* [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA
@ 2019-01-04 4:20 Jaegeuk Kim
2019-01-04 4:20 ` [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput Jaegeuk Kim
2019-01-04 9:31 ` [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Chao Yu
0 siblings, 2 replies; 5+ messages in thread
From: Jaegeuk Kim @ 2019-01-04 4:20 UTC (permalink / raw)
To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim, stable
Otherwise, we can get wrong counts incurring checkpoint hang.
IO_W (CP: -24, Data: 24, Flush: ( 0 0 1), Discard: ( 0 0))
Cc: <stable@vger.kernel.org>
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/file.c | 12 +++++++-----
1 file changed, 7 insertions(+), 5 deletions(-)
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index bba56b39dcc5..ae2b45e75847 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1750,10 +1750,12 @@ static int f2fs_ioc_start_atomic_write(struct file *filp)
down_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
- if (!get_dirty_pages(inode))
- goto skip_flush;
-
- f2fs_msg(F2FS_I_SB(inode)->sb, KERN_WARNING,
+ /*
+ * Should wait end_io to count F2FS_WB_CP_DATA correctly by
+ * f2fs_is_atomic_file.
+ */
+ if (get_dirty_pages(inode))
+ f2fs_msg(F2FS_I_SB(inode)->sb, KERN_WARNING,
"Unexpected flush for atomic writes: ino=%lu, npages=%u",
inode->i_ino, get_dirty_pages(inode));
ret = filemap_write_and_wait_range(inode->i_mapping, 0, LLONG_MAX);
@@ -1761,7 +1763,7 @@ static int f2fs_ioc_start_atomic_write(struct file *filp)
up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
goto out;
}
-skip_flush:
+
set_inode_flag(inode, FI_ATOMIC_FILE);
clear_inode_flag(inode, FI_ATOMIC_REVOKE_REQUEST);
up_write(&F2FS_I(inode)->i_gc_rwsem[WRITE]);
--
2.19.0.605.g01d371f741-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput
2019-01-04 4:20 [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Jaegeuk Kim
@ 2019-01-04 4:20 ` Jaegeuk Kim
2019-01-04 9:32 ` [f2fs-dev] " Chao Yu
2019-01-04 9:31 ` [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Chao Yu
1 sibling, 1 reply; 5+ messages in thread
From: Jaegeuk Kim @ 2019-01-04 4:20 UTC (permalink / raw)
To: linux-kernel, linux-f2fs-devel; +Cc: Jaegeuk Kim
This fixes wrong access of address spaces of node and meta inodes after iput.
Fixes: 60aa4d5536ab ("f2fs: fix use-after-free issue when accessing sbi->stat_info")
Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
---
fs/f2fs/debug.c | 19 ++++++++++++-------
fs/f2fs/super.c | 5 +++++
2 files changed, 17 insertions(+), 7 deletions(-)
diff --git a/fs/f2fs/debug.c b/fs/f2fs/debug.c
index ebcc121920ba..503fde8349e6 100644
--- a/fs/f2fs/debug.c
+++ b/fs/f2fs/debug.c
@@ -96,8 +96,10 @@ static void update_general_status(struct f2fs_sb_info *sbi)
si->free_secs = free_sections(sbi);
si->prefree_count = prefree_segments(sbi);
si->dirty_count = dirty_segments(sbi);
- si->node_pages = NODE_MAPPING(sbi)->nrpages;
- si->meta_pages = META_MAPPING(sbi)->nrpages;
+ if (sbi->node_inode)
+ si->node_pages = NODE_MAPPING(sbi)->nrpages;
+ if (sbi->meta_inode)
+ si->meta_pages = META_MAPPING(sbi)->nrpages;
si->nats = NM_I(sbi)->nat_cnt;
si->dirty_nats = NM_I(sbi)->dirty_nat_cnt;
si->sits = MAIN_SEGS(sbi);
@@ -175,7 +177,6 @@ static void update_sit_info(struct f2fs_sb_info *sbi)
static void update_mem_info(struct f2fs_sb_info *sbi)
{
struct f2fs_stat_info *si = F2FS_STAT(sbi);
- unsigned npages;
int i;
if (si->base_mem)
@@ -258,10 +259,14 @@ static void update_mem_info(struct f2fs_sb_info *sbi)
sizeof(struct extent_node);
si->page_mem = 0;
- npages = NODE_MAPPING(sbi)->nrpages;
- si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
- npages = META_MAPPING(sbi)->nrpages;
- si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
+ if (sbi->node_inode) {
+ unsigned npages = NODE_MAPPING(sbi)->nrpages;
+ si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
+ }
+ if (sbi->meta_inode) {
+ unsigned npages = META_MAPPING(sbi)->nrpages;
+ si->page_mem += (unsigned long long)npages << PAGE_SHIFT;
+ }
}
static int stat_show(struct seq_file *s, void *v)
diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c
index c46a1d4318d4..14f033e1ab42 100644
--- a/fs/f2fs/super.c
+++ b/fs/f2fs/super.c
@@ -1075,7 +1075,10 @@ static void f2fs_put_super(struct super_block *sb)
f2fs_bug_on(sbi, sbi->fsync_node_num);
iput(sbi->node_inode);
+ sbi->node_inode = NULL;
+
iput(sbi->meta_inode);
+ sbi->meta_inode = NULL;
/*
* iput() can update stat information, if f2fs_write_checkpoint()
@@ -3410,6 +3413,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
f2fs_release_ino_entry(sbi, true);
truncate_inode_pages_final(NODE_MAPPING(sbi));
iput(sbi->node_inode);
+ sbi->node_inode = NULL;
free_stats:
f2fs_destroy_stats(sbi);
free_nm:
@@ -3422,6 +3426,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent)
free_meta_inode:
make_bad_inode(sbi->meta_inode);
iput(sbi->meta_inode);
+ sbi->meta_inode = NULL;
free_io_dummy:
mempool_destroy(sbi->write_io_dummy);
free_percpu:
--
2.19.0.605.g01d371f741-goog
^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA
2019-01-04 4:20 [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Jaegeuk Kim
2019-01-04 4:20 ` [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput Jaegeuk Kim
@ 2019-01-04 9:31 ` Chao Yu
2019-01-04 20:36 ` Jaegeuk Kim
1 sibling, 1 reply; 5+ messages in thread
From: Chao Yu @ 2019-01-04 9:31 UTC (permalink / raw)
To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel; +Cc: stable
On 2019/1/4 12:20, Jaegeuk Kim wrote:
> Otherwise, we can get wrong counts incurring checkpoint hang.
