From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Yu Kuai, Dave Chinner, "Darrick J. Wong", Christoph Hellwig, Sasha Levin
Subject: [PATCH 5.7 055/112] xfs: fix use-after-free on CIL context on shutdown
Date: Tue, 7 Jul 2020 17:17:00 +0200
Message-Id: <20200707145803.616756482@linuxfoundation.org>
X-Mailer: git-send-email 2.27.0
In-Reply-To: <20200707145800.925304888@linuxfoundation.org>
References: <20200707145800.925304888@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dave Chinner

[ Upstream commit c7f87f3984cfa1e6d32806a715f35c5947ad9c09 ]

xlog_wait() on the CIL context can reference a freed context if the
waiter doesn't get scheduled before the CIL context is freed. This can
happen when a task is on the hard throttle and the CIL push aborts due
to a shutdown.

This was detected by generic/019:

thread 1                                thread 2
__xfs_trans_commit
 xfs_log_commit_cil
  xlog_wait
   schedule
                                        xlog_cil_push_work
                                         wake_up_all
                                         xlog_cil_committed
                                          kmem_free

   remove_wait_queue
    spin_lock_irqsave --> UAF

Fix it by moving the wait queue to the CIL rather than keeping it in
the CIL context that gets freed on push completion. Because the wait
queue is now independent of the CIL context and we might have multiple
contexts in flight at once, only wake the waiters on the push throttle
when the context we are pushing is over the hard throttle size
threshold.

Fixes: 0e7ab7efe7745 ("xfs: Throttle commits on delayed background CIL push")
Reported-by: Yu Kuai
Signed-off-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Reviewed-by: Christoph Hellwig
Signed-off-by: Sasha Levin
---
 fs/xfs/xfs_log_cil.c  | 10 +++++-----
 fs/xfs/xfs_log_priv.h |  2 +-
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/fs/xfs/xfs_log_cil.c b/fs/xfs/xfs_log_cil.c index b43f0e8f43f2e..9ed90368ab311 100644 --- a/fs/xfs/xfs_log_cil.c +++ b/fs/xfs/xfs_log_cil.c @@ -671,7 +671,8 @@ xlog_cil_push_work( /* * Wake up any background push waiters now this context is being pushed. */ - wake_up_all(&ctx->push_wait); + if (ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log)) + wake_up_all(&cil->xc_push_wait); /* * Check if we've anything to push. If there is nothing, then we don't @@ -743,13 +744,12 @@ xlog_cil_push_work( /* * initialise the new context and attach it to the CIL. Then attach - * the current context to the CIL committing lsit so it can be found + * the current context to the CIL committing list so it can be found * during log forces to extract the commit lsn of the sequence that * needs to be forced. */ INIT_LIST_HEAD(&new_ctx->committing); INIT_LIST_HEAD(&new_ctx->busy_extents); - init_waitqueue_head(&new_ctx->push_wait); new_ctx->sequence = ctx->sequence + 1; new_ctx->cil = cil; cil->xc_ctx = new_ctx; @@ -937,7 +937,7 @@ xlog_cil_push_background( if (cil->xc_ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log)) { trace_xfs_log_cil_wait(log, cil->xc_ctx->ticket); ASSERT(cil->xc_ctx->space_used < log->l_logsize); - xlog_wait(&cil->xc_ctx->push_wait, &cil->xc_push_lock); + xlog_wait(&cil->xc_push_wait, &cil->xc_push_lock); return; } @@ -1216,12 +1216,12 @@ xlog_cil_init( INIT_LIST_HEAD(&cil->xc_committing); spin_lock_init(&cil->xc_cil_lock); spin_lock_init(&cil->xc_push_lock); + init_waitqueue_head(&cil->xc_push_wait); init_rwsem(&cil->xc_ctx_lock); init_waitqueue_head(&cil->xc_commit_wait); INIT_LIST_HEAD(&ctx->committing); INIT_LIST_HEAD(&ctx->busy_extents); - init_waitqueue_head(&ctx->push_wait); ctx->sequence = 1; ctx->cil = cil; cil->xc_ctx = ctx; diff --git a/fs/xfs/xfs_log_priv.h b/fs/xfs/xfs_log_priv.h index ec22c7a3867f1..75a62870b63af 100644 --- a/fs/xfs/xfs_log_priv.h +++ b/fs/xfs/xfs_log_priv.h 
@@ -240,7 +240,6 @@ struct xfs_cil_ctx { struct xfs_log_vec *lv_chain; /* logvecs being pushed */ struct list_head iclog_entry; struct list_head committing; /* ctx committing list */ - wait_queue_head_t push_wait; /* background push throttle */ struct work_struct discard_endio_work; }; @@ -274,6 +273,7 @@ struct xfs_cil { wait_queue_head_t xc_commit_wait; xfs_lsn_t xc_current_sequence; struct work_struct xc_push_work; + wait_queue_head_t xc_push_wait; /* background push throttle */ } ____cacheline_aligned_in_smp; /* -- 2.25.1
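Review bot: in the first xlog_cil_push_work hunk (@@ -671) the comment directly above the changed lines still reads "Wake up any background push waiters now this context is being pushed", but the wake_up_all is now guarded by `if (ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log))`; the comment should say that waiters are only woken when the context being pushed crossed the hard throttle, and why: the queue now lives in struct xfs_cil and is shared by every in-flight context, so an unconditional wake on each push would release throttled committers whenever a small context is pushed. The guard itself mirrors the condition under which xlog_cil_push_background goes to sleep, so a task throttled on this context is woken when this context is pushed.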
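Review bot: the spelling fix in the second xlog_cil_push_work hunk (@@ -743, "committing lsit" to "committing list") is unrelated to the use-after-free and adds context churn to a patch carrying a Fixes: tag and a stable Cc; it is harmless, but keeping the hunk to the functional change (dropping `init_waitqueue_head(&new_ctx->push_wait);`) and sending the comment correction separately would make the backport smaller to review.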
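Review bot: the xlog_cil_push_background hunk (@@ -937) closes the remove_wait_queue/spin_lock_irqsave use-after-free from the commit message by sleeping on a wait object that outlives the context, but the reasoning that makes one shared queue safe deserves a comment at this site: the task sleeps because cil->xc_ctx is over XLOG_CIL_BLOCKING_SPACE_LIMIT(log), and xlog_cil_push_work now wakes xc_push_wait only when the context it pushes is over that same limit, so a wakeup here corresponds to the push of the context that caused the throttle. The `xlog_wait(...); return;` sequence is still a single sleep with no re-check of the condition afterwards, which is unchanged from the pre-patch code and worth noting in the same comment.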
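Review bot: the new `wait_queue_head_t xc_push_wait;` member in struct xfs_cil (@@ -274 in xfs_log_priv.h) carries only the comment `/* background push throttle */` copied from the removed struct xfs_cil_ctx field; since this struct is ____cacheline_aligned_in_smp and the field is now touched by every committer that hits the throttle as well as by the push worker, the comment should also name the lock that serialises the wait and the wake (the xlog_cil_push_background hunk passes &cil->xc_push_lock to xlog_wait). Placing the field next to xc_push_work, which is used on the same path, is a reasonable choice.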