linux-nfs.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Cristian Marussi <cristian.marussi@arm.com>
To: Punit Agrawal <punit.agrawal@arm.com>
Cc: Linux NFS Mailing List <linux-nfs@vger.kernel.org>,
	trond.myklebust@hammerspace.com, anna.schumaker@netapp.com,
	anna.schumaker@netapp.com
Subject: Re: [aarch64] refcount_t: use-after-free in NFS with 64k pages
Date: Fri, 19 Oct 2018 16:35:04 +0100	[thread overview]
Message-ID: <abf58cfc-a575-cb36-47a1-b1135f080362@arm.com> (raw)
In-Reply-To: <87va5yvubk.fsf@e105922-lin.cambridge.arm.com>

Hi Punit

On 19/10/18 16:18, Punit Agrawal wrote:
> Hi Cristian,
> 
[...]
> 
> The stacktrace suggests it's the same issue that I'd reported earlier -
> 
>      https://lkml.org/lkml/2018/6/29/209
> 
> though without the analysis below.
> 
> [...]
> 
>> diff --git a/fs/nfs/pagelist.c b/fs/nfs/pagelist.c
>> index bb5476a6d264..171813f9a291 100644
>> --- a/fs/nfs/pagelist.c
>> +++ b/fs/nfs/pagelist.c
>> @@ -432,6 +432,15 @@ void nfs_free_request(struct nfs_page *req)
>>
>>   void nfs_release_request(struct nfs_page *req)
>>   {
>> +       /* WORKAROUND */
>> +       if ((kref_read(&req->wb_kref) == 1) &&
>> +           (req->wb_list.prev != &req->wb_list ||
>> +            req->wb_list.next != &req->wb_list)) {
> 
> Are the last two conditions just checking that wb_list is not empty?

yes ... I basically check if the nfs_page element is still linked 
somewhere just before putting the kref to zero (which will result in a 
final nfs_page_free() on an nfs_page which is instead still used).

I checked both here instead of using list_empty() because list_empty 
just check next pointer (READ_ONCE(head->next) == head;) and I was 
overly paranoid while investigating this initially since I didn't know 
really if it was some race on the list handling itself...

Since nfs_list_remove_request() wrapper func issue a list_del_init(),
once the item is unlinked wb_list list_head should point to itself...if 
it is not ... it still could be accessed after being freed...and it 
happens in fact...while does NOT happen in all the cases in which the
refcount is properly accounted...(I have a ton of Ftracing :D)


Thanks

Cristian

  reply	other threads:[~2018-10-19 23:41 UTC|newest]

Thread overview: 8+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2018-10-19 14:48 [aarch64] refcount_t: use-after-free in NFS with 64k pages Cristian Marussi
2018-10-19 15:18 ` Punit Agrawal
2018-10-19 15:35   ` Cristian Marussi [this message]
2019-02-05 11:53     ` Benjamin Coddington
2019-02-05 12:10       ` Cristian Marussi
2019-02-05 12:14         ` Benjamin Coddington
2019-02-05 12:37           ` Cristian Marussi
2019-02-05 12:50             ` Cristian Marussi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=abf58cfc-a575-cb36-47a1-b1135f080362@arm.com \
    --to=cristian.marussi@arm.com \
    --cc=anna.schumaker@netapp.com \
    --cc=linux-nfs@vger.kernel.org \
    --cc=punit.agrawal@arm.com \
    --cc=trond.myklebust@hammerspace.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).