From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Jianhong Yin <jiyin@redhat.com>,
David Howells <dhowells@redhat.com>,
Jeff Layton <jlayton@redhat.com>,
Steve Dickson <steved@redhat.com>,
Al Viro <viro@zeniv.linux.org.uk>
Subject: [PATCH 4.7 44/45] cachefiles: Fix attempt to read i_blocks after deleting file [ver #2]
Date: Fri, 21 Oct 2016 11:18:04 +0200 [thread overview]
Message-ID: <20161021091429.590024467@linuxfoundation.org> (raw)
In-Reply-To: <20161021091427.214431885@linuxfoundation.org>
4.7-stable review patch. If anyone has any objections, please let me know.
------------------
From: David Howells <dhowells@redhat.com>
commit a818101d7b92e76db2f9a597e4830734767473b9 upstream.
An NULL-pointer dereference happens in cachefiles_mark_object_inactive()
when it tries to read i_blocks so that it can tell the cachefilesd daemon
how much space it's making available.
The problem is that cachefiles_drop_object() calls
cachefiles_mark_object_inactive() after calling cachefiles_delete_object()
because the object being marked active staves off attempts to (re-)use the
file at that filename until after it has been deleted. This means that
d_inode is NULL by the time we come to try to access it.
To fix the problem, have the caller of cachefiles_mark_object_inactive()
supply the number of blocks freed up.
Without this, the following oops may occur:
BUG: unable to handle kernel NULL pointer dereference at 0000000000000098
IP: [<ffffffffa06c5cc1>] cachefiles_mark_object_inactive+0x61/0xb0 [cachefiles]
...
CPU: 11 PID: 527 Comm: kworker/u64:4 Tainted: G I ------------ 3.10.0-470.el7.x86_64 #1
Hardware name: Hewlett-Packard HP Z600 Workstation/0B54h, BIOS 786G4 v03.19 03/11/2011
Workqueue: fscache_object fscache_object_work_func [fscache]
task: ffff880035edaf10 ti: ffff8800b77c0000 task.ti: ffff8800b77c0000
RIP: 0010:[<ffffffffa06c5cc1>] cachefiles_mark_object_inactive+0x61/0xb0 [cachefiles]
RSP: 0018:ffff8800b77c3d70 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8800bf6cc400 RCX: 0000000000000034
RDX: 0000000000000000 RSI: ffff880090ffc710 RDI: ffff8800bf761ef8
RBP: ffff8800b77c3d88 R08: 2000000000000000 R09: 0090ffc710000000
R10: ff51005d2ff1c400 R11: 0000000000000000 R12: ffff880090ffc600
R13: ffff8800bf6cc520 R14: ffff8800bf6cc400 R15: ffff8800bf6cc498
FS: 0000000000000000(0000) GS:ffff8800bb8c0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 000000008005003b
CR2: 0000000000000098 CR3: 00000000019ba000 CR4: 00000000000007e0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000ffff0ff0 DR7: 0000000000000400
Stack:
ffff880090ffc600 ffff8800bf6cc400 ffff8800867df140 ffff8800b77c3db0
ffffffffa06c48cb ffff880090ffc600 ffff880090ffc180 ffff880090ffc658
ffff8800b77c3df0 ffffffffa085d846 ffff8800a96b8150 ffff880090ffc600
Call Trace:
[<ffffffffa06c48cb>] cachefiles_drop_object+0x6b/0xf0 [cachefiles]
[<ffffffffa085d846>] fscache_drop_object+0xd6/0x1e0 [fscache]
[<ffffffffa085d615>] fscache_object_work_func+0xa5/0x200 [fscache]
[<ffffffff810a605b>] process_one_work+0x17b/0x470
[<ffffffff810a6e96>] worker_thread+0x126/0x410
[<ffffffff810a6d70>] ? rescuer_thread+0x460/0x460
[<ffffffff810ae64f>] kthread+0xcf/0xe0
[<ffffffff810ae580>] ? kthread_create_on_node+0x140/0x140
[<ffffffff81695418>] ret_from_fork+0x58/0x90
[<ffffffff810ae580>] ? kthread_create_on_node+0x140/0x140
The oopsing code shows:
callq 0xffffffff810af6a0 <wake_up_bit>
mov 0xf8(%r12),%rax
mov 0x30(%rax),%rax
mov 0x98(%rax),%rax <---- oops here
lock add %rax,0x130(%rbx)
where this is:
d_backing_inode(object->dentry)->i_blocks
Fixes: a5b3a80b899bda0f456f1246c4c5a1191ea01519 (CacheFiles: Provide read-and-reset release counters for cachefilesd)
Reported-by: Jianhong Yin <jiyin@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Reviewed-by: Jeff Layton <jlayton@redhat.com>
Reviewed-by: Steve Dickson <steved@redhat.com>
Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
fs/cachefiles/interface.c | 8 +++++++-
fs/cachefiles/internal.h | 3 ++-
fs/cachefiles/namei.c | 8 ++++----
3 files changed, 13 insertions(+), 6 deletions(-)
--- a/fs/cachefiles/interface.c
+++ b/fs/cachefiles/interface.c
@@ -253,6 +253,8 @@ static void cachefiles_drop_object(struc
struct cachefiles_object *object;
struct cachefiles_cache *cache;
const struct cred *saved_cred;
+ struct inode *inode;
+ blkcnt_t i_blocks = 0;
ASSERT(_object);
@@ -279,6 +281,10 @@ static void cachefiles_drop_object(struc
_object != cache->cache.fsdef
) {
_debug("- retire object OBJ%x", object->fscache.debug_id);
+ inode = d_backing_inode(object->dentry);
+ if (inode)
+ i_blocks = inode->i_blocks;
+
cachefiles_begin_secure(cache, &saved_cred);
cachefiles_delete_object(cache, object);
cachefiles_end_secure(cache, saved_cred);
@@ -292,7 +298,7 @@ static void cachefiles_drop_object(struc
/* note that the object is now inactive */
if (test_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags))
- cachefiles_mark_object_inactive(cache, object);
+ cachefiles_mark_object_inactive(cache, object, i_blocks);
dput(object->dentry);
object->dentry = NULL;
--- a/fs/cachefiles/internal.h
+++ b/fs/cachefiles/internal.h
@@ -160,7 +160,8 @@ extern char *cachefiles_cook_key(const u
* namei.c
*/
extern void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
- struct cachefiles_object *object);
+ struct cachefiles_object *object,
+ blkcnt_t i_blocks);
extern int cachefiles_delete_object(struct cachefiles_cache *cache,
struct cachefiles_object *object);
extern int cachefiles_walk_to_object(struct cachefiles_object *parent,
--- a/fs/cachefiles/namei.c
+++ b/fs/cachefiles/namei.c
@@ -261,10 +261,9 @@ requeue:
* Mark an object as being inactive.
