From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
"Bryant G. Ly" <bryantly@linux.vnet.ibm.com>,
Nicholas Bellinger <nab@linux-iscsi.org>,
Christoph Hellwig <hch@lst.de>
Subject: [PATCH 3.18 10/32] configfs: Fix race between create_link and configfs_rmdir
Date: Mon, 19 Jun 2017 23:20:54 +0800 [thread overview]
Message-ID: <20170619152036.225312281@linuxfoundation.org> (raw)
In-Reply-To: <20170619152035.750974520@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Nicholas Bellinger <nab@linux-iscsi.org>
commit ba80aa909c99802c428682c352b0ee0baac0acd3 upstream.
This patch closes a long standing race in configfs between
the creation of a new symlink in create_link(), while the
symlink target's config_item is being concurrently removed
via configfs_rmdir().
This can happen because the symlink target's reference
is obtained by config_item_get() in create_link() before
the CONFIGFS_USET_DROPPING bit set by configfs_detach_prep()
during configfs_rmdir() shutdown is actually checked..
This originally manifested itself on ppc64 on v4.8.y under
heavy load using ibmvscsi target ports with Novalink API:
[ 7877.289863] rpadlpar_io: slot U8247.22L.212A91A-V1-C8 added
[ 7879.893760] ------------[ cut here ]------------
[ 7879.893768] WARNING: CPU: 15 PID: 17585 at ./include/linux/kref.h:46 config_item_get+0x7c/0x90 [configfs]
[ 7879.893811] CPU: 15 PID: 17585 Comm: targetcli Tainted: G O 4.8.17-customv2.22 #12
[ 7879.893812] task: c00000018a0d3400 task.stack: c0000001f3b40000
[ 7879.893813] NIP: d000000002c664ec LR: d000000002c60980 CTR: c000000000b70870
[ 7879.893814] REGS: c0000001f3b43810 TRAP: 0700 Tainted: G O (4.8.17-customv2.22)
[ 7879.893815] MSR: 8000000000029033 <SF,EE,ME,IR,DR,RI,LE> CR: 28222242 XER: 00000000
[ 7879.893820] CFAR: d000000002c664bc SOFTE: 1
GPR00: d000000002c60980 c0000001f3b43a90 d000000002c70908 c0000000fbc06820
GPR04: c0000001ef1bd900 0000000000000004 0000000000000001 0000000000000000
GPR08: 0000000000000000 0000000000000001 d000000002c69560 d000000002c66d80
GPR12: c000000000b70870 c00000000e798700 c0000001f3b43ca0 c0000001d4949d40
GPR16: c00000014637e1c0 0000000000000000 0000000000000000 c0000000f2392940
GPR20: c0000001f3b43b98 0000000000000041 0000000000600000 0000000000000000
GPR24: fffffffffffff000 0000000000000000 d000000002c60be0 c0000001f1dac490
GPR28: 0000000000000004 0000000000000000 c0000001ef1bd900 c0000000f2392940
[ 7879.893839] NIP [d000000002c664ec] config_item_get+0x7c/0x90 [configfs]
[ 7879.893841] LR [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
[ 7879.893842] Call Trace:
[ 7879.893844] [c0000001f3b43ac0] [d000000002c60980] check_perm+0x80/0x2e0 [configfs]
[ 7879.893847] [c0000001f3b43b10] [c000000000329770] do_dentry_open+0x2c0/0x460
[ 7879.893849] [c0000001f3b43b70] [c000000000344480] path_openat+0x210/0x1490
[ 7879.893851] [c0000001f3b43c80] [c00000000034708c] do_filp_open+0xfc/0x170
[ 7879.893853] [c0000001f3b43db0] [c00000000032b5bc] do_sys_open+0x1cc/0x390
[ 7879.893856] [c0000001f3b43e30] [c000000000009584] system_call+0x38/0xec
[ 7879.893856] Instruction dump:
[ 7879.893858] 409d0014 38210030 e8010010 7c0803a6 4e800020 3d220000 e94981e0 892a0000
[ 7879.893861] 2f890000 409effe0 39200001 992a0000 <0fe00000> 4bffffd0 60000000 60000000
[ 7879.893866] ---[ end trace 14078f0b3b5ad0aa ]---
To close this race, go ahead and obtain the symlink's target
config_item reference only after the existing CONFIGFS_USET_DROPPING
check succeeds.
