From: Eryu Guan <guaneryu@gmail.com>
To: Brian Foster <bfoster@redhat.com>
Cc: fstests@vger.kernel.org, linux-xfs@vger.kernel.org
Subject: Re: [PATCH] tests/xfs: filestream allocator inode use-after-free test
Date: Thu, 26 Apr 2018 10:01:07 +0800
Message-ID: <20180426020107.GI11384@desktop>
In-Reply-To: <20180426015456.GH11384@desktop>
On Thu, Apr 26, 2018 at 09:54:56AM +0800, Eryu Guan wrote:
> On Wed, Apr 25, 2018 at 07:53:41AM -0400, Brian Foster wrote:
> > On Wed, Apr 25, 2018 at 11:22:21AM +0800, Eryu Guan wrote:
> > > On Fri, Apr 06, 2018 at 10:18:15AM -0400, Brian Foster wrote:
> > > > The XFS filestreams allocator caches dir inode -> agno mappings in
> > > > an MRU mechanism that holds elements in memory for an amount of time
> > > > and then cleans up expired elements in the background. The elements
> > > > typically held inode pointers without holding a reference to the
> > > > associated inode. This means that if the inode is reclaimed before
> > > > an expired entry is cleaned up, the MRU reaper can access freed
> > > > memory and cause a panic.
> > > >
> > > > Test for this problem by performing continuous filestreams
> > > > allocations under short-lived parent directory inodes. This will
> > > > produce KASAN use-after-free splats if enabled during the test.
> > > >
> > > > Signed-off-by: Brian Foster <bfoster@redhat.com>
> > > > ---
> > > >
> > > > This test reproduces the problem described in this[1] thread. It's
> > > > XFS-specific because of the filestream option and specific geometry used
> > > > to format the scratch device.
> > > >
> > > > Brian
> > > >
> > > > [1] https://marc.info/?l=linux-xfs&m=152293031029161&w=2
> > >
> > > From the above thread, it seems that we don't need the kernel change
> > > anymore, and the test itself would trigger a dmesg check failure when
> > > testing on a kernel with KASAN enabled, right?
> > >
> >
> > Yep...
> >
> > > But I've looped the test 200 times and it all passed without
> > > triggering any KASAN warnings; the kernel is v4.17-rc2.
> > >
> >
> > The kernel fix ended up being a patch from Christoph. It looks like it
> > made it into v4.17-rc1 as commit 7fcd3efa1e ("xfs: remove filestream
> > item xfs_inode reference"). Could you perhaps try an older kernel or one
> > with that patch reverted?
>
> Sure, I'll try reverting that patch.
Yeah, I hit the KASAN warning quite quickly after reverting that patch.
Thanks!
Eryu
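The bug class the quoted patch description is exercising (an MRU cache item that keeps a raw pointer to an inode without holding a reference, so the background reaper can touch memory that inode reclaim has already freed) can be modelled without any kernel code. The C program below is an added illustration written for this page; it is not XFS code, not the fstests test, and not Christoph's fix. All names (`fake_inode`, `fsitem_ptr`, `fsitem_key`, `run_scenario`) are hypothetical. It stands in for inode reclaim with a pool whose slots are flagged as reclaimed rather than passed to free(), so the dangling access becomes a deterministic count instead of undefined behaviour, and it places the pointer-carrying item shape beside the key-only shape that the kernel fix's title ("remove filestream item xfs_inode reference") describes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-in for in-core inodes: a fixed pool whose slots are
 * "reclaimed" by clearing a flag rather than by free(), so a dangling
 * access is observable. Hypothetical names; nothing here is XFS code. */
#define POOL_SIZE 8
struct fake_inode {
    uint64_t ino;
    bool     in_use;   /* false once the slot has been reclaimed */
};
static struct fake_inode pool[POOL_SIZE];

static struct fake_inode *inode_get(uint64_t ino)
{
    for (size_t i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {          /* first free slot, like a slab reusing memory */
            pool[i].ino = ino;
            pool[i].in_use = true;
            return &pool[i];
        }
    }
    return NULL;
}

static void inode_reclaim(struct fake_inode *ip) { ip->in_use = false; }

/* Buggy item shape: raw inode pointer, no reference held. */
struct fsitem_ptr {
    struct fake_inode *ip;
    uint32_t agno;
};

/* Hardened item shape: only the inode number and the allocation group. */
struct fsitem_key {
    uint64_t ino;
    uint32_t agno;
    bool     valid;
};

#define MRU_SLOTS 4

/* Reaper for pointer-carrying items. Returns how many expired items point
 * at an already-reclaimed inode; on real memory each would be a
 * use-after-free read, which is what KASAN flags. */
static int reap_ptr_items(struct fsitem_ptr *items, size_t n)
{
    int dangling = 0;
    for (size_t i = 0; i < n; i++) {
        if (items[i].ip == NULL)
            continue;
        if (!items[i].ip->in_use)
            dangling++;
        items[i].ip = NULL;
    }
    return dangling;
}

/* Reaper for key-only items: nothing to dereference, nothing can dangle. */
static int reap_key_items(struct fsitem_key *items, size_t n)
{
    for (size_t i = 0; i < n; i++)
        items[i].valid = false;
    return 0;
}

/* Scenario mirroring the test's idea: allocations under short-lived parent
 * directories populate the MRU, every parent is reclaimed before its entry
 * expires, then the reaper runs. Returns the number of dangling accesses. */
int run_scenario(bool pointer_items)
{
    struct fsitem_ptr pitems[MRU_SLOTS] = {0};
    struct fsitem_key kitems[MRU_SLOTS] = {0};

    for (size_t i = 0; i < POOL_SIZE; i++)
        pool[i].in_use = false;

    for (uint32_t i = 0; i < MRU_SLOTS; i++) {
        struct fake_inode *dir = inode_get(1000 + i);   /* short-lived parent dir */
        if (dir == NULL)
            break;
        uint32_t agno = i % 2;                          /* constructed AG choice */
        if (pointer_items)
            pitems[i] = (struct fsitem_ptr){ .ip = dir, .agno = agno };
        else
            kitems[i] = (struct fsitem_key){ .ino = dir->ino, .agno = agno, .valid = true };
        inode_reclaim(dir);   /* parent goes away before the MRU entry expires */
    }

    return pointer_items ? reap_ptr_items(pitems, MRU_SLOTS)
                         : reap_key_items(kitems, MRU_SLOTS);
}

int main(void)
{
    printf("pointer items:  %d dangling accesses\n", run_scenario(true));
    printf("key-only items: %d dangling accesses\n", run_scenario(false));
    return 0;
}
```

With pointer items every cached entry ends up pointing at a pool slot that has been reclaimed (and, because the pool recycles the first free slot, reused), so the reaper reports four dangling accesses; with key-only items it reports none. The same property is what lets a key-based lookup miss safely once the parent is gone, instead of following a stale pointer.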