leandrof/linux
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity
37fd167824
linux/fs/xfs
History
Dave Chinner 37fd167824 xfs: fix use-after-free race in xfs_buf_rele 
When looking at a 4.18 based KASAN use after free report, I noticed
that racing xfs_buf_rele() may race on dropping the last reference
to the buffer and taking the buffer lock. This was the symptom
displayed by the KASAN report, but the actual issue that was
reported had already been fixed in 4.19-rc1 by commit e339dd8d8b
("xfs: use sync buffer I/O for sync delwri queue submission").

Despite this, I think there is still an issue with xfs_buf_rele()
in this code:

        release = atomic_dec_and_lock(&bp->b_hold, &pag->pag_buf_lock);
        spin_lock(&bp->b_lock);
        if (!release) {
.....

If two threads race on the b_lock after both dropping a reference
and one getting dropping the last reference so release = true, we
end up with:

CPU 0				CPU 1
atomic_dec_and_lock()
				atomic_dec_and_lock()
				spin_lock(&bp->b_lock)
spin_lock(&bp->b_lock)
<spins>
				<release = true bp->b_lru_ref = 0>
				<remove from lists>
				freebuf = true
				spin_unlock(&bp->b_lock)
				xfs_buf_free(bp)
<gets lock, reading and writing freed memory>
<accesses freed memory>
spin_unlock(&bp->b_lock) <reads/writes freed memory>

IOWs, we can't safely take bp->b_lock after dropping the hold
reference because the buffer may go away at any time after we
drop that reference. However, this can be fixed simply by taking the
bp->b_lock before we drop the reference.

It is safe to nest the pag_buf_lock inside bp->b_lock as the
pag_buf_lock is only used to serialise against lookup in
xfs_buf_find() and no other locks are held over or under the
pag_buf_lock there. Make this clear by documenting the buffer lock
orders at the top of the file.

Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Reviewed-by: Carlos Maiolino <cmaiolino@redhat.com
Signed-off-by: Dave Chinner <david@fromorbit.com>
2018-10-18 17:21:29 +11:00
..
libxfs xfs: Add attibute remove and helper functions 2018-10-18 17:21:23 +11:00
scrub xfs: fix buffer state management in xrep_findroot_block 2018-10-18 17:20:35 +11:00
Kconfig xfs: implement the metadata repair ioctl flag 2018-05-15 18:12:50 -07:00
kmem.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
kmem.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
Makefile xfs: move the repair extent list into its own file 2018-07-29 22:37:09 -07:00
mrlock.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_acl.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_acl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_aops.c xfs: remove XFS_IO_INVALID 2018-10-18 17:17:50 +11:00
xfs_aops.h xfs: remove XFS_IO_INVALID 2018-10-18 17:17:50 +11:00
xfs_attr_inactive.c xfs: remove all boilerplate defer init/finish code 2018-07-26 10:15:15 -07:00
xfs_attr_list.c xfs: substitute spaces with tabs 2018-08-02 23:05:14 -07:00
xfs_bmap_item.c xfs: pass transaction to xfs_defer_add() 2018-08-02 23:05:14 -07:00
xfs_bmap_item.h xfs: use transaction for intent recovery instead of raw dfops 2018-08-02 23:05:13 -07:00
xfs_bmap_util.c xfs: remove the unused trimmed argument from xfs_reflink_trim_around_shared 2018-10-18 17:19:48 +11:00
xfs_bmap_util.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_buf_item.c xfs: refactor xfs_buf_log_item reference count handling 2018-09-29 13:45:26 +10:00
xfs_buf_item.h xfs: refactor xfs_buf_log_item reference count handling 2018-09-29 13:45:26 +10:00
xfs_buf.c xfs: fix use-after-free race in xfs_buf_rele 2018-10-18 17:21:29 +11:00
xfs_buf.h xfs: always assign buffer verifiers when one is provided 2018-10-18 17:20:30 +11:00
xfs_dir2_readdir.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_discard.c xfs: trivial xfs_btree_del_cursor cleanups 2018-07-23 09:08:00 -07:00
xfs_discard.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfs_dquot_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_dquot_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_dquot.c xfs: remove dead error handling code in xfs_dquot_disk_alloc() 2018-08-07 10:57:13 -07:00
xfs_dquot.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_error.c xfs: force summary counter recalc at next mount 2018-07-23 09:08:01 -07:00
xfs_error.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_export.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_export.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extent_busy.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extent_busy.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extfree_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_extfree_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_file.c overlayfs update for 4.19 2018-08-21 18:19:09 -07:00
xfs_filestream.c xfs: replace dop_low with transaction flag 2018-08-02 23:05:13 -07:00
xfs_filestream.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_fsmap.c xfs: trivial xfs_btree_del_cursor cleanups 2018-07-23 09:08:00 -07:00
xfs_fsmap.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_fsops.c xfs: issue log message on user force shutdown 2018-10-18 17:20:39 +11:00
xfs_fsops.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_globals.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_icache.c xfs: introduce a new xfs_inode_has_cow_data helper 2018-07-30 07:57:48 -07:00
xfs_icache.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_icreate_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_icreate_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_inode_item.c xfs: remove if_real_bytes 2018-07-30 07:57:48 -07:00
xfs_inode_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_inode.c xfs: remove last of unnecessary xfs_defer_cancel() callers 2018-09-29 13:41:58 +10:00
xfs_inode.h xfs: fold dfops into the transaction 2018-08-02 23:05:14 -07:00
xfs_ioctl32.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_ioctl32.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_ioctl.c xfs: remove suport for filesystems without unwritten extent flag 2018-10-18 17:18:58 +11:00
xfs_ioctl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_iomap.c xfs: remove the unused trimmed argument from xfs_reflink_trim_around_shared 2018-10-18 17:19:48 +11:00
xfs_iomap.h xfs: avoid COW fork extent lookups in writeback if the fork didn't change 2018-07-31 13:18:09 -07:00
xfs_iops.c xfs: don't crash the vfs on a garbage inline symlink 2018-09-29 13:40:40 +10:00
xfs_iops.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_itable.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_itable.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_linux.h xfs: replace do_mod with native operations 2018-06-08 10:07:52 -07:00
xfs_log_cil.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_log_priv.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_log_recover.c xfs: remove invalid log recovery first/last cycle check 2018-09-29 13:50:41 +10:00
xfs_log.c xfs: fix a comment in xfs_log_reserve 2018-08-03 08:17:54 -07:00
xfs_log.h xfs: refactor log recovery check 2018-08-01 07:40:48 -07:00
xfs_message.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_message.h License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
xfs_mount.c xfs: recalculate summary counters at mount time if icount is bad 2018-08-13 07:58:27 -07:00
xfs_mount.h xfs: remove deprecated barrier/nobarrier mount 2018-07-26 10:15:17 -07:00
xfs_mru_cache.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_mru_cache.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_ondisk.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_pnfs.c xfs: prepare xfs_break_layouts() for another layout type 2018-05-22 07:19:08 -07:00
xfs_pnfs.h xfs: prepare xfs_break_layouts() for another layout type 2018-05-22 07:19:08 -07:00
xfs_qm_bhv.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_qm_syscalls.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_qm.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_qm.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_quota.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_quotaops.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_refcount_item.c xfs: pass transaction to xfs_defer_add() 2018-08-02 23:05:14 -07:00
xfs_refcount_item.h xfs: use transaction for intent recovery instead of raw dfops 2018-08-02 23:05:13 -07:00
xfs_reflink.c xfs: fix fork selection in xfs_find_trim_cow_extent 2018-10-18 17:19:58 +11:00
xfs_reflink.h xfs: remove the unused trimmed argument from xfs_reflink_trim_around_shared 2018-10-18 17:19:48 +11:00
xfs_rmap_item.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_rmap_item.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_rtalloc.c xfs: clean up IRELE/iput callsites 2018-07-26 10:15:16 -07:00
xfs_rtalloc.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_stats.c Changes since last update: 2018-06-12 15:49:00 -07:00
xfs_stats.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_super.c xfs: add a define for statfs magic to uapi 2018-10-18 17:20:19 +11:00
xfs_super.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_symlink.c xfs: automatic dfops inode relogging 2018-08-02 23:05:14 -07:00
xfs_symlink.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysctl.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysctl.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysfs.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_sysfs.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trace.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trace.h xfs: don't unlock invalidated buf on aborted tx commit 2018-09-29 13:44:40 +10:00
xfs_trans_ail.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trans_bmap.c xfs: drop dop param from xfs_defer_op_type ->finish_item() callback 2018-08-02 23:05:14 -07:00
xfs_trans_buf.c xfs: fix buffer state management in xrep_findroot_block 2018-10-18 17:20:35 +11:00
xfs_trans_dquot.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trans_extfree.c xfs: drop dop param from xfs_defer_op_type ->finish_item() callback 2018-08-02 23:05:14 -07:00
xfs_trans_inode.c vfs/y2038: inode timestamps conversion to timespec64 2018-06-15 07:31:07 +09:00
xfs_trans_priv.h xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs_trans_refcount.c xfs: drop dop param from xfs_defer_op_type ->finish_item() callback 2018-08-02 23:05:14 -07:00
xfs_trans_rmap.c xfs: drop dop param from xfs_defer_op_type ->finish_item() callback 2018-08-02 23:05:14 -07:00
xfs_trans.c xfs: avoid lockdep false positives in xfs_trans_alloc 2018-09-29 13:46:21 +10:00
xfs_trans.h xfs: fix buffer state management in xrep_findroot_block 2018-10-18 17:20:35 +11:00
xfs_xattr.c xfs: convert to SPDX license tags 2018-06-06 14:17:53 -07:00
xfs.h xfs: remove b_last_holder & associated macros 2018-08-12 08:37:31 -07:00