>
> IO_W (CP: -24, Data: 24, Flush: ( 0 0 1), Discard: ( 0 0))
>
> Cc: <stable@vger.kernel.org>
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Good catch! ;)
I can understand this condition, but for other new developer who reads this
commit, it will be a little hard to understand situation here.
How about explaining a little more about problem here, maybe:
Thread A Thread B
- f2fs_write_data_pages
- __write_data_page
- f2fs_submit_page_write
- inc_page_count(F2FS_WB_DATA)
type is F2FS_WB_DATA due to file is non-atomic one
- f2fs_ioc_start_atomic_write
- set_inode_flag(FI_ATOMIC_FILE)
- f2fs_write_end_io
- dec_page_count(F2FS_WB_CP_DATA)
type is F2FS_WB_DATA due to file becomes
atomic one
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks,
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput
2019-01-04 4:20 ` [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput Jaegeuk Kim
@ 2019-01-04 9:32 ` Chao Yu
0 siblings, 0 replies; 5+ messages in thread
From: Chao Yu @ 2019-01-04 9:32 UTC (permalink / raw)
To: Jaegeuk Kim, linux-kernel, linux-f2fs-devel
On 2019/1/4 12:20, Jaegeuk Kim wrote:
> This fixes wrong access of address spaces of node and meta inodes after iput.
>
> Fixes: 60aa4d5536ab ("f2fs: fix use-after-free issue when accessing sbi->stat_info")
> Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks,
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA
2019-01-04 9:31 ` [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Chao Yu
@ 2019-01-04 20:36 ` Jaegeuk Kim
0 siblings, 0 replies; 5+ messages in thread
From: Jaegeuk Kim @ 2019-01-04 20:36 UTC (permalink / raw)
To: Chao Yu; +Cc: linux-kernel, linux-f2fs-devel, stable
On 01/04, Chao Yu wrote:
> On 2019/1/4 12:20, Jaegeuk Kim wrote:
> > Otherwise, we can get wrong counts incurring checkpoint hang.
> >
> > IO_W (CP: -24, Data: 24, Flush: ( 0 0 1), Discard: ( 0 0))
> >
> > Cc: <stable@vger.kernel.org>
> > Signed-off-by: Jaegeuk Kim <jaegeuk@kernel.org>
>
> Good catch! ;)
>
> I can understand this condition, but for other new developer who reads this
> commit, it will be a little hard to understand situation here.
>
> How about explaining a little more about problem here, maybe:
>
> Thread A Thread B
> - f2fs_write_data_pages
> - __write_data_page
> - f2fs_submit_page_write
> - inc_page_count(F2FS_WB_DATA)
> type is F2FS_WB_DATA due to file is non-atomic one
> - f2fs_ioc_start_atomic_write
> - set_inode_flag(FI_ATOMIC_FILE)
> - f2fs_write_end_io
> - dec_page_count(F2FS_WB_CP_DATA)
> type is F2FS_WB_DATA due to file becomes
> atomic one
>
> Reviewed-by: Chao Yu <yuchao0@huawei.com>
Thanks, added the comment. :P
>
> Thanks,
>
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-01-04 20:36 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04 4:20 [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Jaegeuk Kim
2019-01-04 4:20 ` [PATCH 2/2] f2fs: don't access node/meta inode mapping after iput Jaegeuk Kim
2019-01-04 9:32 ` [f2fs-dev] " Chao Yu
2019-01-04 9:31 ` [f2fs-dev] [PATCH 1/2] f2fs: wait on atomic writes to count F2FS_CP_WB_DATA Chao Yu
2019-01-04 20:36 ` Jaegeuk Kim
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).