From: David Howells <dhowells@redhat.com>
To: David Wysochanski <dwysocha@redhat.com>
Cc: dhowells@redhat.com, linux-cachefs <linux-cachefs@redhat.com>, linux-nfs <linux-nfs@vger.kernel.org>
Subject: [PATCH] fscache: Need to go round again after processing LRU_DISCARDING state
Date: Mon, 13 Dec 2021 15:41:08 +0000
Message-ID: <599331.1639410068@warthog.procyon.org.uk>
In-Reply-To: <CALF+zOnmJ0=j8pEMikpxYgLrS10gVZiXfCjBhDz9Je0Qip7wnw@mail.gmail.com>

David Wysochanski <dwysocha@redhat.com> wrote:

> > [ 432.921382] BUG: KASAN: use-after-free in
> > fscache_unhash_cookie+0x9e/0x160 [fscache]^M

I think the patch below is the way to fix this.

David
---
fscache: Need to go round again after processing LRU_DISCARDING state

There's a race between the LRU discard and relinquishment actions. In the
state machine, fscache_cookie_state_machine(), the ACTIVE state transits to
the LRU_DISCARD state in preference to transiting to the RELINQUISHING or
WITHDRAWING states.

This should be fine, but the LRU_DISCARDING state just breaks out the bottom
of the function without going round again after transiting to the QUIESCENT
state.

However, if both LRU discard and relinquishment happen *before* the SM runs,
one of the queue events will get discarded, along with the ref that would be
associated with it. The last ref is then discarded and the cookie is removed
without completing the relinquishment process - leaving the cookie hashed.

The fix is to make sure that the SM always goes back around after changing
the state.

Signed-off-by: David Howells <dhowells@redhat.com>
---
diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c index d7e825d636e2..8d0769a5ee2b 100644 --- a/fs/fscache/cookie.c +++ b/fs/fscache/cookie.c
@@ -755,7 +755,7 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie) set_bit(FSCACHE_COOKIE_NO_DATA_TO_READ, &cookie->flags); __fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_QUIESCENT); wake = true; - break; + goto again_locked; case FSCACHE_COOKIE_STATE_DROPPED: break;
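Review bot: the new `goto again_locked;` on the QUIESCENT transition carries no comment explaining why this case must re-enter the state machine, while the neighbouring `case FSCACHE_COOKIE_STATE_DROPPED:` still ends in a plain `break;`, so the difference reads as arbitrary to a later reader. Suggest a one-line comment at the goto saying that relinquish or withdraw events raised before this run must be re-examined once the cookie is QUIESCENT. It is also worth confirming in the full function that `wake = true;`, set on the line above, is still acted on after the jump, since the `again_locked` label and the wake-up code are outside the visible context.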
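The race described in the commit message, as an added example that is not part of the original mail or the kernel source: a simplified C model in which both events are raised before a single state machine run. The struct, the flag names and the way QUIESCENT picks up a pending relinquish are assumptions made for illustration; only the state names come from the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Simplified model, not kernel code; state names follow the commit message. */
enum state { ACTIVE, LRU_DISCARDING, QUIESCENT, RELINQUISHING, DROPPED };

struct cookie {
    enum state state;
    bool do_lru_discard;   /* pending LRU discard event (assumed flag) */
    bool do_relinquish;    /* pending relinquishment event (assumed flag) */
    bool hashed;           /* cookie is still in the lookup hash table */
};

/* One run of the state machine; go_round selects the patched behaviour. */
static void run_sm(struct cookie *c, bool go_round)
{
again:
    switch (c->state) {
    case ACTIVE:
    case QUIESCENT:
        /* From ACTIVE, LRU discard is preferred over relinquishment. */
        if (c->state == ACTIVE && c->do_lru_discard) {
            c->do_lru_discard = false;
            c->state = LRU_DISCARDING;
            goto again;
        }
        if (c->do_relinquish) {
            c->do_relinquish = false;
            c->state = RELINQUISHING;
            goto again;
        }
        break;
    case LRU_DISCARDING:
        c->state = QUIESCENT;
        if (go_round)
            goto again;    /* patched: re-examine pending events */
        break;             /* unpatched: relinquish is left pending */
    case RELINQUISHING:
        c->hashed = false; /* relinquishment unhashes the cookie */
        c->state = DROPPED;
        break;
    case DROPPED:
        break;
    }
}

/* Both events are raised before the only SM run. Returns true if the
 * cookie is still hashed afterwards, i.e. freeing it now would leave a
 * dangling hash entry. */
static bool left_hashed(bool go_round)
{
    struct cookie c = { ACTIVE, true, true, true };
    run_sm(&c, go_round);
    return c.hashed;
}

int main(void)
{
    printf("break: hashed=%d, goto again: hashed=%d\n",
           left_hashed(false), left_hashed(true));
    return 0;
}
```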