From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Luis Henriques <lhenriques@suse.com>,
Jeff Layton <jlayton@kernel.org>,
Ilya Dryomov <idryomov@gmail.com>,
Sasha Levin <sashal@kernel.org>,
ceph-devel@vger.kernel.org
Subject: [PATCH AUTOSEL 5.2 67/76] ceph: fix buffer free while holding i_ceph_lock in __ceph_build_xattrs_blob()
Date: Thu, 29 Aug 2019 14:13:02 -0400 [thread overview]
Message-ID: <20190829181311.7562-67-sashal@kernel.org> (raw)
In-Reply-To: <20190829181311.7562-1-sashal@kernel.org>
From: Luis Henriques <lhenriques@suse.com>
[ Upstream commit 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8 ]
Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
be fixed by having this function returning the old blob buffer and have
the callers of this function freeing it when the lock is released.
The following backtrace was triggered by fstests generic/117.
BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
4 locks held by fsstress/649:
#0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
#1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
#2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
#3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
Call Trace:
dump_stack+0x67/0x90
___might_sleep.cold+0x9f/0xb1
vfree+0x4b/0x60
ceph_buffer_release+0x1b/0x60
__ceph_build_xattrs_blob+0x12b/0x170
__send_cap+0x302/0x540
? __lock_acquire+0x23c/0x1e40
? __mark_caps_flushing+0x15c/0x280
? _raw_spin_unlock+0x24/0x30
ceph_check_caps+0x5f0/0xc60
ceph_flush_dirty_caps+0x7c/0x150
? __ia32_sys_fdatasync+0x20/0x20
ceph_sync_fs+0x5a/0x130
iterate_supers+0x8f/0xf0
ksys_sync+0x4f/0xb0
__ia32_sys_sync+0xa/0x10
do_syscall_64+0x50/0x1c0
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x7fc6409ab617
Signed-off-by: Luis Henriques <lhenriques@suse.com>
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/ceph/caps.c | 5 ++++-
fs/ceph/snap.c | 4 +++-
fs/ceph/super.h | 2 +-
fs/ceph/xattr.c | 11 ++++++++---
4 files changed, 16 insertions(+), 6 deletions(-)
diff --git a/fs/ceph/caps.c b/fs/ceph/caps.c
index 7754d76791228..622467e47cde8 100644
--- a/fs/ceph/caps.c
+++ b/fs/ceph/caps.c
@@ -1305,6 +1305,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
{
struct ceph_inode_info *ci = cap->ci;
struct inode *inode = &ci->vfs_inode;
+ struct ceph_buffer *old_blob = NULL;
struct cap_msg_args arg;
int held, revoking;
int wake = 0;
@@ -1369,7 +1370,7 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
ci->i_requested_max_size = arg.max_size;
if (flushing & CEPH_CAP_XATTR_EXCL) {
- __ceph_build_xattrs_blob(ci);
+ old_blob = __ceph_build_xattrs_blob(ci);
arg.xattr_version = ci->i_xattrs.version;
arg.xattr_buf = ci->i_xattrs.blob;
} else {
@@ -1404,6 +1405,8 @@ static int __send_cap(struct ceph_mds_client *mdsc, struct ceph_cap *cap,
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
+
ret = send_cap_msg(&arg);
if (ret < 0) {
dout("error sending cap msg, must requeue %p\n", inode);
diff --git a/fs/ceph/snap.c b/fs/ceph/snap.c
index 72c6c022f02bd..213bc1475e91f 100644
--- a/fs/ceph/snap.c
+++ b/fs/ceph/snap.c
@@ -464,6 +464,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
struct inode *inode = &ci->vfs_inode;
struct ceph_cap_snap *capsnap;
struct ceph_snap_context *old_snapc, *new_snapc;
+ struct ceph_buffer *old_blob = NULL;
int used, dirty;
capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
@@ -540,7 +541,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
capsnap->gid = inode->i_gid;
if (dirty & CEPH_CAP_XATTR_EXCL) {
- __ceph_build_xattrs_blob(ci);
+ old_blob = __ceph_build_xattrs_blob(ci);
capsnap->xattr_blob =
ceph_buffer_get(ci->i_xattrs.blob);
capsnap->xattr_version = ci->i_xattrs.version;
@@ -583,6 +584,7 @@ void ceph_queue_cap_snap(struct ceph_inode_info *ci)
}
spin_unlock(&ci->i_ceph_lock);
+ ceph_buffer_put(old_blob);
kfree(capsnap);
ceph_put_snap_context(old_snapc);
}
diff --git a/fs/ceph/super.h b/fs/ceph/super.h
index 1d313d0536f9d..38b42d7594b67 100644
--- a/fs/ceph/super.h
+++ b/fs/ceph/super.h
@@ -924,7 +924,7 @@ extern int ceph_getattr(const struct path *path, struct kstat *stat,
int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
extern void __init ceph_xattr_init(void);
extern void ceph_xattr_exit(void);
diff --git a/fs/ceph/xattr.c b/fs/ceph/xattr.c
index 8382299fc2d84..9772db01720b9 100644
--- a/fs/ceph/xattr.c
+++ b/fs/ceph/xattr.c
@@ -752,12 +752,15 @@ static int __get_required_blob_size(struct ceph_inode_info *ci, int name_size,
/*
* If there are dirty xattrs, reencode xattrs into the prealloc_blob
- * and swap into place.
+ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
+ * that it can be freed by the caller as the i_ceph_lock is likely to be
+ * held.
*/
-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
{
struct rb_node *p;
struct ceph_inode_xattr *xattr = NULL;
+ struct ceph_buffer *old_blob = NULL;
void *dest;
dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
@@ -788,12 +791,14 @@ void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
if (ci->i_xattrs.blob)
- ceph_buffer_put(ci->i_xattrs.blob);
+ old_blob = ci->i_xattrs.blob;
ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
ci->i_xattrs.prealloc_blob = NULL;
ci->i_xattrs.dirty = false;
ci->i_xattrs.version++;
}
+
+ return old_blob;
}
static inline int __get_request_mask(struct inode *in) {
--
2.20.1
next prev parent reply other threads:[~2019-08-29 18:27 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-08-29 18:11 [PATCH AUTOSEL 5.2 01/76] batman-adv: Fix netlink dumping of all mcast_flags buckets Sasha Levin
2019-08-29 18:11 ` [PATCH AUTOSEL 5.2 02/76] libbpf: fix erroneous multi-closing of BTF FD Sasha Levin
2019-08-29 18:11 ` [PATCH AUTOSEL 5.2 03/76] libbpf: set BTF FD for prog only when there is supported .BTF.ext data Sasha Levin
2019-08-29 18:11 ` [PATCH AUTOSEL 5.2 04/76] netfilter: nf_flow_table: fix offload for flows that are subject to xfrm Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 05/76] net/mlx5e: Fix error flow of CQE recovery on tx reporter Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 06/76] clk: samsung: Change signature of exynos5_subcmus_init() function Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 07/76] clk: samsung: exynos5800: Move MAU subsystem clocks to MAU sub-CMU Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 08/76] clk: samsung: exynos542x: Move MSCL subsystem clocks to its sub-CMU Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 09/76] net: tundra: tsi108: use spin_lock_irqsave instead of spin_lock_irq in IRQ context Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 10/76] netfilter: nf_tables: use-after-free in failing rule with bound set Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 11/76] netfilter: nf_flow_table: conntrack picks up expired flows Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 12/76] netfilter: nf_flow_table: teardown flow timeout race Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 13/76] rxrpc: Fix local endpoint refcounting Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 14/76] tools: bpftool: fix error message (prog -> object) Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 15/76] ixgbe: fix possible deadlock in ixgbe_service_task() Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 16/76] hv_netvsc: Fix a warning of suspicious RCU usage Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 17/76] net: tc35815: Explicitly check NET_IP_ALIGN is not zero in tc35815_rx Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 18/76] Bluetooth: btqca: Add a short delay before downloading the NVM Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 19/76] Bluetooth: hci_qca: Send VS pre shutdown command Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 20/76] Bluetooth: hidp: Let hidp_send_message return number of queued bytes Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 21/76] s390/qeth: serialize cmd reply with concurrent timeout Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 22/76] ibmveth: Convert multicast list size for little-endian system Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 23/76] gpio: Fix build error of function redefinition Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 24/76] netfilter: nft_flow_offload: skip tcp rst and fin packets Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 25/76] rxrpc: Fix local endpoint replacement Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 26/76] rxrpc: Fix read-after-free in rxrpc_queue_local() Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 27/76] drm/mediatek: use correct device to import PRIME buffers Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 28/76] drm/mediatek: set DMA max segment size Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 29/76] scsi: qla2xxx: Fix gnl.l memory leak on adapter init failure Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 30/76] scsi: target: tcmu: avoid use-after-free after command timeout Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 31/76] cxgb4: fix a memory leak bug Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 32/76] selftests: kvm: do not try running the VM in vmx_set_nested_state_test Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 33/76] selftests: kvm: provide common function to enable eVMCS Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 34/76] selftests: kvm: fix vmx_set_nested_state_test Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 35/76] liquidio: add cleanup in