* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
@ 2021-07-02 20:49 kernel test robot
0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2021-07-02 20:49 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 12982 bytes --]
CC: kbuild-all(a)lists.01.org
In-Reply-To: <e525c0bf7b18da426bb3d3dd63830a3f85218a9e.1625244710.git.tytso@mit.edu>
References: <e525c0bf7b18da426bb3d3dd63830a3f85218a9e.1625244710.git.tytso(a)mit.edu>
TO: "Theodore Ts'o" <tytso@mit.edu>
TO: Ye Bin <yebin10@huawei.com>
CC: Ext4 Developers List <linux-ext4@vger.kernel.org>
CC: "Theodore Ts'o" <tytso@mit.edu>
Hi Theodore,
I love your patch! Perhaps something to improve:
[auto build test WARNING on ext4/dev]
[also build test WARNING on next-20210701]
[cannot apply to v5.13]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
:::::: branch date: 4 hours ago
:::::: commit date: 4 hours ago
config: h8300-randconfig-s031-20210702 (attached as .config)
compiler: h8300-linux-gcc (GCC) 9.3.0
reproduce:
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# apt-get install sparse
# sparse version: v0.6.3-341-g8af24329-dirty
# https://github.com/0day-ci/linux/commit/37b4aa9eef5b3f07f803e18d4dba7aba46148f87
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
git checkout 37b4aa9eef5b3f07f803e18d4dba7aba46148f87
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=gcc-9.3.0 make.cross C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' O=build_dir ARCH=h8300 SHELL=/bin/bash fs/ext4/
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
sparse warnings: (new ones prefixed by >>)
>> fs/ext4/mmp.c:247:1: sparse: sparse: unused label 'exit_thread'
vim +/exit_thread +247 fs/ext4/mmp.c
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 124
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 125 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 126 * kmmpd will update the MMP sequence every s_mmp_update_interval seconds
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 127 */
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 129 {
618f003199c6188e Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c6188e Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 142
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a66 Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8df Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 155
215fc6af739d2dfd Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 158
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 172
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a66 Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 176
5c359a47e7d999a0 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9dab3 Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f698 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7c5 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7c5 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f698 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 189
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 194
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 204
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7c5 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7c5 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 212
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7c5 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc81 vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc81 vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 228
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 238
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a66 Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 244
5c359a47e7d999a0 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 246
0304688676bdfc81 vikram.jadhav07 2016-03-13 @247 exit_thread:
c5e06d101aaf72f1 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 252 return retval;
37b4aa9eef5b3f07 Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 30244 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
2021-07-02 16:57 ` [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system Theodore Ts'o
2021-07-02 21:36 ` kernel test robot
@ 2021-07-03 12:57 ` Dan Carpenter
1 sibling, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2021-07-03 12:57 UTC (permalink / raw)
To: kbuild, Theodore Ts'o, Ye Bin
Cc: lkp, kbuild-all, Ext4 Developers List, Theodore Ts'o
Hi Theodore,
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
config: i386-randconfig-m021-20210702 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
fs/ext4/mmp.c:252 kmmpd() error: uninitialized symbol 'retval'.
vim +/retval +252 fs/ext4/mmp.c
c5e06d101aaf72 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi 2011-05-24 129 {
618f003199c618 Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 142
c5e06d101aaf72 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi 2011-05-24 155
215fc6af739d2d Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi 2011-05-24 158
c5e06d101aaf72 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
Smatch complains about this goto.
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72 Johann Lombardi 2011-05-24 172
c5e06d101aaf72 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi 2011-05-24 176
5c359a47e7d999 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f6 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 189
c5e06d101aaf72 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72 Johann Lombardi 2011-05-24 194
c5e06d101aaf72 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi 2011-05-24 204
c5e06d101aaf72 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 212
c5e06d101aaf72 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 228
c5e06d101aaf72 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 238
c5e06d101aaf72 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 244
5c359a47e7d999 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 246
0304688676bdfc vikram.jadhav07 2016-03-13 247 exit_thread:
c5e06d101aaf72 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 @252 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
@ 2021-07-03 12:57 ` Dan Carpenter
0 siblings, 0 replies; 7+ messages in thread
From: Dan Carpenter @ 2021-07-03 12:57 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 10869 bytes --]
Hi Theodore,
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
config: i386-randconfig-m021-20210702 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
fs/ext4/mmp.c:252 kmmpd() error: uninitialized symbol 'retval'.
vim +/retval +252 fs/ext4/mmp.c
c5e06d101aaf72 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi 2011-05-24 129 {
618f003199c618 Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 142
c5e06d101aaf72 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi 2011-05-24 155
215fc6af739d2d Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi 2011-05-24 158
c5e06d101aaf72 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
Smatch complains about this goto.
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72 Johann Lombardi 2011-05-24 172
c5e06d101aaf72 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi 2011-05-24 176
5c359a47e7d999 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f6 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 189
c5e06d101aaf72 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72 Johann Lombardi 2011-05-24 194
c5e06d101aaf72 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi 2011-05-24 204
c5e06d101aaf72 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 212
c5e06d101aaf72 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 228
c5e06d101aaf72 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 238
c5e06d101aaf72 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 244
5c359a47e7d999 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 246
0304688676bdfc vikram.jadhav07 2016-03-13 247 exit_thread:
c5e06d101aaf72 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 @252 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
@ 2021-07-03 12:57 ` Dan Carpenter
0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2021-07-02 23:52 UTC (permalink / raw)
To: kbuild
[-- Attachment #1: Type: text/plain, Size: 11901 bytes --]
CC: kbuild-all(a)lists.01.org
In-Reply-To: <e525c0bf7b18da426bb3d3dd63830a3f85218a9e.1625244710.git.tytso@mit.edu>
References: <e525c0bf7b18da426bb3d3dd63830a3f85218a9e.1625244710.git.tytso(a)mit.edu>
TO: "Theodore Ts'o" <tytso@mit.edu>
TO: Ye Bin <yebin10@huawei.com>
CC: Ext4 Developers List <linux-ext4@vger.kernel.org>
CC: "Theodore Ts'o" <tytso@mit.edu>
Hi Theodore,
I love your patch! Perhaps something to improve:
[auto build test WARNING on ext4/dev]
[also build test WARNING on next-20210701]
[cannot apply to v5.13]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
:::::: branch date: 7 hours ago
:::::: commit date: 7 hours ago
config: i386-randconfig-m021-20210702 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@oracle.com>
smatch warnings:
fs/ext4/mmp.c:252 kmmpd() error: uninitialized symbol 'retval'.
vim +/retval +252 fs/ext4/mmp.c
c5e06d101aaf72 Johann Lombardi 2011-05-24 124
c5e06d101aaf72 Johann Lombardi 2011-05-24 125 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 126 * kmmpd will update the MMP sequence every s_mmp_update_interval seconds
c5e06d101aaf72 Johann Lombardi 2011-05-24 127 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi 2011-05-24 129 {
618f003199c618 Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 142
c5e06d101aaf72 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi 2011-05-24 155
215fc6af739d2d Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi 2011-05-24 158
c5e06d101aaf72 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72 Johann Lombardi 2011-05-24 172
c5e06d101aaf72 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi 2011-05-24 176
5c359a47e7d999 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f6 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 189
c5e06d101aaf72 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72 Johann Lombardi 2011-05-24 194
c5e06d101aaf72 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi 2011-05-24 204
c5e06d101aaf72 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 212
c5e06d101aaf72 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 228
c5e06d101aaf72 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 238
c5e06d101aaf72 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 244
5c359a47e7d999 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 246
0304688676bdfc vikram.jadhav07 2016-03-13 247 exit_thread:
c5e06d101aaf72 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 @252 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 43884 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
2021-07-02 16:57 ` [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system Theodore Ts'o
@ 2021-07-02 21:36 ` kernel test robot
2021-07-03 12:57 ` Dan Carpenter
1 sibling, 0 replies; 7+ messages in thread
From: kernel test robot @ 2021-07-02 21:36 UTC (permalink / raw)
To: Theodore Ts'o, Ye Bin
Cc: clang-built-linux, kbuild-all, Ext4 Developers List, Theodore Ts'o
[-- Attachment #1: Type: text/plain, Size: 12209 bytes --]
Hi Theodore,
I love your patch! Perhaps something to improve:
[auto build test WARNING on ext4/dev]
[also build test WARNING on next-20210701]
[cannot apply to v5.13]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
config: mips-randconfig-r021-20210702 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 9eb613b2de3163686b1a4bd1160f15ac56a4b083)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install mips cross compiling tool for clang build
# apt-get install binutils-mips-linux-gnu
# https://github.com/0day-ci/linux/commit/37b4aa9eef5b3f07f803e18d4dba7aba46148f87
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
git checkout 37b4aa9eef5b3f07f803e18d4dba7aba46148f87
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=mips
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> fs/ext4/mmp.c:247:1: warning: unused label 'exit_thread' [-Wunused-label]
exit_thread:
^~~~~~~~~~~~
1 warning generated.
vim +/exit_thread +247 fs/ext4/mmp.c
c5e06d101aaf72 Johann Lombardi 2011-05-24 124
c5e06d101aaf72 Johann Lombardi 2011-05-24 125 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 126 * kmmpd will update the MMP sequence every s_mmp_update_interval seconds
c5e06d101aaf72 Johann Lombardi 2011-05-24 127 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi 2011-05-24 129 {
618f003199c618 Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 142
c5e06d101aaf72 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi 2011-05-24 155
215fc6af739d2d Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi 2011-05-24 158
c5e06d101aaf72 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72 Johann Lombardi 2011-05-24 172
c5e06d101aaf72 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi 2011-05-24 176
5c359a47e7d999 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f6 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 189
c5e06d101aaf72 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72 Johann Lombardi 2011-05-24 194
c5e06d101aaf72 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi 2011-05-24 204
c5e06d101aaf72 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 212
c5e06d101aaf72 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 228
c5e06d101aaf72 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 238
c5e06d101aaf72 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 244
5c359a47e7d999 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 246
0304688676bdfc vikram.jadhav07 2016-03-13 @247 exit_thread:
c5e06d101aaf72 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 252 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
[-- Attachment #2: .config.gz --]
[-- Type: application/gzip, Size: 33147 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* Re: [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
@ 2021-07-02 21:36 ` kernel test robot
0 siblings, 0 replies; 7+ messages in thread
From: kernel test robot @ 2021-07-02 21:36 UTC (permalink / raw)
To: kbuild-all
[-- Attachment #1: Type: text/plain, Size: 12385 bytes --]
Hi Theodore,
I love your patch! Perhaps something to improve:
[auto build test WARNING on ext4/dev]
[also build test WARNING on next-20210701]
[cannot apply to v5.13]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]
url: https://github.com/0day-ci/linux/commits/Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
base: https://git.kernel.org/pub/scm/linux/kernel/git/tytso/ext4.git dev
config: mips-randconfig-r021-20210702 (attached as .config)
compiler: clang version 13.0.0 (https://github.com/llvm/llvm-project 9eb613b2de3163686b1a4bd1160f15ac56a4b083)
reproduce (this is a W=1 build):
wget https://raw.githubusercontent.com/intel/lkp-tests/master/sbin/make.cross -O ~/bin/make.cross
chmod +x ~/bin/make.cross
# install mips cross compiling tool for clang build
# apt-get install binutils-mips-linux-gnu
# https://github.com/0day-ci/linux/commit/37b4aa9eef5b3f07f803e18d4dba7aba46148f87
git remote add linux-review https://github.com/0day-ci/linux
git fetch --no-tags linux-review Theodore-Ts-o/ext4-possible-use-after-free-when-remounting-r-o-a-mmp-protected-file-system/20210703-005856
git checkout 37b4aa9eef5b3f07f803e18d4dba7aba46148f87
# save the attached .config to linux build tree
COMPILER_INSTALL_PATH=$HOME/0day COMPILER=clang make.cross ARCH=mips
If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>
All warnings (new ones prefixed by >>):
>> fs/ext4/mmp.c:247:1: warning: unused label 'exit_thread' [-Wunused-label]
exit_thread:
^~~~~~~~~~~~
1 warning generated.
vim +/exit_thread +247 fs/ext4/mmp.c
c5e06d101aaf72 Johann Lombardi 2011-05-24 124
c5e06d101aaf72 Johann Lombardi 2011-05-24 125 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 126 * kmmpd will update the MMP sequence every s_mmp_update_interval seconds
c5e06d101aaf72 Johann Lombardi 2011-05-24 127 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 128 static int kmmpd(void *data)
c5e06d101aaf72 Johann Lombardi 2011-05-24 129 {
618f003199c618 Pavel Skripkin 2021-04-30 130 struct super_block *sb = (struct super_block *) data;
c5e06d101aaf72 Johann Lombardi 2011-05-24 131 struct ext4_super_block *es = EXT4_SB(sb)->s_es;
618f003199c618 Pavel Skripkin 2021-04-30 132 struct buffer_head *bh = EXT4_SB(sb)->s_mmp_bh;
c5e06d101aaf72 Johann Lombardi 2011-05-24 133 struct mmp_struct *mmp;
c5e06d101aaf72 Johann Lombardi 2011-05-24 134 ext4_fsblk_t mmp_block;
c5e06d101aaf72 Johann Lombardi 2011-05-24 135 u32 seq = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 136 unsigned long failed_writes = 0;
c5e06d101aaf72 Johann Lombardi 2011-05-24 137 int mmp_update_interval = le16_to_cpu(es->s_mmp_update_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 138 unsigned mmp_check_interval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 139 unsigned long last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 140 unsigned long diff;
c5e06d101aaf72 Johann Lombardi 2011-05-24 141 int retval;
c5e06d101aaf72 Johann Lombardi 2011-05-24 142
c5e06d101aaf72 Johann Lombardi 2011-05-24 143 mmp_block = le64_to_cpu(es->s_mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 144 mmp = (struct mmp_struct *)(bh->b_data);
af123b3718592a Arnd Bergmann 2018-07-29 145 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 146 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 147 * Start with the higher mmp_check_interval and reduce it if
c5e06d101aaf72 Johann Lombardi 2011-05-24 148 * the MMP block is being updated on time.
c5e06d101aaf72 Johann Lombardi 2011-05-24 149 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 150 mmp_check_interval = max(EXT4_MMP_CHECK_MULT * mmp_update_interval,
c5e06d101aaf72 Johann Lombardi 2011-05-24 151 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 152 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
14c9ca0583eee8 Andreas Dilger 2020-01-26 153 BUILD_BUG_ON(sizeof(mmp->mmp_bdevname) < BDEVNAME_SIZE);
c5e06d101aaf72 Johann Lombardi 2011-05-24 154 bdevname(bh->b_bdev, mmp->mmp_bdevname);
c5e06d101aaf72 Johann Lombardi 2011-05-24 155
215fc6af739d2d Nikitas Angelinas 2011-10-18 156 memcpy(mmp->mmp_nodename, init_utsname()->nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 157 sizeof(mmp->mmp_nodename));
c5e06d101aaf72 Johann Lombardi 2011-05-24 158
c5e06d101aaf72 Johann Lombardi 2011-05-24 159 while (!kthread_should_stop()) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 160 if (!(le32_to_cpu(es->s_feature_incompat) &
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 161 EXT4_FEATURE_INCOMPAT_MMP)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 162 ext4_warning(sb, "kmmpd being stopped since MMP feature"
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 163 " has been disabled.");
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 164 goto wait_to_exit;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 165 }
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 166 if (sb_rdonly(sb)) {
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 167 schedule_timeout_interruptible(HZ);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 168 continue;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 169 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 170 if (++seq > EXT4_MMP_SEQ_MAX)
c5e06d101aaf72 Johann Lombardi 2011-05-24 171 seq = 1;
c5e06d101aaf72 Johann Lombardi 2011-05-24 172
c5e06d101aaf72 Johann Lombardi 2011-05-24 173 mmp->mmp_seq = cpu_to_le32(seq);
af123b3718592a Arnd Bergmann 2018-07-29 174 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 175 last_update_time = jiffies;
c5e06d101aaf72 Johann Lombardi 2011-05-24 176
5c359a47e7d999 Darrick J. Wong 2012-04-29 177 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 178 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 179 * Don't spew too many error messages. Print one every
c5e06d101aaf72 Johann Lombardi 2011-05-24 180 * (s_mmp_update_interval * 60) seconds.
c5e06d101aaf72 Johann Lombardi 2011-05-24 181 */
bdfc230f33a9da Nikitas Angelinas 2011-10-18 182 if (retval) {
878520ac45f9f6 Theodore Ts'o 2019-11-19 183 if ((failed_writes % 60) == 0) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 184 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 185 "Error writing to MMP block");
878520ac45f9f6 Theodore Ts'o 2019-11-19 186 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 187 failed_writes++;
c5e06d101aaf72 Johann Lombardi 2011-05-24 188 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 189
c5e06d101aaf72 Johann Lombardi 2011-05-24 190 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 191 if (diff < mmp_update_interval * HZ)
c5e06d101aaf72 Johann Lombardi 2011-05-24 192 schedule_timeout_interruptible(mmp_update_interval *
c5e06d101aaf72 Johann Lombardi 2011-05-24 193 HZ - diff);
c5e06d101aaf72 Johann Lombardi 2011-05-24 194
c5e06d101aaf72 Johann Lombardi 2011-05-24 195 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 196 * We need to make sure that more than mmp_check_interval
c5e06d101aaf72 Johann Lombardi 2011-05-24 197 * seconds have not passed since writing. If that has happened
c5e06d101aaf72 Johann Lombardi 2011-05-24 198 * we need to check if the MMP block is as we left it.
c5e06d101aaf72 Johann Lombardi 2011-05-24 199 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 200 diff = jiffies - last_update_time;
c5e06d101aaf72 Johann Lombardi 2011-05-24 201 if (diff > mmp_check_interval * HZ) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 202 struct buffer_head *bh_check = NULL;
c5e06d101aaf72 Johann Lombardi 2011-05-24 203 struct mmp_struct *mmp_check;
c5e06d101aaf72 Johann Lombardi 2011-05-24 204
c5e06d101aaf72 Johann Lombardi 2011-05-24 205 retval = read_mmp_block(sb, &bh_check, mmp_block);
c5e06d101aaf72 Johann Lombardi 2011-05-24 206 if (retval) {
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 207 ext4_error_err(sb, -retval,
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 208 "error reading MMP data: %d",
c5e06d101aaf72 Johann Lombardi 2011-05-24 209 retval);
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 210 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 211 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 212
c5e06d101aaf72 Johann Lombardi 2011-05-24 213 mmp_check = (struct mmp_struct *)(bh_check->b_data);
c5e06d101aaf72 Johann Lombardi 2011-05-24 214 if (mmp->mmp_seq != mmp_check->mmp_seq ||
c5e06d101aaf72 Johann Lombardi 2011-05-24 215 memcmp(mmp->mmp_nodename, mmp_check->mmp_nodename,
c5e06d101aaf72 Johann Lombardi 2011-05-24 216 sizeof(mmp->mmp_nodename))) {
c5e06d101aaf72 Johann Lombardi 2011-05-24 217 dump_mmp_msg(sb, mmp_check,
c5e06d101aaf72 Johann Lombardi 2011-05-24 218 "Error while updating MMP info. "
c5e06d101aaf72 Johann Lombardi 2011-05-24 219 "The filesystem seems to have been"
c5e06d101aaf72 Johann Lombardi 2011-05-24 220 " multiply mounted.");
54d3adbc29f0c7 Theodore Ts'o 2020-03-28 221 ext4_error_err(sb, EBUSY, "abort");
0304688676bdfc vikram.jadhav07 2016-03-13 222 put_bh(bh_check);
0304688676bdfc vikram.jadhav07 2016-03-13 223 retval = -EBUSY;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 224 goto wait_to_exit;
c5e06d101aaf72 Johann Lombardi 2011-05-24 225 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 226 put_bh(bh_check);
c5e06d101aaf72 Johann Lombardi 2011-05-24 227 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 228
c5e06d101aaf72 Johann Lombardi 2011-05-24 229 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 230 * Adjust the mmp_check_interval depending on how much time
c5e06d101aaf72 Johann Lombardi 2011-05-24 231 * it took for the MMP block to be written.
c5e06d101aaf72 Johann Lombardi 2011-05-24 232 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 233 mmp_check_interval = max(min(EXT4_MMP_CHECK_MULT * diff / HZ,
c5e06d101aaf72 Johann Lombardi 2011-05-24 234 EXT4_MMP_MAX_CHECK_INTERVAL),
c5e06d101aaf72 Johann Lombardi 2011-05-24 235 EXT4_MMP_MIN_CHECK_INTERVAL);
c5e06d101aaf72 Johann Lombardi 2011-05-24 236 mmp->mmp_check_interval = cpu_to_le16(mmp_check_interval);
c5e06d101aaf72 Johann Lombardi 2011-05-24 237 }
c5e06d101aaf72 Johann Lombardi 2011-05-24 238
c5e06d101aaf72 Johann Lombardi 2011-05-24 239 /*
c5e06d101aaf72 Johann Lombardi 2011-05-24 240 * Unmount seems to be clean.
c5e06d101aaf72 Johann Lombardi 2011-05-24 241 */
c5e06d101aaf72 Johann Lombardi 2011-05-24 242 mmp->mmp_seq = cpu_to_le32(EXT4_MMP_SEQ_CLEAN);
af123b3718592a Arnd Bergmann 2018-07-29 243 mmp->mmp_time = cpu_to_le64(ktime_get_real_seconds());
c5e06d101aaf72 Johann Lombardi 2011-05-24 244
5c359a47e7d999 Darrick J. Wong 2012-04-29 245 retval = write_mmp_block(sb, bh);
c5e06d101aaf72 Johann Lombardi 2011-05-24 246
0304688676bdfc vikram.jadhav07 2016-03-13 @247 exit_thread:
c5e06d101aaf72 Johann Lombardi 2011-05-24 248 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 249 wait_to_exit:
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 250 while (!kthread_should_stop())
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 251 schedule();
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 252 return retval;
37b4aa9eef5b3f Theodore Ts'o 2021-07-02 253
---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all(a)lists.01.org
[-- Attachment #2: config.gz --]
[-- Type: application/gzip, Size: 33147 bytes --]
^ permalink raw reply [flat|nested] 7+ messages in thread
* [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system
2021-06-29 14:36 [PATCH 0/2] Fix use-after-free about sbi->s_mmp_tsk Ye Bin
@ 2021-07-02 16:57 ` Theodore Ts'o
2021-07-02 21:36 ` kernel test robot
2021-07-03 12:57 ` Dan Carpenter
0 siblings, 2 replies; 7+ messages in thread
From: Theodore Ts'o @ 2021-07-02 16:57 UTC (permalink / raw)
To: Ye Bin; +Cc: Ext4 Developers List, Theodore Ts'o
After commit 618f003199c6 ("ext4: fix memory leak in
ext4_fill_super"), after the file system is remounted read-only, there
is a race where the kmmpd thread can exit, causing sbi->s_mmp_tsk to
point at freed memory, which the call to ext4_stop_mmpd() can trip
over.
Fix this by only allowing kmmpd() to exit when it is stopped via
ext4_stop_mmpd().
Link: https://lore.kernel.org/r/e525c0bf7b18da426bb3d3dd63830a3f85218a9e.1625244710.git.tytso@mit.edu
Reported-by: Ye Bin <yebin10@huawei.com>
Bug-Report-Link: <20210629143603.2166962-1-yebin10@huawei.com>
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
---
Ye, thanks for reporting the bug! I think this might be a better way
to address the problem, since it avoids adding a mutex just to protect
s_mmp_tsk. What do you think?
fs/ext4/mmp.c | 31 +++++++++++++++++--------------
fs/ext4/super.c | 6 +++++-
2 files changed, 22 insertions(+), 15 deletions(-)
diff --git a/fs/ext4/mmp.c b/fs/ext4/mmp.c
index 6cb598b549ca..af461df1c1ec 100644
--- a/fs/ext4/mmp.c
+++ b/fs/ext4/mmp.c
@@ -157,6 +157,16 @@ static int kmmpd(void *data)
sizeof(mmp->mmp_nodename));
while (!kthread_should_stop()) {
+ if (!(le32_to_cpu(es->s_feature_incompat) &
+ EXT4_FEATURE_INCOMPAT_MMP)) {
+ ext4_warning(sb, "kmmpd being stopped since MMP feature"
+ " has been disabled.");
+ goto wait_to_exit;
+ }
+ if (sb_rdonly(sb)) {
+ schedule_timeout_interruptible(HZ);
+ continue;
+ }
if (++seq > EXT4_MMP_SEQ_MAX)
seq = 1;
@@ -177,16 +187,6 @@ static int kmmpd(void *data)
failed_writes++;
}
- if (!(le32_to_cpu(es->s_feature_incompat) &
- EXT4_FEATURE_INCOMPAT_MMP)) {
- ext4_warning(sb, "kmmpd being stopped since MMP feature"
- " has been disabled.");
- goto exit_thread;
- }
-
- if (sb_rdonly(sb))
- break;
-
diff = jiffies - last_update_time;
if (diff < mmp_update_interval * HZ)
schedule_timeout_interruptible(mmp_update_interval *
@@ -207,7 +207,7 @@ static int kmmpd(void *data)
ext4_error_err(sb, -retval,
"error reading MMP data: %d",
retval);
- goto exit_thread;
+ goto wait_to_exit;
}
mmp_check = (struct mmp_struct *)(bh_check->b_data);
@@ -221,7 +221,7 @@ static int kmmpd(void *data)
ext4_error_err(sb, EBUSY, "abort");
put_bh(bh_check);
retval = -EBUSY;
- goto exit_thread;
+ goto wait_to_exit;
}
put_bh(bh_check);
}
@@ -246,6 +246,11 @@ static int kmmpd(void *data)
exit_thread:
return retval;
+wait_to_exit:
+ while (!kthread_should_stop())
+ schedule();
+ return retval;
+
}
void ext4_stop_mmpd(struct ext4_sb_info *sbi)
@@ -391,5 +396,3 @@ int ext4_multi_mount_protect(struct super_block *sb,
brelse(bh);
return 1;
}
-
-
diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index cdbe71d935e8..b8ff0399e171 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -5993,7 +5993,6 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
*/
ext4_mark_recovery_complete(sb, es);
}
- ext4_stop_mmpd(sbi);
} else {
/* Make sure we can mount this feature set readwrite */
if (ext4_has_feature_readonly(sb) ||
@@ -6107,6 +6106,9 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
if (!test_opt(sb, BLOCK_VALIDITY) && sbi->s_system_blks)
ext4_release_system_zone(sb);
+ if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb))
+ ext4_stop_mmpd(sbi);
+
/*
* Some options can be enabled by ext4 and/or by VFS mount flag
* either way we need to make sure it matches in both *flags and
@@ -6140,6 +6142,8 @@ static int ext4_remount(struct super_block *sb, int *flags, char *data)
for (i = 0; i < EXT4_MAXQUOTAS; i++)
kfree(to_free[i]);
#endif
+ if (!ext4_has_feature_mmp(sb) || sb_rdonly(sb))
+ ext4_stop_mmpd(sbi);
kfree(orig_data);
return err;
}
--
2.31.0
^ permalink raw reply related [flat|nested] 7+ messages in thread
end of thread, other threads:[~2021-07-03 12:58 UTC | newest]
Thread overview: 7+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-02 20:49 [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system kernel test robot
-- strict thread matches above, loose matches on Subject: below --
2021-06-29 14:36 [PATCH 0/2] Fix use-after-free about sbi->s_mmp_tsk Ye Bin
2021-07-02 16:57 ` [PATCH] ext4: possible use-after-free when remounting r/o a mmp-protected file system Theodore Ts'o
2021-07-02 21:36 ` kernel test robot
2021-07-02 21:36 ` kernel test robot
2021-07-03 12:57 ` Dan Carpenter
2021-07-02 23:52 ` kernel test robot
2021-07-03 12:57 ` Dan Carpenter
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.