From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Luis Henriques <lhenriques@suse.com>,
Jeff Layton <jlayton@kernel.org>,
Ilya Dryomov <idryomov@gmail.com>,
Sasha Levin <sashal@kernel.org>
Subject: [PATCH 4.14 25/40] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
Date: Sun, 8 Sep 2019 13:41:58 +0100 [thread overview]
Message-ID: <20190908121125.432040957@linuxfoundation.org> (raw)
In-Reply-To: <20190908121114.260662089@linuxfoundation.org>
[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ]
Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
be fixed by having this function returning the old blob buffer and have
the callers of this function freeing it when the lock is released.
The following backtrace was triggered by fstests generic/117.
BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
4 locks held by fsstress/649:
#0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
#1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
#2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
#3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack+0x67/0x90
___might_sleep.cold+0x9f/0xb1
vfree+0x4b/0x60
ceph_buffer_release+0x1b/0x60
__ceph_build_xattrs_blob+0x12b/0x170
__send_cap+0x302/0x540
? __lock_acquire+0x23c/0x1e40
? __mark_caps_flushing+0x15c/0x280
? _raw_spin_unlock+0x24/0x30
ceph_check_caps+0x5f0/0xc60
ceph_flush_dirty_caps+0x7c/0x150
? __ia32_sys_fdatasync+0x20/0x20
ceph_sync_fs+0x5a/0x130
iterate_supers+0x8f/0xf0
ksys_sync+0x4f/0xb0
__ia32_sys_sync+0xa/0x10
do_syscall_64+0x50/0x1c0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fc6409ab617
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/caps.c | 5 ++++-
fs/ceph/snap.c | 4 +++-
fs/ceph/super.h | 2 +-
fs/ceph/xattr.c | 11 ++++++++---
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 238d24348a98a..df95e39ccd45b 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1162,6 +1162,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
{
struct ceph_inode_info *ci = cap->ci;
struct inode *inode = &ci->vfs_inode;
+ struct ceph_buffer *old_blob = NULL;
struct cap_msg_args arg;
int held, revoking, dropping;
int wake = 0;
@@ -1227,7 +1228,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
ci->i_requested_max_size = arg.max_size;
if (flushing & CEPH_CAP_XATTR_EXCL) {
- __ceph_build_xattrs_blob(ci);
+ old_blob = __ceph_build_xattrs_blob(ci);
arg.xattr_version = ci->i_xattrs.version;
arg.xattr_buf = ci->i_xattrs.blob;
} else {
@@ -1262,6 +1263,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
+
ret = send_cap_msg(&arg);
if (ret < 0) {
dout("error sending cap msg, must requeue %p\n", inode);
diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
index a7e763dac0385..29ed1688a1d3a 100644
--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -460,6 +460,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
struct inode *inode = &ci->vfs_inode;
struct ceph_cap_snap *capsnap;
struct ceph_snap_context *old_snapc, *new_snapc;
+ struct ceph_buffer *old_blob = NULL;
int used, dirty;
capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
@@ -536,7 +537,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
capsnap->gid = inode->i_gid;
if (dirty & CEPH_CAP_XATTR_EXCL) {
- __ceph_build_xattrs_blob(ci);
+ old_blob = __ceph_build_xattrs_blob(ci);
capsnap->xattr_blob =
ceph_buffer_get(ci->i_xattrs.blob);
capsnap->xattr_version = ci->i_xattrs.version;
@@ -579,6 +580,7 @@ update_snapc:
}
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
kfree(capsnap);
ceph_put_snap_context(old_snapc);
}
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 60b70f0985f67..46f600107cb5b 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -835,7 +835,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat,
int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
extern void __init ceph_xattr_init(void);
extern void ceph_xattr_exit(void);
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 932c6cdc22d66..3a166f860b6cf 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -681,12 +681,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size,
/*
* If there are dirty xattrs, reencode xattrs into the prealloc_blob
- * and swap into place.
+ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
+ * that it can be freed by the caller as the i_ceph_lock is likely to be
+ * held.