This way, if configfs_rmdir() wins create_link() will return -ENONET,
and if create_link() wins configfs_rmdir() will return -EBUSY.
Reported-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Tested-by: Bryant G. Ly <bryantly@linux.vnet.ibm.com>
Signed-off-by: Nicholas Bellinger <nab@linux-iscsi.org>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/configfs/symlink.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- a/fs/configfs/symlink.c
+++ b/fs/configfs/symlink.c
@@ -83,14 +83,13 @@ static int create_link(struct config_ite
ret = -ENOMEM;
sl = kmalloc(sizeof(struct configfs_symlink), GFP_KERNEL);
if (sl) {
- sl->sl_target = config_item_get(item);
spin_lock(&configfs_dirent_lock);
if (target_sd->s_type & CONFIGFS_USET_DROPPING) {
spin_unlock(&configfs_dirent_lock);
- config_item_put(item);
kfree(sl);
return -ENOENT;
}
+ sl->sl_target = config_item_get(item);
list_add(&sl->sl_list, &target_sd->s_links);
spin_unlock(&configfs_dirent_lock);
ret = configfs_create_link(sl, parent_item->ci_dentry,
next prev parent reply other threads:[~2017-06-19 15:33 UTC|newest]
Thread overview: 37+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-06-19 15:20 [PATCH 3.18 00/32] 3.18.58-stable review Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 01/32] s390/vmem: fix identity mapping Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 02/32] partitions/msdos: FreeBSD UFS2 file systems are not recognized Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 03/32] Call echo service immediately after socket reconnect Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 04/32] net: xilinx_emaclite: fix freezes due to unordered I/O Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 05/32] net: xilinx_emaclite: fix receive buffer overflow Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 06/32] ipv6: Handle IPv4-mapped src to in6addr_any dst Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 07/32] ipv6: Inhibit IPv4-mapped src address on the wire Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 08/32] log2: make order_base_2() behave correctly on const input value zero Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 09/32] sparc64: make string buffers large enough Greg Kroah-Hartman
2017-06-19 15:20 ` Greg Kroah-Hartman [this message]
2017-06-19 15:20 ` [PATCH 3.18 11/32] can: gs_usb: fix memory leak in gs_cmd_reset() Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 13/32] [media] vb2: Fix an off by one error in vb2_plane_vaddr Greg Kroah-Hartman
2017-06-19 15:20 ` [PATCH 3.18 14/32] mac80211: dont look at the PM bit of BAR frames Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 16/32] x86/mm/32: Set the __vmalloc_start_set flag in initmem_init() Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 17/32] mfd: omap-usb-tll: Fix inverted bit use for USB TLL mode Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 18/32] staging: rtl8188eu: prevent an underflow in rtw_check_beacon_data() Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 19/32] iio: proximity: as3935: recalibrate RCO after resume Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 20/32] USB: hub: fix SS max number of ports Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 21/32] usb: core: fix potential memory leak in error path during hcd creation Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 22/32] [media] pvrusb2: reduce stack usage pvr2_eeprom_analyze() Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 23/32] USB: gadget: dummy_hcd: fix hub-descriptor removable fields Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 24/32] usb: r8a66597-hcd: select a different endpoint on timeout Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 25/32] usb: r8a66597-hcd: decrease timeout Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 26/32] drivers/misc/c2port/c2port-duramar2150.c: checking for NULL instead of IS_ERR() Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 27/32] usb: xhci: ASMedia ASM1042A chipset need shorts TX quirk Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 28/32] mm/memory-failure.c: use compound_head() flags for huge pages Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 29/32] swap: cond_resched in swap_cgroup_prepare() Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 30/32] genirq: Release resources in __setup_irq() error path Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 31/32] alarmtimer: Rate limit periodic intervals Greg Kroah-Hartman
2017-06-19 15:21 ` [PATCH 3.18 32/32] mm: larger stack guard gap, between vmas Greg Kroah-Hartman
2017-06-21 5:49 ` Hugh Dickins
2017-06-21 5:59 ` Willy Tarreau
2017-06-21 6:10 ` Hugh Dickins
2017-06-21 7:24 ` Willy Tarreau
2017-06-24 15:04 ` Greg Kroah-Hartman
2017-06-19 22:47 ` [PATCH 3.18 00/32] 3.18.58-stable review Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170619152036.225312281@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=bryantly@linux.vnet.ibm.com \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=nab@linux-iscsi.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox