From: "Theodore Ts'o" <tytso@mit.edu>
To: Jan Kara <jack@suse.cz>
Cc: Alexander Viro <viro@zeniv.linux.org.uk>,
	Lukas Czerner <lczerner@redhat.com>,
	Svyatoslav Feldsherov <feldsherov@google.com>,
	syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com,
	oferz@google.com, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] fs: do not update freeing inode i_io_list
Date: Mon, 28 Nov 2022 14:19:57 -0500
Message-ID: <Y4UJ3f7FcCTTq7q3@mit.edu>
In-Reply-To: <20221116111539.i7xi7is7rn62prf5@quack3>

On Wed, Nov 16, 2022 at 12:15:39PM +0100, Jan Kara wrote:
> On Tue 15-11-22 20:20:01, Svyatoslav Feldsherov wrote:
> > After commit cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode
> > already has I_DIRTY_INODE") writeback_single_inode can push an inode with
> > I_DIRTY_TIME set onto the b_dirty_time list. In the case of freeing an
> > inode with I_DIRTY_TIME set, this can happen after the inode has been
> > deleted from i_io_list at evict. The stack trace is as follows.
> > 
> > evict
> > fat_evict_inode
> > fat_truncate_blocks
> > fat_flush_inodes
> > writeback_inode
> > sync_inode_metadata(inode, sync=0)
> > writeback_single_inode(inode, wbc) <- wbc->sync_mode == WB_SYNC_NONE
> > 
> > This will lead to a use-after-free in the flusher thread.
> > 
> > A similar issue can be triggered if the writeback_single_inode in the
> > stack trace updates inode->i_io_list. Add an explicit check to avoid it.
> > 
> > Fixes: cbfecb927f42 ("fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE")
> > Reported-by: syzbot+6ba92bd00d5093f7e371@syzkaller.appspotmail.com
> > Reviewed-by: Jan Kara <jack@suse.cz>
> > Signed-off-by: Svyatoslav Feldsherov <feldsherov@google.com>
> 
> Ted, I guess you will merge this patch since you've merged the one from
> Lukas that this patch is fixing?

Sorry, I forgot to ack this earlier, but this was pushed to Linus and
it's in 6.1-rc7.

					- Ted
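As an added illustration that is not part of this thread, and is neither the kernel's code nor the actual patch, here is a userspace C model of the sequence the quoted commit message describes: evict() has already taken the inode off i_io_list, yet a WB_SYNC_NONE writeback_single_inode() moves it back onto b_dirty_time, where the flusher thread later finds freed memory. The I_FREEING check on the "fixed" path is an assumption inferred from "Add an explicit check to avoid it"; the list helpers and flag values are simplified stand-ins.

```c
/* Added userspace model of the race in the quoted commit message; not kernel
 * code and not the actual patch. The I_FREEING check in the "fixed" path is an
 * assumption based on "Add explicit check to avoid it". */
#include <stdbool.h>
#define I_DIRTY_TIME 0x1
#define I_FREEING    0x2

struct node { struct node *prev, *next; };
struct inode {
    unsigned long i_state;
    struct node   i_io_list;   /* links the inode into one writeback list */
};

/* Minimal list.h-style helpers */
static void list_init(struct node *h) { h->prev = h->next = h; }
static void list_del_init(struct node *n)
{
    n->prev->next = n->next; n->next->prev = n->prev; list_init(n);
}
static void list_move_tail(struct node *n, struct node *h)
{
    list_del_init(n);
    n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n;
}

/* Tail of writeback_single_inode(): an inode that still has I_DIRTY_TIME set
 * is requeued on the bdi's b_dirty_time list for the flusher thread. */
static void requeue_inode_model(struct inode *inode, struct node *b_dirty_time,
                                bool check_freeing)
{
    if (check_freeing && (inode->i_state & I_FREEING))
        return;             /* assumed fix: leave a dying inode off the lists */
    if (inode->i_state & I_DIRTY_TIME)
        list_move_tail(&inode->i_io_list, b_dirty_time);
}

/* evict(): the inode is already I_FREEING, gets dropped from its writeback
 * list, then (fat_evict_inode -> ... -> writeback_single_inode, WB_SYNC_NONE)
 * hits the requeue path. Returns true if b_dirty_time still points at the
 * inode, i.e. the flusher would touch freed memory once it is released. */
static bool evict_leaves_dangling(bool check_freeing)
{
    struct node b_dirty_time;
    struct inode inode = { .i_state = I_DIRTY_TIME | I_FREEING };
    list_init(&b_dirty_time);
    list_init(&inode.i_io_list);
    list_del_init(&inode.i_io_list);                /* inode_io_list_del() */
    requeue_inode_model(&inode, &b_dirty_time, check_freeing);
    return b_dirty_time.next != &b_dirty_time;      /* inode freed after this */
}
```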
