From: "Darrick J. Wong" <djwong@kernel.org>
To: Dave Chinner <david@fromorbit.com>
Cc: linux-xfs@vger.kernel.org
Subject: Re: [PATCH 4/7] xfs: prevent UAF in xfs_log_item_in_current_chkpt
Date: Thu, 16 Dec 2021 08:35:31 -0800 [thread overview]
Message-ID: <20211216163531.GB27664@magnolia> (raw)
In-Reply-To: <20211216043607.GW449541@dread.disaster.area>
On Thu, Dec 16, 2021 at 03:36:07PM +1100, Dave Chinner wrote:
> On Wed, Dec 15, 2021 at 05:09:37PM -0800, Darrick J. Wong wrote:
> > From: Darrick J. Wong <djwong@kernel.org>
> >
> > While I was running with KASAN and lockdep enabled, I stumbled upon an
> > KASAN report about a UAF to a freed CIL checkpoint. Looking at the
> > comment for xfs_log_item_in_current_chkpt, it seems pretty obvious to me
> > that the original patch to xfs_defer_finish_noroll should have done
> > something to lock the CIL to prevent it from switching the CIL contexts
> > while the predicate runs.
> >
> > For upper level code that needs to know if a given log item is new
> > enough not to need relogging, add a new wrapper that takes the CIL
> > context lock long enough to sample the current CIL context. This is
> > kind of racy in that the CIL can switch the contexts immediately after
> > sampling, but that's ok because the consequence is that the defer ops
> > code is a little slow to relog items.
> >
>
> I see the problem, but I don't think this is the right way to fix
> it. The CIL context lock is already a major contention point in the
> transaction commit code when it is only taken once per
> xfs_trans_commit() call. If we now potentially take it once per
> intent item per xfs_trans_commit() call, we're going to make the
> contention even worse than it already is.
>
> The current sequence is always available from the CIL itself via
> cil->xc_current_sequence, and we can read that without needing any
> locking to provide existence guarantees of the CIL structure.
>
> So....
>
> bool
> xfs_log_item_in_current_chkpt(
> struct xfs_log_item *lip)
> {
> struct xfs_cil *cil = lip->li_mountp->m_log->l_cilp;
>
> if (list_empty(&lip->li_cil))
> return false;
>
> /*
> * li_seq is written on the first commit of a log item to record the
> * first checkpoint it is written to. Hence if it is different to the
> * current sequence, we're in a new checkpoint.
> */
> return lip->li_seq == READ_ONCE(cil->xc_current_sequence);
Ooh, much better!
--D
> }
>
> Cheers,
>
> Dave.
> --
> Dave Chinner
> david@fromorbit.com
next prev parent reply other threads:[~2021-12-16 16:35 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-12-16 1:09 [PATCHSET 0/7] xfs: random fixes for 5.17 Darrick J. Wong
2021-12-16 1:09 ` [PATCH 1/7] xfs: take the ILOCK when accessing the inode core Darrick J. Wong
2021-12-16 4:56 ` Dave Chinner
2021-12-17 18:59 ` Darrick J. Wong
2021-12-21 1:08 ` Darrick J. Wong
2021-12-21 5:10 ` Dave Chinner
2022-01-04 1:19 ` Darrick J. Wong
2022-01-05 0:09 ` Dave Chinner
2022-01-05 1:38 ` Darrick J. Wong
2021-12-16 1:09 ` [PATCH 2/7] xfs: shut down filesystem if we xfs_trans_cancel with deferred work items Darrick J. Wong
2021-12-16 4:57 ` Dave Chinner
2021-12-24 7:16 ` Christoph Hellwig
2021-12-16 1:09 ` [PATCH 3/7] xfs: fix a bug in the online fsck directory leaf1 bestcount check Darrick J. Wong
2021-12-16 5:05 ` Dave Chinner
2021-12-16 19:25 ` Darrick J. Wong
2021-12-16 21:17 ` Dave Chinner
2021-12-16 21:40 ` Darrick J. Wong
2021-12-16 22:04 ` Dave Chinner
2021-12-24 7:17 ` Christoph Hellwig
2021-12-16 1:09 ` [PATCH 4/7] xfs: prevent UAF in xfs_log_item_in_current_chkpt Darrick J. Wong
2021-12-16 4:36 ` Dave Chinner
2021-12-16 16:35 ` Darrick J. Wong [this message]
2021-12-16 1:09 ` [PATCH 5/7] xfs: fix quotaoff mutex usage now that we don't support disabling it Darrick J. Wong
2021-12-16 5:07 ` Dave Chinner
2021-12-24 7:17 ` Christoph Hellwig
2021-12-16 1:09 ` [PATCH 6/7] xfs: don't expose internal symlink metadata buffers to the vfs Darrick J. Wong
2021-12-16 5:11 ` Dave Chinner
2021-12-17 2:58 ` Ian Kent
2021-12-24 7:22 ` Christoph Hellwig
2021-12-16 1:09 ` [PATCH 7/7] xfs: only run COW extent recovery when there are no live extents Darrick J. Wong
2021-12-16 4:41 ` Dave Chinner
2021-12-24 7:18 ` Christoph Hellwig
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20211216163531.GB27664@magnolia \
--to=djwong@kernel.org \
--cc=david@fromorbit.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox