From: Dongliang Mu <mudongliangabcd@gmail.com>
To: Jeff Layton <jlayton@kernel.org>
Cc: David Howells <dhowells@redhat.com>,
linux-cachefs@redhat.com,
linux-kernel <linux-kernel@vger.kernel.org>
Subject: Re: [PATCH] fscache: fix GPF in fscache_free_cookie
Date: Thu, 28 Oct 2021 10:20:07 +0800 [thread overview]
Message-ID: <CAD-N9QV=Nd+T3wa6xyq6WOP7Mex7s4_sCFnvAM8FU+_dOFHgqQ@mail.gmail.com> (raw)
In-Reply-To: <a2f738d08d14417a693c6f0d7f97faff448595ab.camel@kernel.org>
On Wed, Oct 27, 2021 at 11:16 PM Jeff Layton <jlayton@kernel.org> wrote:
>
> On Wed, 2021-10-27 at 23:07 +0800, Dongliang Mu wrote:
> > If fscache_alloc_cookie encounters memory allocation failure, it will
> > go to nomem label and invoke fscache_free_cookie. However,
> > fscache_alloc_cookie assumes current cookie is already linked into
> > fscache_cookies and directly calls list_del. This assumption does not
> > hold since list_add is not called in the above scenario. As a result, it
> > will lead to Null Pointer Dereference. The stack trace is in the
> > following.
> >
> > Call Trace:
> > __list_del_entry include/linux/list.h:132 [inline]
> > list_del include/linux/list.h:146 [inline]
> > fscache_free_cookie fs/fscache/cookie.c:71 [inline]
> > fscache_free_cookie+0x3f/0x100 fs/fscache/cookie.c:66
> > fscache_alloc_cookie+0x2e2/0x300 fs/fscache/cookie.c:195
> > __fscache_acquire_cookie fs/fscache/cookie.c:296 [inline]
> > __fscache_acquire_cookie+0x132/0x380 fs/fscache/cookie.c:257
> > fscache_acquire_cookie include/linux/fscache.h:334 [inline]
> > v9fs_cache_session_get_cookie+0x74/0x120 fs/9p/cache.c:60
> > v9fs_session_init+0x724/0xa90 fs/9p/v9fs.c:471
> > v9fs_mount+0x56/0x450 fs/9p/vfs_super.c:126
> > legacy_get_tree+0x2b/0x90 fs/fs_context.c:610
> > vfs_get_tree+0x28/0x100 fs/super.c:1498
> > do_new_mount fs/namespace.c:2988 [inline]
> > path_mount+0xb92/0xfe0 fs/namespace.c:3318
> > do_mount+0xa1/0xc0 fs/namespace.c:3331
> > __do_sys_mount fs/namespace.c:3539 [inline]
> > __se_sys_mount fs/namespace.c:3516 [inline]
> > __x64_sys_mount+0xf4/0x160 fs/namespace.c:3516
> >
> > Fix this by moving the list_add_tail before goto statements.
> >
> > Fixes: 884a76881fc5 ("fscache: Procfile to display cookies")
> > Signed-off-by: Dongliang Mu <mudongliangabcd@gmail.com>
> > ---
> > fs/fscache/cookie.c | 8 +++++---
> > 1 file changed, 5 insertions(+), 3 deletions(-)
> >
> > diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
> > index cd42be646ed3..d101e212db74 100644
> > --- a/fs/fscache/cookie.c
> > +++ b/fs/fscache/cookie.c
> > @@ -150,6 +150,11 @@ struct fscache_cookie *fscache_alloc_cookie(
> > if (!cookie)
> > return NULL;
> >
> > + /* move list_add_tail before any error handling code */
> > + write_lock(&fscache_cookies_lock);
> > + list_add_tail(&cookie->proc_link, &fscache_cookies);
> > + write_unlock(&fscache_cookies_lock);
> > +
> > cookie->key_len = index_key_len;
> > cookie->aux_len = aux_data_len;
> >
> > @@ -186,9 +191,6 @@ struct fscache_cookie *fscache_alloc_cookie(
> > * told it may not wait */
> > INIT_RADIX_TREE(&cookie->stores, GFP_NOFS & ~__GFP_DIRECT_RECLAIM);
> >
> > - write_lock(&fscache_cookies_lock);
> > - list_add_tail(&cookie->proc_link, &fscache_cookies);
> > - write_unlock(&fscache_cookies_lock);
> > return cookie;
> >
> > nomem:
>
> Nice catch!
>
> Reviewed-by: Jeff Layton <jlayton@kernel.org>
Hi Jeff,
fscache_free_cookie also has an issue in cookie->backing_objects, but
it does not affect the execution. The reason is in the following:
At first, I observed that the cookie->backing_objects in
fscache_alloc_cookie is not initialized with INIT_HLIST_HEAD when an
error occurs. It may lead to some issues in the fscache_free_cookie,
e.g., WARN_ON.
Actually, it does not due to the zero initialization of
kmem_cache_zalloc before. cookie->backing_objects is already with two
null pointers. It does not need INIT_HLIST_HEAD.
And in the fscache_free_cookie, it actually does not trigger
WARN_ON(!hlist_empty()).
So I wonder if we need to explicitly move INIT_HLIST_HEAD before any
error handling code.
>
next prev parent reply other threads:[~2021-10-28 2:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-10-27 15:07 [PATCH] fscache: fix GPF in fscache_free_cookie Dongliang Mu
2021-10-27 15:16 ` Jeff Layton
2021-10-28 2:20 ` Dongliang Mu [this message]
2021-10-28 10:39 ` Jeff Layton
2021-10-28 12:06 ` Dongliang Mu
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to='CAD-N9QV=Nd+T3wa6xyq6WOP7Mex7s4_sCFnvAM8FU+_dOFHgqQ@mail.gmail.com' \
--to=mudongliangabcd@gmail.com \
--cc=dhowells@redhat.com \
--cc=jlayton@kernel.org \
--cc=linux-cachefs@redhat.com \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.