From: Dave Chinner <david@fromorbit.com>
To: "yukuai (C)" <yukuai3@huawei.com>
Cc: darrick.wong@oracle.com, linux-xfs@vger.kernel.org,
linux-kernel@vger.kernel.org, yi.zhang@huawei.com
Subject: Re: [RFC PATCH] fix use after free in xlog_wait()
Date: Thu, 11 Jun 2020 15:05:48 +1000
Message-ID: <20200611050548.GS2040@dread.disaster.area>
In-Reply-To: <c07ba74e-81a4-2060-db82-8d11c6400be8@huawei.com>
On Thu, Jun 11, 2020 at 11:01:38AM +0800, yukuai (C) wrote:
> On 2020/6/11 10:28, Dave Chinner wrote
> > Actually, it's a lot simpler:
> >
> > thread1                         thread2
> >
> > __xfs_trans_commit
> >   xfs_log_commit_cil
> >     xlog_wait
> >       schedule
> >                                 xlog_cil_push_work
> >                                   wake_up_all
> >                                   <shutdown aborts commit>
> >                                   xlog_cil_committed
> >                                     kmem_free
> >
> >     remove_wait_queue
> >       spin_lock_irqsave --> UAF
> >
>
> It's true in this case, however, I got another result when I
> tried to reproduce it, which seems 'ctx' can be freed in a
> different path:
Yup, it's effectively the same thing because of the nature of the IO
failures (generated at submit time) and scheduler behaviour of
workqueues. This means the IO completion that processes the error
is queued to a workqueue on the same CPU. When thread 2 finishes
running (it hasn't seen an error yet) the completion work will
get scheduled ahead of thread1 (cpu bound kernel task vs unbound
user task). The completion work then runs the shutdown because it
saw a log IO error and because it's the commit record bio it runs
the journal checkpoint completion to abort all the items attached to
it and free the CIL context. Then thread 1 runs again.
The only difference between the two cases is which IO of the CIL
commit the request was failed on....
Cheers,
Dave.
--
Dave Chinner
david@fromorbit.com
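The interleaving in Dave's diagram, replayed as an added single-threaded C model. This is not kernel code and not part of the thread: the wait queue head, the waiter, the wake-up and the context free are reduced to a few lines so the order of events can be stepped through deterministically, and "freed" memory is tracked with a flag instead of a real allocator so the stale touch is reported rather than crashing. `replay_race(true)` embeds the wait queue in the per-checkpoint context, the layout the diagram describes; `replay_race(false)` embeds it in the long-lived CIL structure, which is one general way to remove this class of race (a waiter may only touch a wait queue head whose owner outlives every waiter). The struct and function names in the model are assumptions, not the actual XFS definitions.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* A wait-queue entry: a link plus a "woken" flag (model, not the kernel's). */
struct wait_entry {
    struct wait_entry *next;
    bool woken;
};

/* A wait queue head. owner_freed points at the "freed" flag of the object
 * that embeds this queue, so a lock on a freed owner can be detected. */
struct wait_queue {
    const bool *owner_freed;
    struct wait_entry *head;
};

/* Set whenever a wait queue is locked after its owner has been freed. */
static bool uaf_detected;

static void wq_init(struct wait_queue *wq, const bool *owner_freed)
{
    wq->owner_freed = owner_freed;
    wq->head = NULL;
}

/* Models spin_lock_irqsave(&wq->lock): in the kernel this is the first
 * touch of the (possibly already freed) memory. */
static void wq_lock(struct wait_queue *wq)
{
    if (*wq->owner_freed)
        uaf_detected = true;
}

static void add_wait_queue(struct wait_queue *wq, struct wait_entry *e)
{
    wq_lock(wq);
    e->woken = false;
    e->next = wq->head;
    wq->head = e;
}

static void remove_wait_queue(struct wait_queue *wq, struct wait_entry *e)
{
    struct wait_entry **pp;

    wq_lock(wq);
    for (pp = &wq->head; *pp; pp = &(*pp)->next) {
        if (*pp == e) {
            *pp = e->next;
            break;
        }
    }
}

/* Marks every waiter woken but leaves the entries linked, as a plain
 * DECLARE_WAITQUEUE waiter is: the waiter unlinks itself after schedule(). */
static int wake_up_all(struct wait_queue *wq)
{
    int n = 0;

    wq_lock(wq);
    for (struct wait_entry *e = wq->head; e; e = e->next) {
        e->woken = true;
        n++;
    }
    return n;
}

/* Per-checkpoint context (assumed name), freed on shutdown. */
struct cil_ctx {
    bool freed;
    struct wait_queue push_wait;    /* layout that allows the UAF */
};

/* The CIL itself (assumed name), which outlives every checkpoint context. */
struct cil {
    bool freed;
    struct wait_queue xc_push_wait; /* layout that avoids the UAF */
    struct cil_ctx *xc_ctx;
};

/* Models kmem_free(ctx): storage is kept so the model can read the flag,
 * but any later lock through a wait queue inside it is flagged as a UAF. */
static void model_kmem_free(struct cil_ctx *ctx)
{
    ctx->freed = true;
}

/* Replays the diagram. Returns 1 if the waiter touched freed memory,
 * 0 if the replay was clean, -1 if the model itself misbehaved. */
int replay_race(bool wq_in_ctx)
{
    struct cil cil = { .freed = false };
    struct cil_ctx *ctx = calloc(1, sizeof(*ctx));
    struct wait_entry waiter;
    struct wait_queue *wq;
    int woken;

    if (!ctx)
        return -1;
    wq_init(&cil.xc_push_wait, &cil.freed);
    wq_init(&ctx->push_wait, &ctx->freed);
    cil.xc_ctx = ctx;
    wq = wq_in_ctx ? &ctx->push_wait : &cil.xc_push_wait;
    uaf_detected = false;

    /* thread1: xlog_wait() enqueues itself, then schedule() switches away */
    add_wait_queue(wq, &waiter);

    /* thread2: the push work wakes waiters, then the shutdown path
     * (xlog_cil_committed) frees the context before thread1 runs again */
    woken = wake_up_all(wq);
    model_kmem_free(ctx);

    /* thread1 resumes: remove_wait_queue() locks the wait queue head,
     * the "spin_lock_irqsave --> UAF" step of the diagram */
    remove_wait_queue(wq, &waiter);

    free(ctx);
    if (woken != 1 || !waiter.woken)
        return -1;
    return uaf_detected ? 1 : 0;
}
```

The only difference between the two runs is which object owns the wait queue head; the waiter's code path is identical. That is the property to check when reviewing any `xlog_wait()`-style sleep: the wakeup side must not be able to free the head before the sleeper has run `remove_wait_queue()`.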
Thread overview:
2020-06-11 1:39 [RFC PATCH] fix use after free in xlog_wait() Yu Kuai
2020-06-11 2:28 ` Dave Chinner
2020-06-11 2:45 ` [PATCH] xfs: fix use-after-free on CIL context on shutdown Dave Chinner
2020-06-11 15:11 ` Brian Foster
2020-06-16 1:16 ` yukuai (C)
2020-06-16 2:38 ` Dave Chinner
2020-06-19 13:46 ` Christoph Hellwig
2020-06-11 3:01 ` [RFC PATCH] fix use after free in xlog_wait() yukuai (C)
2020-06-11 5:05 ` Dave Chinner [this message]