[PATCH 4.14 15/21] ceph: fix use-after-free bug for inodes when flushing capsnaps

stable.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	patches@lists.linux.dev, Xiubo Li <xiubli@redhat.com>,
	Milind Changire <mchangir@redhat.com>,
	Ilya Dryomov <idryomov@gmail.com>
Subject: [PATCH 4.14 15/21] ceph: fix use-after-free bug for inodes when flushing capsnaps
Date: Mon, 12 Jun 2023 12:26:10 +0200	[thread overview]
Message-ID: <20230612101651.577529518@linuxfoundation.org> (raw)
In-Reply-To: <20230612101651.048240731@linuxfoundation.org>

From: Xiubo Li <xiubli@redhat.com>

commit 409e873ea3c1fd3079909718bbeb06ac1ec7f38b upstream.

There is a race between capsnaps flush and removing the inode from
'mdsc->snap_flush_list' list:

   == Thread A ==                     == Thread B ==
ceph_queue_cap_snap()
 -> allocate 'capsnapA'
 ->ihold('&ci->vfs_inode')
 ->add 'capsnapA' to 'ci->i_cap_snaps'
 ->add 'ci' to 'mdsc->snap_flush_list'
    ...
   == Thread C ==
ceph_flush_snaps()
 ->__ceph_flush_snaps()
  ->__send_flush_snap()
                                handle_cap_flushsnap_ack()
                                 ->iput('&ci->vfs_inode')
                                   this also will release 'ci'
                                    ...
				      == Thread D ==
                                ceph_handle_snap()
                                 ->flush_snaps()
                                  ->iterate 'mdsc->snap_flush_list'
                                   ->get the stale 'ci'
 ->remove 'ci' from                ->ihold(&ci->vfs_inode) this
   'mdsc->snap_flush_list'           will WARNING

To fix this we will increase the inode's i_count ref when adding 'ci'
to the 'mdsc->snap_flush_list' list.

[ idryomov: need_put int -> bool ]

Cc: stable@vger.kernel.org
Link: https://bugzilla.redhat.com/show_bug.cgi?id=2209299
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Milind Changire <mchangir@redhat.com>
Reviewed-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
 fs/ceph/caps.c |    6 ++++++
 fs/ceph/snap.c |    4 +++-
 2 files changed, 9 insertions(+), 1 deletion(-)

--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1437,6 +1437,7 @@ void ceph_flush_snaps(struct ceph_inode_
 	struct inode *inode = &ci->vfs_inode;
 	struct ceph_mds_client *mdsc = ceph_inode_to_client(inode)->mdsc;
 	struct ceph_mds_session *session = NULL;
+	bool need_put = false;
 	int mds;
 
 	dout("ceph_flush_snaps %p\n", inode);
@@ -1490,8 +1491,13 @@ out:
 	}
 	/* we flushed them all; remove this inode from the queue */
 	spin_lock(&mdsc->snap_flush_lock);
+	if (!list_empty(&ci->i_snap_flush_item))
+		need_put = true;
 	list_del_init(&ci->i_snap_flush_item);
 	spin_unlock(&mdsc->snap_flush_lock);
+
+	if (need_put)
+		iput(inode);
 }
 
 /*
--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -623,8 +623,10 @@ int __ceph_finish_cap_snap(struct ceph_i
 	     capsnap->size);
 
 	spin_lock(&mdsc->snap_flush_lock);
-	if (list_empty(&ci->i_snap_flush_item))
+	if (list_empty(&ci->i_snap_flush_item)) {
+		ihold(inode);
 		list_add_tail(&ci->i_snap_flush_item, &mdsc->snap_flush_list);
+	}
 	spin_unlock(&mdsc->snap_flush_lock);
 	return 1;  /* caller may want to ceph_flush_snaps */
 }

next prev parent reply	other threads:[~2023-06-12 10:44 UTC|newest]

Thread overview: 27+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2023-06-12 10:25 [PATCH 4.14 00/21] 4.14.318-rc1 review Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 4.14 01/21] i40iw: fix build warning in i40iw_manage_apbvt() Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 4.14 02/21] i40e: fix build warnings in i40e_alloc.h Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 4.14 03/21] spi: qup: Request DMA before enabling clocks Greg Kroah-Hartman
2023-06-12 10:25 ` [PATCH 4.14 04/21] Bluetooth: Fix l2cap_disconnect_req deadlock Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 05/21] Bluetooth: L2CAP: Add missing checks for invalid DCID Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 06/21] rfs: annotate lockless accesses to sk->sk_rxhash Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 07/21] rfs: annotate lockless accesses to RFS sock flow table Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 08/21] net: sched: move rtm_tca_policy declaration to include file Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 09/21] lib: cpu_rmap: Fix potential use-after-free in irq_cpu_rmap_release() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 10/21] bnxt_en: Query default VLAN before VNIC setup on a VF Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 11/21] batman-adv: Broken sync while rescheduling delayed work Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 12/21] Input: xpad - delete a Razer DeathAdder mouse VID/PID entry Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 13/21] Input: psmouse - fix OOB access in Elantech protocol Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 14/21] drm/amdgpu: fix xclk freq on CHIP_STONEY Greg Kroah-Hartman
2023-06-12 10:26 ` Greg Kroah-Hartman [this message]
2023-06-12 10:26 ` [PATCH 4.14 16/21] Bluetooth: Fix use-after-free in hci_remove_ltk/hci_remove_irk Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 17/21] i2c: sprd: Delete i2c adapter in .removes error path Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 18/21] ext4: only check dquot_initialize_needed() when debugging Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 19/21] btrfs: check return value of btrfs_commit_transaction in relocation Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 20/21] btrfs: unset reloc control if transaction commit fails in prepare_to_relocate() Greg Kroah-Hartman
2023-06-12 10:26 ` [PATCH 4.14 21/21] Revert "staging: rtl8192e: Replace macro RTL_PCI_DEVICE with PCI_DEVICE" Greg Kroah-Hartman
2023-06-12 21:49 ` [PATCH 4.14 00/21] 4.14.318-rc1 review Chris Paterson
2023-06-13  8:38 ` Jon Hunter
2023-06-13  9:38 ` Harshit Mogalapalli
2023-06-13  9:40 ` Naresh Kamboju
2023-06-13 23:08 ` Guenter Roeck

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20230612101651.577529518@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=idryomov@gmail.com \
    --cc=mchangir@redhat.com \
    --cc=patches@lists.linux.dev \
    --cc=stable@vger.kernel.org \
    --cc=xiubli@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).