* [f2fs-dev] [PATCH 2/5] f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
@ 2020-10-12 13:09 Jamie Iles
From: Jamie Iles @ 2020-10-12 13:09 UTC (permalink / raw)
To: linux-f2fs-devel; +Cc: Jaegeuk Kim, Jamie Iles
syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an
f2fs filesystem could result in the following splat:
kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250)
kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750)
------------[ cut here ]------------
ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98
WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240
Kernel panic - not syncing: panic_on_warn set ...
CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x4d8
show_stack+0x34/0x48
dump_stack+0x174/0x1f8
panic+0x360/0x7a0
__warn+0x244/0x2ec
report_bug+0x240/0x398
bug_handler+0x50/0xc0
call_break_hook+0x160/0x1d8
brk_handler+0x30/0xc0
do_debug_exception+0x184/0x340
el1_dbg+0x48/0xb0
el1_sync_handler+0x170/0x1c8
el1_sync+0x80/0x100
debug_print_object+0x180/0x240
debug_check_no_obj_freed+0x200/0x430
slab_free_freelist_hook+0x190/0x210
kfree+0x13c/0x460
f2fs_put_super+0x624/0xa58
generic_shutdown_super+0x120/0x300
kill_block_super+0x94/0xf8
kill_f2fs_super+0x244/0x308
deactivate_locked_super+0x104/0x150
deactivate_super+0x118/0x148
cleanup_mnt+0x27c/0x3c0
__cleanup_mnt+0x28/0x38
task_work_run+0x10c/0x248
do_notify_resume+0x9d4/0x1188
work_pending+0x8/0x34c
Like the error handling for f2fs_register_sysfs(), we need to wait for
the kobject to be destroyed before returning to prevent a potential
use-after-free.
Fixes: bf9e697ecd4 ("f2fs: expose features to sysfs entry")
Cc: Jaegeuk Kim <jaegeuk@kernel.org>
Cc: Chao Yu <chao@kernel.org>
Signed-off-by: Jamie Iles <jamie@nuviainc.com>
---
fs/f2fs/sysfs.c | 1 +
1 file changed, 1 insertion(+)
diff --git a/fs/f2fs/sysfs.c b/fs/f2fs/sysfs.c
index 3162f46b3c9b..f6c02d2483ad 100644
--- a/fs/f2fs/sysfs.c
+++ b/fs/f2fs/sysfs.c
@@ -890,4 +890,5 @@ void f2fs_unregister_sysfs(struct f2fs_sb_info *sbi)
}
kobject_del(&sbi->s_kobj);
kobject_put(&sbi->s_kobj);
+ wait_for_completion(&sbi->s_kobj_unregister);
}
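Review bot: the wait_for_completion() added on the last line of the hunk blocks forever unless the ktype release callback for s_kobj calls complete() on s_kobj_unregister on every path and init_completion() ran before the kobject was exposed; neither is visible here, so the commit message should name the release callback and state that f2fs_register_sysfs() initialises the completion (the error path it cites already relies on both). It is also worth confirming that f2fs_unregister_sysfs() cannot be reached when f2fs_register_sysfs() failed before the kobject was initialised, since kobject_put() would then never schedule a release and the new wait would hang the unmount.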
--
2.25.1
_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
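A single-threaded model of the lifetime ordering the commit message describes, added here and not part of the patch or of f2fs: kobject_put() only schedules the final release as deferred work (the splat shows kobject_release running "delayed"), so if the embedding f2fs_sb_info is freed before that work runs, the release callback touches freed memory, and waiting on a completion that the release signals closes the window. All model_* names are this example's own; "freed" stands in for kfree() so the model stays well-defined while it detects the bug.

```c
#include <stdbool.h>
#include <string.h>
struct model_completion { bool done; };
struct model_kobject { int refcount; };
/* Stands in for f2fs_sb_info; "freed" replaces a real free() so the model
 * stays well-defined when it detects the bug. */
struct model_sb_info {
    struct model_kobject s_kobj;             /* embedded: freed with sbi */
    struct model_completion s_kobj_unregister;
    bool freed;
};
/* Deferred-work slot: the one pending kobject release in this model. */
static struct model_kobject *pending_release;
/* ktype release: runs from the work queue; returns 1 if memory was already freed. */
static int model_release(struct model_kobject *kobj)
{
    struct model_sb_info *sbi = (struct model_sb_info *)kobj; /* container_of */
    int uaf = sbi->freed;
    sbi->s_kobj_unregister.done = true;      /* complete(&s_kobj_unregister) */
    return uaf;
}
static void model_kobject_put(struct model_kobject *kobj)
{
    if (--kobj->refcount == 0)
        pending_release = kobj;              /* deferred, not run here */
}
/* The work queue firing. Returns 1 if a release observed freed memory. */
static int model_run_pending_work(void)
{
    struct model_kobject *kobj = pending_release;
    pending_release = NULL;
    return kobj ? model_release(kobj) : 0;
}
static void model_wait_for_completion(struct model_completion *c)
{
    while (!c->done)
        model_run_pending_work();            /* sleeping lets the work run */
}
/* f2fs_put_super() model: returns 1 if the deferred release hit freed memory. */
int model_unmount(bool wait_for_unregister)
{
    struct model_sb_info sbi;
    memset(&sbi, 0, sizeof(sbi));
    sbi.s_kobj.refcount = 1;
    model_kobject_put(&sbi.s_kobj);          /* f2fs_unregister_sysfs() */
    if (wait_for_unregister)                 /* the line the patch adds */
        model_wait_for_completion(&sbi.s_kobj_unregister);
    sbi.freed = true;                        /* kfree(sbi) */
    return model_run_pending_work();         /* delayed work eventually fires */
}
```

Calling model_unmount(false) reproduces the ordering the splat reports (release after free), while model_unmount(true) shows the release completing before the container is freed.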
* Re: [f2fs-dev] [PATCH 2/5] f2fs: wait for sysfs kobject removal before freeing f2fs_sb_info
@ 2020-10-13 3:32 ` Chao Yu
From: Chao Yu @ 2020-10-13 3:32 UTC (permalink / raw)
To: Jamie Iles, linux-f2fs-devel; +Cc: Jaegeuk Kim
On 2020/10/12 21:09, Jamie Iles wrote:
> syzkaller found that with CONFIG_DEBUG_KOBJECT_RELEASE=y, unmounting an
> f2fs filesystem could result in the following splat:
>
> kobject: 'loop5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 250)
> kobject: 'f2fs_xattr_entry-7:5' ((____ptrval____)): kobject_release, parent 0000000000000000 (delayed 750)
> ------------[ cut here ]------------
> ODEBUG: free active (active state 0) object type: timer_list hint: delayed_work_timer_fn+0x0/0x98
> WARNING: CPU: 0 PID: 699 at lib/debugobjects.c:485 debug_print_object+0x180/0x240
> Kernel panic - not syncing: panic_on_warn set ...
> CPU: 0 PID: 699 Comm: syz-executor.5 Tainted: G S 5.9.0-rc8+ #101
> Hardware name: linux,dummy-virt (DT)
> Call trace:
> dump_backtrace+0x0/0x4d8
> show_stack+0x34/0x48
> dump_stack+0x174/0x1f8
> panic+0x360/0x7a0
> __warn+0x244/0x2ec
> report_bug+0x240/0x398
> bug_handler+0x50/0xc0
> call_break_hook+0x160/0x1d8
> brk_handler+0x30/0xc0
> do_debug_exception+0x184/0x340
> el1_dbg+0x48/0xb0
> el1_sync_handler+0x170/0x1c8
> el1_sync+0x80/0x100
> debug_print_object+0x180/0x240
> debug_check_no_obj_freed+0x200/0x430
> slab_free_freelist_hook+0x190/0x210
> kfree+0x13c/0x460
> f2fs_put_super+0x624/0xa58
> generic_shutdown_super+0x120/0x300
> kill_block_super+0x94/0xf8
> kill_f2fs_super+0x244/0x308
> deactivate_locked_super+0x104/0x150
> deactivate_super+0x118/0x148
> cleanup_mnt+0x27c/0x3c0
> __cleanup_mnt+0x28/0x38
> task_work_run+0x10c/0x248
> do_notify_resume+0x9d4/0x1188
> work_pending+0x8/0x34c
>
> Like the error handling for f2fs_register_sysfs(), we need to wait for
> the kobject to be destroyed before returning to prevent a potential
> use-after-free.
>
> Fixes: bf9e697ecd4 ("f2fs: expose features to sysfs entry")
> Cc: Jaegeuk Kim <jaegeuk@kernel.org>
> Cc: Chao Yu <chao@kernel.org>
> Signed-off-by: Jamie Iles <jamie@nuviainc.com>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks,