From: Chandan Babu R <chandan.babu@oracle.com>
To: djwong@kernel.org
Cc: chandan.babu@oracle.com, linux-xfs@vger.kernel.org,
amir73il@gmail.com, leah.rumancik@gmail.com
Subject: [PATCH 5.4 CANDIDATE 26/26] xfs: fix use-after-free on CIL context on shutdown
Date: Mon, 24 Oct 2022 10:23:14 +0530 [thread overview]
Message-ID: <20221024045314.110453-27-chandan.babu@oracle.com> (raw)
In-Reply-To: <20221024045314.110453-1-chandan.babu@oracle.com>
From: Dave Chinner <dchinner@redhat.com>
commit c7f87f3984cfa1e6d32806a715f35c5947ad9c09 upstream.
xlog_wait() on the CIL context can reference a freed context if the
waiter doesn't get scheduled before the CIL context is freed. This
can happen when a task is on the hard throttle and the CIL push
aborts due to a shutdown. This was detected by generic/019:
thread 1 thread 2
__xfs_trans_commit
xfs_log_commit_cil
<CIL size over hard throttle limit>
xlog_wait
schedule
xlog_cil_push_work
wake_up_all
<shutdown aborts commit>
xlog_cil_committed
kmem_free
remove_wait_queue
spin_lock_irqsave --> UAF
Fix it by moving the wait queue to the CIL rather than keeping it in
in the CIL context that gets freed on push completion. Because the
wait queue is now independent of the CIL context and we might have
multiple contexts in flight at once, only wake the waiters on the
push throttle when the context we are pushing is over the hard
throttle size threshold.
Fixes: 0e7ab7efe7745 ("xfs: Throttle commits on delayed background CIL push")
Reported-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Chandan Babu R <chandan.babu@oracle.com>
---
fs/xfs/xfs_log_cil.c | 10 +++++-----
fs/xfs/xfs_log_priv.h | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/xfs/xfs_log_cil.c b/fs/xfs/xfs_log_cil.c
index 4a09d50e1368..550fd5de2404 100644
--- a/fs/xfs/xfs_log_cil.c
+++ b/fs/xfs/xfs_log_cil.c
@@ -673,7 +673,8 @@ xlog_cil_push(
/*
* Wake up any background push waiters now this context is being pushed.
*/
- wake_up_all(&ctx->push_wait);
+ if (ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log))
+ wake_up_all(&cil->xc_push_wait);
/*
* Check if we've anything to push. If there is nothing, then we don't
@@ -745,13 +746,12 @@ xlog_cil_push(
/*
* initialise the new context and attach it to the CIL. Then attach
- * the current context to the CIL committing lsit so it can be found
+ * the current context to the CIL committing list so it can be found
* during log forces to extract the commit lsn of the sequence that
* needs to be forced.
*/
INIT_LIST_HEAD(&new_ctx->committing);
INIT_LIST_HEAD(&new_ctx->busy_extents);
- init_waitqueue_head(&new_ctx->push_wait);
new_ctx->sequence = ctx->sequence + 1;
new_ctx->cil = cil;
cil->xc_ctx = new_ctx;
@@ -946,7 +946,7 @@ xlog_cil_push_background(
if (cil->xc_ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log)) {
trace_xfs_log_cil_wait(log, cil->xc_ctx->ticket);
ASSERT(cil->xc_ctx->space_used < log->l_logsize);
- xlog_wait(&cil->xc_ctx->push_wait, &cil->xc_push_lock);
+ xlog_wait(&cil->xc_push_wait, &cil->xc_push_lock);
return;
}
@@ -1222,12 +1222,12 @@ xlog_cil_init(
INIT_LIST_HEAD(&cil->xc_committing);
spin_lock_init(&cil->xc_cil_lock);
spin_lock_init(&cil->xc_push_lock);
+ init_waitqueue_head(&cil->xc_push_wait);
init_rwsem(&cil->xc_ctx_lock);
init_waitqueue_head(&cil->xc_commit_wait);
INIT_LIST_HEAD(&ctx->committing);
INIT_LIST_HEAD(&ctx->busy_extents);
- init_waitqueue_head(&ctx->push_wait);
ctx->sequence = 1;
ctx->cil = cil;
cil->xc_ctx = ctx;
diff --git a/fs/xfs/xfs_log_priv.h b/fs/xfs/xfs_log_priv.h
index f231b7dfaeab..3a5d7fb09c43 100644
--- a/fs/xfs/xfs_log_priv.h
+++ b/fs/xfs/xfs_log_priv.h
@@ -247,7 +247,6 @@ struct xfs_cil_ctx {
struct xfs_log_vec *lv_chain; /* logvecs being pushed */
struct list_head iclog_entry;
struct list_head committing; /* ctx committing list */
- wait_queue_head_t push_wait; /* background push throttle */
struct work_struct discard_endio_work;
};
@@ -281,6 +280,7 @@ struct xfs_cil {
wait_queue_head_t xc_commit_wait;
xfs_lsn_t xc_current_sequence;
struct work_struct xc_push_work;
+ wait_queue_head_t xc_push_wait; /* background push throttle */
} ____cacheline_aligned_in_smp;
/*
--
2.35.1
next prev parent reply other threads:[~2022-10-24 4:56 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-10-24 4:52 [PATCH 5.4 CANDIDATE 00/26] xfs stable candidate patches for 5.4.y (from v5.7) Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 01/26] xfs: open code insert range extent split helper Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 02/26] xfs: rework insert range into an atomic operation Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 03/26] xfs: rework collapse " Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 04/26] xfs: add a function to deal with corrupt buffers post-verifiers Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 05/26] xfs: xfs_buf_corruption_error should take __this_address Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 06/26] xfs: fix buffer corruption reporting when xfs_dir3_free_header_check fails Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 07/26] xfs: check owner of dir3 data blocks Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 08/26] xfs: check owner of dir3 blocks Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 09/26] xfs: Use scnprintf() for avoiding potential buffer overflow Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 10/26] xfs: remove the xfs_disk_dquot_t and xfs_dquot_t Chandan Babu R
2022-10-24 4:52 ` [PATCH 5.4 CANDIDATE 11/26] xfs: remove the xfs_dq_logitem_t typedef Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 12/26] xfs: remove the xfs_qoff_logitem_t typedef Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 13/26] xfs: Replace function declaration by actual definition Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 14/26] xfs: factor out quotaoff intent AIL removal and memory free Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 15/26] xfs: fix unmount hang and memory leak on shutdown during quotaoff Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 16/26] xfs: preserve default grace interval during quotacheck Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 17/26] xfs: Lower CIL flush limit for large logs Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 18/26] xfs: Throttle commits on delayed background CIL push Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 19/26] xfs: factor common AIL item deletion code Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 20/26] xfs: tail updates only need to occur when LSN changes Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 21/26] xfs: don't write a corrupt unmount record to force summary counter recalc Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 22/26] xfs: trylock underlying buffer on dquot flush Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 23/26] xfs: factor out a new xfs_log_force_inode helper Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 24/26] xfs: reflink should force the log out if mounted with wsync Chandan Babu R
2022-10-24 4:53 ` [PATCH 5.4 CANDIDATE 25/26] xfs: move inode flush to the sync workqueue Chandan Babu R
2022-10-24 4:53 ` Chandan Babu R [this message]
2022-10-24 21:43 ` [PATCH 5.4 CANDIDATE 00/26] xfs stable candidate patches for 5.4.y (from v5.7) Darrick J. Wong
2022-10-25 5:44 ` Chandan Babu R
2022-10-25 16:47 ` Darrick J. Wong
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20221024045314.110453-27-chandan.babu@oracle.com \
--to=chandan.babu@oracle.com \
--cc=amir73il@gmail.com \
--cc=djwong@kernel.org \
--cc=leah.rumancik@gmail.com \
--cc=linux-xfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.