Subject: Re: [PATCH] xfs: fix use-after-free on CIL context on shutdown
From: "yukuai (C)"
To: Dave Chinner
Date: Tue, 16 Jun 2020 09:16:09 +0800
Message-ID: <9d13cb34-5625-ed84-71f5-ad48204589a1@huawei.com>
In-Reply-To: <20200611024503.GR2040@dread.disaster.area>
References: <20200611013952.2589997-1-yukuai3@huawei.com> <20200611022848.GQ2040@dread.disaster.area> <20200611024503.GR2040@dread.disaster.area>
X-Mailing-List: linux-kernel@vger.kernel.org

On 2020/6/11 10:45, Dave Chinner wrote:
>
> From: Dave Chinner
>
> xlog_wait() on the CIL context can reference a freed context if the
> waiter doesn't get scheduled before the CIL context is freed. This
> can happen when a task is on the hard throttle and the CIL push
> aborts due to a shutdown. This was detected by generic/019:
>
> thread 1                        thread 2
>
> __xfs_trans_commit
>  xfs_log_commit_cil
>   xlog_wait
>    schedule
>                                 xlog_cil_push_work
>                                 wake_up_all
>                                 xlog_cil_committed
>                                 kmem_free
>
>    remove_wait_queue
>     spin_lock_irqsave --> UAF
>
> Fix it by moving the wait queue to the CIL rather than keeping it
> in the CIL context that gets freed on push completion. Because the
> wait queue is now independent of the CIL context and we might have
> multiple contexts in flight at once, only wake the waiters on the
> push throttle when the context we are pushing is over the hard
> throttle size threshold.

Hi, Dave,

What do you think about the following fix:

1. use autoremove_wake_function(), and remove remove_wait_queue() to avoid the UAF.
2. add finish_wait().

@@ -576,12 +576,13 @@ xlog_wait(
 		__releases(lock)
 {
 	DECLARE_WAITQUEUE(wait, current);
+	wait.func = autoremove_wake_function;
 	add_wait_queue_exclusive(wq, &wait);
 	__set_current_state(TASK_UNINTERRUPTIBLE);
 	spin_unlock(lock);
 	schedule();
-	remove_wait_queue(wq, &wait);
+	finish_wait(wq, &wait);
 }

Best regards!
Yu Kuai
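Review bot: the second `+` line (`finish_wait(wq, &wait);`) narrows the window but does not remove the use-after-free, because finish_wait() still dereferences the wait queue head that lives inside the CIL context xlog_cil_committed() frees: it does an unlocked list_empty_careful() on the entry and, if the entry is still linked, takes wq->lock. autoremove_wake_function() wakes the task first and only then does list_del_init(), so a waiter that starts running on another CPU between those two steps sees a linked entry, spins on wq->lock while the pusher finishes wake_up_all() and frees the context, and then locks freed memory; any wakeup that does not come through wake_up_all() hits the same path. The lifetime problem is where the wait queue head lives, which is what moving it from the context to the CIL in the original patch addresses. Style point on the first `+` line: `DEFINE_WAIT(wait)` already initialises .func to autoremove_wake_function, so prefer it over DECLARE_WAITQUEUE() followed by `wait.func = autoremove_wake_function;`.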
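The race in the quoted commit message, and the difference between the two fixes discussed in this thread, as an added example that is not part of the original mail and not XFS or kernel code: a single-threaded C model that replays the interleaving step by step. The structures (`struct cil`, `struct cil_ctx`, `struct wq_head`, `struct wq_entry`), the `run()` driver and the `waiter_checks_early` knob are all made up for the model; `alive` stands in for "the memory holding this head has not been kmem_free()d", and locking a dead head is counted instead of actually being a use-after-free so the program stays well defined.

```c
#include <stdio.h>

/*
 * Model of the kernel wait queue pieces the thread talks about (made up
 * for this example, not <linux/wait.h>).  `alive` stands in for "the
 * memory holding this head has not been kmem_free()d"; taking the lock
 * of a dead head is what the real code does as a use-after-free, here it
 * only bumps a counter.
 */
struct wq_entry {
	struct wq_entry *prev, *next;
	int autoremove;		/* wait.func == autoremove_wake_function */
};

struct wq_head {
	struct wq_entry list;	/* list sentinel, like wait_queue_head.head */
	int alive;
	int uaf_hits;		/* times wq->lock was taken after the free */
};

static void wq_init(struct wq_head *h)
{
	h->list.prev = h->list.next = &h->list;
	h->alive = 1;
	h->uaf_hits = 0;
}

static void wq_lock(struct wq_head *h)	/* spin_lock_irqsave(&wq->lock) */
{
	if (!h->alive)
		h->uaf_hits++;
}

static void list_add_tail_model(struct wq_head *h, struct wq_entry *e)
{
	e->next = &h->list;
	e->prev = h->list.prev;
	h->list.prev->next = e;
	h->list.prev = e;
}

static void list_del_init_model(struct wq_entry *e)
{
	e->prev->next = e->next;
	e->next->prev = e->prev;
	e->prev = e->next = e;
}

static int list_empty_careful_model(const struct wq_entry *e)
{
	return e->next == e;
}

enum layout { WQ_IN_CTX, WQ_IN_CIL };
enum exit_style { REMOVE_WAIT_QUEUE, AUTOREMOVE_FINISH_WAIT };

struct cil { struct wq_head push_wait; };	/* lives as long as the log */
struct cil_ctx { struct wq_head push_wait; };	/* freed by the push on completion */

/*
 * Replays the interleaving from the commit message and returns how many
 * times thread 1 locked a freed wait queue head.  waiter_checks_early
 * models the waiter reaching finish_wait()'s unlocked list_empty_careful()
 * after it has been woken but before the waker's list_del_init().
 */
static int run(enum layout layout, enum exit_style style, int waiter_checks_early)
{
	struct cil cil;
	struct cil_ctx ctx;
	struct wq_entry wait;
	struct wq_head *wq;
	int need_lock = 0;

	wq_init(&cil.push_wait);
	wq_init(&ctx.push_wait);
	wq = layout == WQ_IN_CTX ? &ctx.push_wait : &cil.push_wait;
	wait.prev = wait.next = &wait;
	wait.autoremove = style == AUTOREMOVE_FINISH_WAIT;

	/* thread 1: xlog_wait() up to schedule() */
	wq_lock(wq);
	list_add_tail_model(wq, &wait);

	/* thread 2: xlog_cil_push_work() -> wake_up_all() */
	wq_lock(wq);
	if (waiter_checks_early && style == AUTOREMOVE_FINISH_WAIT)
		need_lock = !list_empty_careful_model(&wait);	/* woken, entry still linked */
	if (wait.autoremove)
		list_del_init_model(&wait);	/* autoremove_wake_function() */

	/* thread 2: shutdown aborts the push -> context is freed */
	ctx.push_wait.alive = 0;

	/* thread 1: back from schedule() */
	if (style == REMOVE_WAIT_QUEUE) {
		wq_lock(wq);			/* remove_wait_queue() */
		list_del_init_model(&wait);
	} else {
		if (!waiter_checks_early)
			need_lock = !list_empty_careful_model(&wait);
		if (need_lock) {		/* finish_wait() locked part */
			wq_lock(wq);
			list_del_init_model(&wait);
		}
	}
	return wq->uaf_hits;
}

int main(void)
{
	printf("original, wq in ctx:      %d\n", run(WQ_IN_CTX, REMOVE_WAIT_QUEUE, 0));
	printf("autoremove, late check:   %d\n", run(WQ_IN_CTX, AUTOREMOVE_FINISH_WAIT, 0));
	printf("autoremove, early check:  %d\n", run(WQ_IN_CTX, AUTOREMOVE_FINISH_WAIT, 1));
	printf("wq moved to the cil:      %d\n", run(WQ_IN_CIL, REMOVE_WAIT_QUEUE, 0));
	return 0;
}
```

The four runs correspond to the four situations in the thread: the original code hits the freed head once; the autoremove plus finish_wait() variant avoids it only when the waiter's unlocked check runs after the waker's list_del_init(), and hits it again when the check runs first; moving the head into the long-lived CIL avoids it regardless of how the waiter leaves the queue, which is why the fix has to change where the head lives rather than how the entry is removed.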