*/
void cachefiles_mark_object_inactive(struct cachefiles_cache *cache,
- struct cachefiles_object *object)
+ struct cachefiles_object *object,
+ blkcnt_t i_blocks)
{
- blkcnt_t i_blocks = d_backing_inode(object->dentry)->i_blocks;
-
write_lock(&cache->active_lock);
rb_erase(&object->active_node, &cache->active_nodes);
clear_bit(CACHEFILES_OBJECT_ACTIVE, &object->flags);
@@ -707,7 +706,8 @@ mark_active_timed_out:
check_error:
_debug("check error %d", ret);
- cachefiles_mark_object_inactive(cache, object);
+ cachefiles_mark_object_inactive(
+ cache, object, d_backing_inode(object->dentry)->i_blocks);
release_dentry:
dput(object->dentry);
object->dentry = NULL;
next prev parent reply other threads:[~2016-10-21 9:19 UTC|newest]
Thread overview: 42+ messages / expand[flat|nested] mbox.gz Atom feed top
[not found] <CGME20161021092031uscas1p23c708f6b57321ddde439826eb68aa2f9@uscas1p2.samsung.com>
2016-10-21 9:17 ` [PATCH 4.7 00/45] 4.7.10-stable review Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 02/45] serial: 8250_dw: Check the data->pclk when get apb_pclk Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 03/45] serial: 8250_port: fix runtime PM use in __do_stop_tx_rs485() Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 04/45] ARCv2: intc: Use kflag if STATUS32.IE must be reset Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 05/45] ARCv2: fix local_save_flags Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 06/45] debugfs: introduce a public file_operations accessor Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 07/45] b43: fix debugfs crash Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 08/45] b43legacy: " Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 09/45] carl9170: fix debugfs crashes Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 12/45] btrfs: assign error values to the correct bio structs Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 13/45] mei: amthif: fix deadlock in initialization during a reset Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 14/45] drivers: base: dma-mapping: page align the size when unmap_kernel_range Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 15/45] IB/hfi1: Fix defered ack race with qp destroy Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 16/45] clk: mvebu: fix setting unwanted flags in CP110 gate clock Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 17/45] clk: mvebu: dynamically allocate resources in Armada CP110 system controller Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 18/45] fuse: listxattr: verify xattr list Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 20/45] fuse: fix killing s[ug]id in setattr Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 21/45] i40e: avoid NULL pointer dereference and recursive errors on early PCI error Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 22/45] xfs: change mailing list address Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 23/45] brcmfmac: fix pmksa->bssid usage Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 26/45] ASoC: Intel: Atom: add a missing star in a memcpy call Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 27/45] reiserfs: Unlock superblock before calling reiserfs_quota_on_mount() Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 28/45] async_pq_val: fix DMA memory leak Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 29/45] scsi: arcmsr: Buffer overflow in arcmsr_iop_message_xfer() Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 30/45] scsi: arcmsr: Simplify user_len checking Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 31/45] scsi: ibmvfc: Fix I/O hang when port is not mapped Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 32/45] vfs,mm: fix a dead loop in truncate_inode_pages_range() Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 33/45] ext4: enforce online defrag restriction for encrypted files Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 34/45] ext4: reinforce check of i_dtime when clearing high fields of uid and gid Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 36/45] ext4: fix memory leak in ext4_insert_range() Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 37/45] ext4: allow DAX writeback for hole punch Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 38/45] ext4: release bh in make_indexed_dir Greg Kroah-Hartman
2016-10-21 9:17 ` [PATCH 4.7 39/45] ext4: unmap metadata when zeroing blocks Greg Kroah-Hartman
2016-10-21 9:18 ` [PATCH 4.7 40/45] crypto: ghash-generic - move common definitions to a new header file Greg Kroah-Hartman
2016-10-21 9:18 ` [PATCH 4.7 41/45] crypto: vmx - Fix memory corruption caused by p8_ghash Greg Kroah-Hartman
2016-10-21 9:18 ` [PATCH 4.7 42/45] dlm: free workqueues after the connections Greg Kroah-Hartman
2016-10-21 9:18 ` [PATCH 4.7 43/45] vfs: move permission checking into notify_change() for utimes(NULL) Greg Kroah-Hartman
2016-10-21 9:18 ` Greg Kroah-Hartman [this message]
2016-10-21 9:18 ` [PATCH 4.7 45/45] cfq: fix starvation of asynchronous writes Greg Kroah-Hartman
2016-10-21 15:45 ` [PATCH 4.7 00/45] 4.7.10-stable review Shuah Khan
2016-10-21 19:17 ` Guenter Roeck
[not found] ` <580a133b.43921c0a.263d9.400c@mx.google.com>
[not found] ` <7hy41h1px6.fsf@baylibre.com>
2016-10-22 9:56 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20161021091429.590024467@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=dhowells@redhat.com \
--cc=jiyin@redhat.com \
--cc=jlayton@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=steved@redhat.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).