Received: by 2002:a05:6a10:a0d1:0:0:0:0 with SMTP id j17csp414671pxa; Fri, 21 Aug 2020 10:27:36 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwRGbx0yn/F/8ftqs2DZPLS7pNLSMVaGBfhyY9fKsdi69lKPhaPZBc28N0dMJz2st+jEnKy X-Received: by 2002:a50:fd8d:: with SMTP id o13mr3826657edt.313.1598030856610; Fri, 21 Aug 2020 10:27:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1598030856; cv=none; d=google.com; s=arc-20160816; b=xcKqVeZ9qEYNCoG6XKG8+2wxhqojdqFnqixzXmnsaPH8A+BEoE3AS5ZtQAkD/cn55S QC5LvTFT4n4As/9AFmcJ0Kx3QehxpYujFs+PoYYpmMKHy2xc2XjK+V1dxUvOJc09SUbo IUZs0kYzmeyPbxJvfc5z34cb8BA1H/Cu/Gj7vQSDkRe37qdC7NjZR8iGSo0DGVLFYGYD gFQ+pgx3qFDSiv5S4phoWa9ShehoV9pMzRrrxM+H1Xifq8YO4yxTIaya07HUckaDSD0m eEB4Dz0zoHgXzCHWbn1ZczwEYmhfc3xCinYAoWS9Zkk6eswBGZdZgBY9sqt1Xwh8+aFK 9XGw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Jwh5vrgP2Y7M3wjzujY5/m5Y10bmHCjgk824ZdmRVWk=; b=PNmj43kB7Ju3vJCxFqCzG9Tup83TJbQHPdfuI1UJQPBqbr8dHARzNoir2ROZCBApH2 dDtt+DmbajRTmULUFGbK/44iIy3Mr3bYiP+jQ5soUJlrXTS0X7Dee+00H6J5ulJ/9VbF kSvCLdFkqhh+oBldGiczteO3FXqpQb2vfm3dVXk4MNjz6VsE+12Q8DRHlergWfrRJ5ia t5IWxWihHjc8ns8K+gPSAe1ljoQbSyT64jdhwXnGio1ataM9gwU5UidfsIoeogLU+1rE AfSUFhznyRfVKAYbOpZjmZp9yxwx55z69A6TqqBLU5U5v0eRsdPw8LpI7IhcoRkyIUh+ LUzA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LyOYVY4J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c11si1819555edq.178.2020.08.21.10.27.13; Fri, 21 Aug 2020 10:27:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=LyOYVY4J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729163AbgHURX7 (ORCPT + 99 others); Fri, 21 Aug 2020 13:23:59 -0400 Received: from mail.kernel.org ([198.145.29.99]:48004 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725958AbgHUQPh (ORCPT ); Fri, 21 Aug 2020 12:15:37 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 07BE122B47; Fri, 21 Aug 2020 16:15:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1598026536; bh=AbE0XSedTcpFD59QYQtmmKbDB5Ti6rq3NKID5k4Vz1w=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=LyOYVY4JDzuoNptpugWpfK3wUqIhKKKzfffNxmQyqPg286uFdr4gmocv+wM1omDzA FHy5/cYmDopuzXMI6LzrVreYzWPzcunrgAlqHscM6cD/fYkru2ScavjsQUuU5mhhrL FANtJm6TOhG9umppac+DKTyF33om9F8fE7s8Ju/Q= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Xiubo Li , Jeff Layton , Ilya Dryomov , Sasha Levin , ceph-devel@vger.kernel.org Subject: [PATCH AUTOSEL 5.8 57/62] ceph: fix potential mdsc use-after-free crash Date: Fri, 21 Aug 2020 12:14:18 -0400 Message-Id: <20200821161423.347071-57-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200821161423.347071-1-sashal@kernel.org> References: <20200821161423.347071-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xiubo Li [ Upstream commit fa9967734227b44acb1b6918033f9122dc7825b9 ] Make sure the delayed work stopped before releasing the resources. cancel_delayed_work_sync() will only guarantee that the work finishes executing if the work is already in the ->worklist. That means after the cancel_delayed_work_sync() returns, it will leave the work requeued if it was rearmed at the end. That can lead to a use after free once the work struct is freed. Fix it by flushing the delayed work instead of trying to cancel it, and ensure that the work doesn't rearm if the mdsc is stopping. URL: https://tracker.ceph.com/issues/46293 Signed-off-by: Xiubo Li Reviewed-by: Jeff Layton Signed-off-by: Ilya Dryomov Signed-off-by: Sasha Levin --- fs/ceph/mds_client.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/fs/ceph/mds_client.c b/fs/ceph/mds_client.c index a50497142e598..d38399847064f 100644 --- a/fs/ceph/mds_client.c +++ b/fs/ceph/mds_client.c @@ -4283,6 +4283,9 @@ static void delayed_work(struct work_struct *work) dout("mdsc delayed_work\n"); + if (mdsc->stopping) + return; + mutex_lock(&mdsc->mutex); renew_interval = mdsc->mdsmap->m_session_timeout >> 2; renew_caps = time_after_eq(jiffies, HZ*renew_interval + @@ -4657,7 +4660,16 @@ void ceph_mdsc_force_umount(struct ceph_mds_client *mdsc) static void ceph_mdsc_stop(struct ceph_mds_client *mdsc) { dout("stop\n"); - cancel_delayed_work_sync(&mdsc->delayed_work); /* cancel timer */ + /* + * Make sure the delayed work stopped before releasing + * the resources. + * + * Because the cancel_delayed_work_sync() will only + * guarantee that the work finishes executing. But the + * delayed work will re-arm itself again after that. + */ + flush_delayed_work(&mdsc->delayed_work); + if (mdsc->mdsmap) ceph_mdsmap_destroy(mdsc->mdsmap); kfree(mdsc->sessions); -- 2.25.1