From: David Wysochanski <dwysocha@redhat.com>
To: David Howells <dhowells@redhat.com>
Cc: linux-cachefs <linux-cachefs@redhat.com>,
	linux-nfs <linux-nfs@vger.kernel.org>
Subject: Re: [PATCH] fscache: Need to go round again after processing LRU_DISCARDING state
Date: Mon, 13 Dec 2021 16:05:25 -0500
Message-ID: <CALF+zO=_DeOHLARqFqZ2qL04PcwBGOxTXf5UUdBNQj29yOSYvw@mail.gmail.com>
In-Reply-To: <599331.1639410068@warthog.procyon.org.uk>

On Mon, Dec 13, 2021 at 10:41 AM David Howells <dhowells@redhat.com> wrote:
>
> David Wysochanski <dwysocha@redhat.com> wrote:
>
> > > [  432.921382] BUG: KASAN: use-after-free in fscache_unhash_cookie+0x9e/0x160 [fscache]
>
> I think the patch below is the way to fix this.
>
> David
> ---
> fscache: Need to go round again after processing LRU_DISCARDING state
>
> There's a race between the LRU discard and relinquishment actions.  In the
> state machine, fscache_cookie_state_machine(), the ACTIVE state transits to
> the LRU_DISCARD state in preference to transiting to the RELINQUISHING or
> WITHDRAWING states.
>
> This should be fine, but the LRU_DISCARDING state just breaks out the
> bottom of the function without going round again after transiting to the
> QUIESCENT state.
>
> However, if both LRU discard and relinquishment happen *before* the SM
> runs, one of the queue events will get discarded, along with the ref that
> would be associated with it.  The last ref is then discarded and the cookie
> is removed without completing the relinquishment process - leaving the
> cookie hashed.
>
> The fix is to make sure that the SM always goes back around after changing
> the state.
>
> Signed-off-by: David Howells <dhowells@redhat.com>
> ---
>
> diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
> index d7e825d636e2..8d0769a5ee2b 100644
> --- a/fs/fscache/cookie.c
> +++ b/fs/fscache/cookie.c
> @@ -755,7 +755,7 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie)
>                 set_bit(FSCACHE_COOKIE_NO_DATA_TO_READ, &cookie->flags);
>                 __fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_QUIESCENT);
>                 wake = true;
> -               break;
> +               goto again_locked;
>
>         case FSCACHE_COOKIE_STATE_DROPPED:
>                 break;
>
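
Review bot: At the `goto again_locked;` that replaces the `break;`, `wake = true` has just been set, so please confirm that nothing at or after the `again_locked` label reinitialises `wake`; otherwise the wake-up for the QUIESCENT transition could be lost on the second pass. The changelog says the SM should always go back around after changing the state, but this hunk touches only this one case, so it would help to say in the changelog that the other state-changing cases were checked, and to add a one-line comment here on why this case must re-evaluate (a relinquishment that arrived while the LRU discard was pending).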

Agree and verified with xfstests generic full runs twice with NFSv3.
Prior to this patch with NFSv3 xfstest I'd regularly see the crash:
BUG: KASAN: use-after-free in __fscache_acquire_cookie+0x437
https://marc.info/?l=v9fs-developer&m=163916153103008&w=2
https://marc.info/?l=linux-nfs&m=163917893813589&w=2

Tested-by: Dave Wysochanski <dwysocha@redhat.com>

