Received: by 2002:ac0:a5a6:0:0:0:0:0 with SMTP id m35-v6csp1823450imm; Mon, 3 Sep 2018 10:21:35 -0700 (PDT) X-Google-Smtp-Source: ANB0VdaCOl1z8UW2WEH2cucIfSDTUS8/+Cm1JFL/0CZYK5+NOGZj9G1BG7y6wGt0z6laR+4Y1vai X-Received: by 2002:a62:56d9:: with SMTP id h86-v6mr6914009pfj.229.1535995295504; Mon, 03 Sep 2018 10:21:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1535995295; cv=none; d=google.com; s=arc-20160816; b=Ajy18Vv3micAx1WR6845knD+uAGBMzLsMkLTe5IpkQElYzhBHI55AaIz4aYq1iEn03 LwEYFEoAUB1Z5PdzZ+DQyo/1T1rZk2Ab3lhsxOTxeDz4LWcYRIEcCtinbddE9JVY5Ooz y+tzGOKjvy3crUFY6z0engyvio/KGaAocyGXlJd67wBWfpMn3xZfJt4n5Gqd+TQBvUG1 ZChs4DskuK2jyDnPr7monA6vfGs7ICP1X63MzoBp+FnB9xfowyCdNoa2UXXoV/0I1cB/ 1EVieip9zWFayTox1CpB0lPH7BtqTJo9RxUWwhXN7MOuVcI0b3SnP+Bua7ZlfFjRwIPr DkPQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=ooASE96r5dFJHs35bGB9bUN0l1QAvACoJUAglWZkABc=; b=rRji7YApjTtltJYO4g4j3IF4BwbJ5duCfzn0Lq1iaubnQ1XB9evNYlXSEum6rT7hAW Rm077Fjvtvw8qf0hgywUfN5vjNOJ4Y0fWFNOPzRSL+SKbM+Z0arKDCc8392q/C9RsD0J PcOqpiUxQMbiVz2JtGPEifDCAGptUyGG/revyxZlaX0sZkEUhev6ByNH+Yg+Wy3K2UdL 8DbPoHvcJsWI4SqGUilEMLvWYMrDlCvdRzYIlM2haPV0EUSpXqMiqwKt93r8o2/x+BX9 U1UiMVBdFVfMORhY5J0CoWOVlcBFpEtdxj7CsxdhaDSFA5rElDTaK89ZL2a+NVa68rwk bnGA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id d4-v6si20964630pfc.219.2018.09.03.10.21.20; Mon, 03 Sep 2018 10:21:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730251AbeICVjB (ORCPT + 99 others); Mon, 3 Sep 2018 17:39:01 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:42934 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728154AbeICVjA (ORCPT ); Mon, 3 Sep 2018 17:39:00 -0400 Received: from localhost (ip-213-127-74-90.ip.prioritytelecom.net [213.127.74.90]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id 8D637D09; Mon, 3 Sep 2018 17:17:55 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Lei Xue , Vegard Nossum , Anthony DeRobertis , NeilBrown , Daniel Axtens , Kiran Kumar Modukuri , David Howells , Sasha Levin Subject: [PATCH 4.14 052/165] cachefiles: Fix refcounting bug in backing-file read monitoring Date: Mon, 3 Sep 2018 18:55:38 +0200 Message-Id: <20180903165657.751807823@linuxfoundation.org> X-Mailer: git-send-email 2.18.0 In-Reply-To: <20180903165655.003605184@linuxfoundation.org> References: <20180903165655.003605184@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.14-stable review patch. If anyone has any objections, please let me know. ------------------ From: Kiran Kumar Modukuri [ Upstream commit 934140ab028713a61de8bca58c05332416d037d1 ] cachefiles_read_waiter() has the right to access a 'monitor' object by virtue of being called under the waitqueue lock for one of the pages in its purview. However, it has no ref on that monitor object or on the associated operation. What it is allowed to do is to move the monitor object to the operation's to_do list, but once it drops the work_lock, it's actually no longer permitted to access that object. However, it is trying to enqueue the retrieval operation for processing - but it can only do this via a pointer in the monitor object, something it shouldn't be doing. If it doesn't enqueue the operation, the operation may not get processed. If the order is flipped so that the enqueue is first, then it's possible for the work processor to look at the to_do list before the monitor is enqueued upon it. Fix this by getting a ref on the operation so that we can trust that it will still be there once we've added the monitor to the to_do list and dropped the work_lock. The op can then be enqueued after the lock is dropped. The bug can manifest in one of a couple of ways. The first manifestation looks like: FS-Cache: FS-Cache: Assertion failed FS-Cache: 6 == 5 is false ------------[ cut here ]------------ kernel BUG at fs/fscache/operation.c:494! RIP: 0010:fscache_put_operation+0x1e3/0x1f0 ... fscache_op_work_func+0x26/0x50 process_one_work+0x131/0x290 worker_thread+0x45/0x360 kthread+0xf8/0x130 ? create_worker+0x190/0x190 ? kthread_cancel_work_sync+0x10/0x10 ret_from_fork+0x1f/0x30 This is due to the operation being in the DEAD state (6) rather than INITIALISED, COMPLETE or CANCELLED (5) because it's already passed through fscache_put_operation(). The bug can also manifest like the following: kernel BUG at fs/fscache/operation.c:69! ... [exception RIP: fscache_enqueue_operation+246] ... #7 [ffff883fff083c10] fscache_enqueue_operation at ffffffffa0b793c6 #8 [ffff883fff083c28] cachefiles_read_waiter at ffffffffa0b15a48 #9 [ffff883fff083c48] __wake_up_common at ffffffff810af028 I'm not entirely certain as to which is line 69 in Lei's kernel, so I'm not entirely clear which assertion failed. Fixes: 9ae326a69004 ("CacheFiles: A cache that backs onto a mounted filesystem") Reported-by: Lei Xue Reported-by: Vegard Nossum Reported-by: Anthony DeRobertis Reported-by: NeilBrown Reported-by: Daniel Axtens Reported-by: Kiran Kumar Modukuri Signed-off-by: David Howells Reviewed-by: Daniel Axtens Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- fs/cachefiles/rdwr.c | 17 ++++++++++++----- 1 file changed, 12 insertions(+), 5 deletions(-) --- a/fs/cachefiles/rdwr.c +++ b/fs/cachefiles/rdwr.c @@ -27,6 +27,7 @@ static int cachefiles_read_waiter(wait_q struct cachefiles_one_read *monitor = container_of(wait, struct cachefiles_one_read, monitor); struct cachefiles_object *object; + struct fscache_retrieval *op = monitor->op; struct wait_bit_key *key = _key; struct page *page = wait->private; @@ -51,16 +52,22 @@ static int cachefiles_read_waiter(wait_q list_del(&wait->entry); /* move onto the action list and queue for FS-Cache thread pool */ - ASSERT(monitor->op); + ASSERT(op); - object = container_of(monitor->op->op.object, - struct cachefiles_object, fscache); + /* We need to temporarily bump the usage count as we don't own a ref + * here otherwise cachefiles_read_copier() may free the op between the + * monitor being enqueued on the op->to_do list and the op getting + * enqueued on the work queue. + */ + fscache_get_retrieval(op); + object = container_of(op->op.object, struct cachefiles_object, fscache); spin_lock(&object->work_lock); - list_add_tail(&monitor->op_link, &monitor->op->to_do); + list_add_tail(&monitor->op_link, &op->to_do); spin_unlock(&object->work_lock); - fscache_enqueue_retrieval(monitor->op); + fscache_enqueue_retrieval(op); + fscache_put_retrieval(op); return 0; }