*/
-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
{
struct rb_node *p;
struct ceph_inode_xattr *xattr = NULL;
+ struct ceph_buffer *old_blob = NULL;
void *dest;
dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
@@ -717,12 +720,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
if (ci->i_xattrs.blob)
- ceph_buffer_put(ci->i_xattrs.blob);
+ old_blob = ci->i_xattrs.blob;
ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
ci->i_xattrs.prealloc_blob = NULL;
ci->i_xattrs.dirty = false;
ci->i_xattrs.version++;
}
+
+ return old_blob;
}
static inline int __get_request_mask(struct inode *in) {
--
2.20.1
next prev parent reply other threads:[~2019-09-08 12:45 UTC|newest]
Thread overview: 47+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-09-08 12:41 [PATCH 4.14 00/40] 4.14.143-stable review Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 01/40] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 02/40] hv_netvsc: Fix a warning of suspicious RCU usage Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 03/40] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 04/40] Bluetooth: btqca: Add a short delay before downloading the NVM Greg Kroah-Hartman
2019-09-09 16:13 ` Matthias Kaehlcke
2019-09-08 12:41 ` [PATCH 4.14 05/40] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 06/40] ibmveth: Convert multicast list size for little-endian system Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 07/40] gpio: Fix build error of function redefinition Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 08/40] drm/mediatek: use correct device to import PRIME buffers Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 09/40] drm/mediatek: set DMA max segment size Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 10/40] cxgb4: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 11/40] liquidio: add cleanup in octeon_setup_iq() Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 12/40] net: myri10ge: fix memory leaks Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 13/40] lan78xx: Fix " Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 14/40] vfs: fix page locking deadlocks when deduping files Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 15/40] cx82310_eth: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 16/40] net: kalmia: fix memory leaks Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 17/40] wimax/i2400m: fix a memory leak bug Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 18/40] ravb: Fix use-after-free ravb_tstamp_skb Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 19/40] kprobes: Fix potential deadlock in kprobe_optimizer() Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 20/40] HID: cp2112: prevent sleeping function called from invalid context Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 21/40] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 22/40] Tools: hv: kvp: eliminate may be used uninitialized warning Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 23/40] IB/mlx4: Fix memory leaks Greg Kroah-Hartman
2019-09-08 12:41 ` [PATCH 4.14 24/40] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Greg Kroah-Hartman
2019-09-08 12:41 ` Greg Kroah-Hartman [this message]
2019-09-08 12:41 ` [PATCH 4.14 26/40] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 27/40] KVM: arm/arm64: Only skip MMIO insn once Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 28/40] libceph: allow ceph_buffer_put() to receive a NULL ceph_buffer Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 29/40] spi: bcm2835aux: unifying code between polling and interrupt driven code Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 30/40] spi: bcm2835aux: remove dangerous uncontrolled read of fifo Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 31/40] spi: bcm2835aux: fix corruptions for longer spi transfers Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 32/40] Revert "x86/apic: Include the LDR when clearing out APIC registers" Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 33/40] net: fix skb use after free in netpoll Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 34/40] net_sched: fix a NULL pointer deref in ipt action Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 35/40] net: stmmac: dwmac-rk: Dont fail if phy regulator is absent Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 36/40] tcp: inherit timestamp on mtu probe Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 37/40] tcp: remove empty skb from write queue in error cases Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 38/40] net: sched: act_sample: fix psample group handling on overwrite Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 39/40] mld: fix memory leak in mld_del_delrec() Greg Kroah-Hartman
2019-09-08 12:42 ` [PATCH 4.14 40/40] x86/boot: Preserve boot_params.secure_boot from sanitizing Greg Kroah-Hartman
2019-09-08 16:58 ` [PATCH 4.14 00/40] 4.14.143-stable review kernelci.org bot
2019-09-09 1:35 ` Naresh Kamboju
2019-09-09 14:50 ` Bharath Vedartham
2019-09-09 19:39 ` Guenter Roeck
2019-09-10 9:19 ` Jon Hunter
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190908121125.432040957@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=lhenriques@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).