octeon_setup_iq() Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 36/76] net: myri10ge: fix memory leaks Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 37/76] clk: Fix falling back to legacy parent string matching Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 38/76] clk: Fix potential NULL dereference in clk_fetch_parent_index() Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 39/76] lan78xx: Fix memory leaks Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 40/76] vfs: fix page locking deadlocks when deduping files Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 41/76] cx82310_eth: fix a memory leak bug Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 42/76] net: kalmia: fix memory leaks Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 43/76] ibmvnic: Unmap DMA address of TX descriptor buffers after use Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 44/76] net: cavium: fix driver name Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 45/76] wimax/i2400m: fix a memory leak bug Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 46/76] ravb: Fix use-after-free ravb_tstamp_skb Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 47/76] sched/core: Schedule new worker even if PI-blocked Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 48/76] kprobes: Fix potential deadlock in kprobe_optimizer() Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 49/76] HID: intel-ish-hid: ipc: add EHL device id Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 50/76] HID: cp2112: prevent sleeping function called from invalid context Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 51/76] x86/boot/compressed/64: Fix boot on machines with broken E820 table Sasha Levin
2019-08-29 22:17 ` Kirill A. Shutemov
2019-08-30 12:06 ` Sasha Levin
2019-08-30 13:25 ` Kirill A. Shutemov
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 52/76] scsi: lpfc: Mitigate high memory pre-allocation by SCSI-MQ Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 53/76] Input: hyperv-keyboard: Use in-place iterator API in the channel callback Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 54/76] Tools: hv: kvp: eliminate 'may be used uninitialized' warning Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 55/76] io_uring: fix potential hang with polled IO Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 56/76] nvme-multipath: fix possible I/O hang when paths are updated Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 57/76] nvme: Fix cntlid validation when not using NVMEoF Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 58/76] io_uring: don't enter poll loop if we have CQEs pending Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 59/76] RDMA/cma: fix null-ptr-deref Read in cma_cleanup Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 60/76] IB/mlx4: Fix memory leaks Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 61/76] infiniband: hfi1: fix a memory leak bug Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 62/76] infiniband: hfi1: fix memory leaks Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 63/76] selftests: kvm: fix state save/load on processors without XSAVE Sasha Levin
2019-08-29 18:12 ` [PATCH AUTOSEL 5.2 64/76] selftests/kvm: make platform_info_test pass on AMD Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 65/76] drm/amdgpu: prevent memory leaks in AMDGPU_CS ioctl Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 66/76] ceph: fix buffer free while holding i_ceph_lock in __ceph_setxattr() Sasha Levin
2019-08-29 20:51 ` Ilya Dryomov
2019-08-29 21:16 ` Sasha Levin
2019-08-30 8:31 ` Ilya Dryomov
2019-08-29 18:13 ` Sasha Levin [this message]
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 68/76] ceph: fix buffer free while holding i_ceph_lock in fill_inode() Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 69/76] KVM: arm/arm64: Only skip MMIO insn once Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 70/76] afs: Fix leak in afs_lookup_cell_rcu() Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 71/76] afs: Fix possible oops in afs_lookup trace event Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 72/76] afs: use correct afs_call_type in yfs_fs_store_opaque_acl2 Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 73/76] RDMA/bnxt_re: Fix stack-out-of-bounds in bnxt_qplib_rcfw_send_message Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 74/76] io_uring: add need_resched() check in inner poll loop Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 75/76] gpio: Fix irqchip initialization order Sasha Levin
2019-08-29 18:13 ` [PATCH AUTOSEL 5.2 76/76] KVM: arm/arm64: VGIC: Properly initialise private IRQ affinity Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190829181311.7562-67-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=ceph-devel@vger.kernel.org \
--cc=idryomov@gmail.com \
--cc=jlayton@kernel.org \
--cc=lhenriques@suse.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).