linux-kernel.vger.kernel.org archive mirror
From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Xiubo Li <xiubli@redhat.com>, Jeff Layton <jlayton@kernel.org>,
	Ilya Dryomov <idryomov@gmail.com>,
	Sasha Levin <sashal@kernel.org>,
	ceph-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.8 57/62] ceph: fix potential mdsc use-after-free crash
Date: Fri, 21 Aug 2020 12:14:18 -0400
Message-ID: <20200821161423.347071-57-sashal@kernel.org>
In-Reply-To: <20200821161423.347071-1-sashal@kernel.org>

From: Xiubo Li <xiubli@redhat.com>

[ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ]

Make sure the delayed work stopped before releasing the resources.

cancel_delayed_work_sync() will only guarantee that the work finishes
executing if the work is already in the ->worklist.  That means after
the cancel_delayed_work_sync() returns, it will leave the work requeued
if it was rearmed at the end. That can lead to a use after free once the
work struct is freed.

Fix it by flushing the delayed work instead of trying to cancel it, and
ensure that the work doesn't rearm if the mdsc is stopping.

URL: https://tracker.ceph.com/issues/46293
Signed-off-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 fs/ceph/mds_client.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c
index a50497142e598..d38399847064f 100644
--- a/fs/ceph/mds_client.c
+++ b/fs/ceph/mds_client.c
@@ -4283,6 +4283,9 @@ static void delayed_work(struct work_struct *work)
 
 	dout("mdsc delayed_work\n");
 
+	if (mdsc->stopping)
+		return;
+
 	mutex_lock(&mdsc->mutex);
 	renew_interval = mdsc->mdsmap->m_session_timeout >> 2;
 	renew_caps = time_after_eq(jiffies, HZ*renew_interval +
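
Review bot: the new `if (mdsc->stopping) return;` test at the top of delayed_work() reads the flag before `mutex_lock(&mdsc->mutex)`, so nothing in this hunk orders the read against whoever sets the flag. A run that samples the flag just before it is set carries on through the rest of the function. If the intent is that the work never re-arms once the mdsc is stopping, repeat the test at the point where the work is rescheduled, or take the read under the mutex, or add a comment stating which ordering makes the unlocked read safe.
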
@@ -4657,7 +4660,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc)
 static void ceph_mdsc_stop(struct ceph_mds_client *mdsc)
 {
 	dout("stop\n");
-	cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */
+	/*
+	 * Make sure the delayed work stopped before releasing
+	 * the resources.
+	 *
+	 * Because the cancel_delayed_work_sync() will only
+	 * guarantee that the work finishes executing. But the
+	 * delayed work will re-arm itself again after that.
+	 */
+	flush_delayed_work(&mdsc->delayed_work);
+
 	if (mdsc->mdsmap)
 		ceph_mdsmap_destroy(mdsc->mdsmap);
 	kfree(mdsc->sessions);
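
Review bot: the comment above `flush_delayed_work(&mdsc->delayed_work);` explains why cancel_delayed_work_sync() was dropped but not why the flush is sufficient. flush_delayed_work() runs any pending instance immediately and waits for it to finish; it does not by itself stop the work from queueing itself again. What prevents the re-arm is the `mdsc->stopping` test added to delayed_work() in the previous hunk, so the teardown that follows (`ceph_mdsmap_destroy()`, `kfree(mdsc->sessions)`) is only safe if stopping is already set when ceph_mdsc_stop() is entered. State that precondition in the comment. The "Because ... But ..." sentences also read as fragments and would be clearer merged into one.
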
-- 
2.25.1

