Received: by 2002:a25:683:0:0:0:0:0 with SMTP id 125csp1033320ybg; Wed, 10 Jun 2020 22:08:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyZFMe11RlFJe80cruoveqZeMAjwUopHUthHnnTTK5UAGXeCKk2oqSP+MitRyZNa0wY410T X-Received: by 2002:a17:906:d973:: with SMTP id rp19mr6195207ejb.475.1591852085871; Wed, 10 Jun 2020 22:08:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1591852085; cv=none; d=google.com; s=arc-20160816; b=fqMxrpgwL6o6efVcSMXHtzMHnKVYd2hGWzyN3bu9QZA19/eZPSGLE5tXQxh6varhXh A3jjNhOkT02iOArkFHntKa801m7+IcpGxw9yUZeiazu534Rb32Jat4ig7g3Cqvnipumq Bjmwtg9dRmjEFlyO16eaOmvomQ54tRoCtTglElHLnGLCkVwuDEz/wVPO4ro1HdV1WOwt peAeA7vF5LxmV9REZkrt1IjeC0bjzdflsV/81d5YfJ0lVn4Dk2hThU6HlP41UIS7jPxs gy3NqG9R76ltw8kC7Bv2u0Wsf9Pc3G9OgJ2aP8VN5Qn6GJEYav+5OX9U+I8wObC6mMDE 3amA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date; bh=OaIUXvBUn8SnKTOfijGCnEJifv5zx6k00FYyujhiTfo=; b=hOSVb68JVl6vGjerI+wAJHQoX2/RTdbbl5hGE1vl/mm8rJzgH60ng9UwzY1S+XabA2 iKGY64lXk5vBquTAHdaYNS3l6FpxwJ5tl1HKME3+OdGxr+12FA7HREN9mUT1HxGbjQKY e5Z7A2DzwES0gVs3/ZVGIOApqnvPLunov6eJnvZIS8w0NGycsUorp1Xw4S1+amgt34zc j5geNreE02bwuUCV+6f/+7pSZSov9xhDWgKb2aDx3dCAkpQ/06mR0lV+V2ebRMQgzb/p 0VqAA0+GEAE5GWfWBxiqvsw5fz7W9viMxtfQLWQIs5Klah/cjTNm/oC91Ft4fismzujh xxqg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w6si1313169ejn.265.2020.06.10.22.07.42; Wed, 10 Jun 2020 22:08:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726316AbgFKFFy (ORCPT + 99 others); Thu, 11 Jun 2020 01:05:54 -0400 Received: from mail105.syd.optusnet.com.au ([211.29.132.249]:33257 "EHLO mail105.syd.optusnet.com.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725300AbgFKFFx (ORCPT ); Thu, 11 Jun 2020 01:05:53 -0400 Received: from dread.disaster.area (pa49-180-124-177.pa.nsw.optusnet.com.au [49.180.124.177]) by mail105.syd.optusnet.com.au (Postfix) with ESMTPS id 248853A4A35; Thu, 11 Jun 2020 15:05:49 +1000 (AEST) Received: from dave by dread.disaster.area with local (Exim 4.92.3) (envelope-from ) id 1jjFPQ-0003LT-A8; Thu, 11 Jun 2020 15:05:48 +1000 Date: Thu, 11 Jun 2020 15:05:48 +1000 From: Dave Chinner To: "yukuai (C)" Cc: darrick.wong@oracle.com, linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, yi.zhang@huawei.com Subject: Re: [RFC PATCH] fix use after free in xlog_wait() Message-ID: <20200611050548.GS2040@dread.disaster.area> References: <20200611013952.2589997-1-yukuai3@huawei.com> <20200611022848.GQ2040@dread.disaster.area> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: User-Agent: Mutt/1.10.1 (2018-07-13) X-Optus-CM-Score: 0 X-Optus-CM-Analysis: v=2.3 cv=W5xGqiek c=1 sm=1 tr=0 a=k3aV/LVJup6ZGWgigO6cSA==:117 a=k3aV/LVJup6ZGWgigO6cSA==:17 a=kj9zAlcOel0A:10 a=nTHF0DUjJn0A:10 a=7-415B0cAAAA:8 a=k4-4d9lsxiVGclVBZOAA:9 a=CjuIK1q_8ugA:10 a=biEYGPWJfzWAr4FL6Ov7:22 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 11, 2020 at 11:01:38AM +0800, yukuai (C) wrote: > On 2020/6/11 10:28, Dave Chinner wrote > > Actually, it's a lot simpler: > > > > thread1 thread2 > > > > __xfs_trans_commit > > xfs_log_commit_cil > > xlog_wait > > schedule > > xlog_cil_push_work > > wake_up_all > > > > xlog_cil_committed > > kmem_free > > > > remove_wait_queue > > spin_lock_irqsave --> UAF > > > > It's ture in this case, however, I got another result when I > tried to reporduce it, which seems 'ctx' can be freed in a > different path: Yup, it's effectively the same thing because of the nature of the IO failures (generated at submit time) and scheduler behaviour of workqueues. THis means the IO completion that processes the error is is queued to a workqueue on the same CPU. When thread 2 finishes running (it hasn't seen an error yet) the completion work will get get scheduled ahead of thread1 (cpu bound kernel task vs unbound user task). The completion work then runs the shutdown because it saw a log IO error and because it's the commit record bio it runs the journal checkpoint completion to abort all the items attached to it and free the CIL context. Then thread 1 runs again. The only difference between the two cases is which IO of the CIL commit the request was failed on.... Cheers, Dave. -- Dave Chinner david@fromorbit.com