails? i.e: this ....
> 3. xfs_defer_trans_roll() then invokes xfs_defer_trans_abort(). Since the
> xfs_defer_pending->dfp_intent is still set to the "extent free" intent
> item, we invoke xfs_extent_free_abort_intent(). This accesses the
> previously freed xfs_efi_log_item to decrement the ref count.
... will free the EFI correctly on transaction commit failure and so
we should be able to remove the "free immediately" hack from the
iop_unlock() code that we used to need because there was no external
reference that could free the EFI on commit failure....
> This commit fixes the bug by invoking xfs_defer_trans_abort() only when
> the log items in the per-transaction list have been committed to the
> CIL. The log item "committed" status is being tracked by
> xfs_defer_ops->dop_committed. This was the behaviour prior to commit
> 3ab78df2a59a485f479d26852a060acfd8c4ecd7 (xfs: rework xfs_bmap_free
> callers to use xfs_defer_ops).
Freeing in ->iop_unlock was always troublesome. We should get
rid of it, not go back to it.
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
next prev parent reply other threads:[~2018-02-21 4:01 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-02-21 2:28 [PATCH V2 1/2] xfs: Remove "committed" argument of xfs_dir_ialloc Chandan Rajendra
2018-02-21 2:28 ` [PATCH V2 2/2] xfs: Fix "use after free" of intent items Chandan Rajendra
2018-02-21 4:01 ` Dave Chinner [this message]
2018-02-21 5:45 ` Chandan Rajendra
2018-02-21 21:04 ` Dave Chinner
2018-02-22 2:41 ` Chandan Rajendra
2018-04-02 22:50 ` [PATCH V2 1/2] xfs: Remove "committed" argument of xfs_dir_ialloc Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180221040109.GE7000@dastard \
--to=david@fromorbit.com \
--cc=bfoster@redhat.com \
--cc=chandan@linux.vnet.ibm.com \
--cc=darrick.wong@oracle.com \
--cc=hch@infradead.org \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).