Received: by 2002:a05:6a10:f347:0:0:0:0 with SMTP id d7csp665661pxu; Thu, 7 Jan 2021 15:11:08 -0800 (PST) X-Google-Smtp-Source: ABdhPJz8jPz0bSYwFd2YsCrcixtqQHjz6GSOVYlhSKyTtOVR9t5s+0R6YDD30oiSA4bBPuWCOBQ+ X-Received: by 2002:aa7:d999:: with SMTP id u25mr3214023eds.297.1610061067763; Thu, 07 Jan 2021 15:11:07 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1610061067; cv=none; d=google.com; s=arc-20160816; b=v/TW997iJX/NStFpCaPaSQwv1lwYe+/xf0DXdTNqSNG16AdqaxoVQpe/KMnormq3o/ sXm6JF6ex1wY+pqgQ5w4uEpbrPBNEfWFOi6a4Osj2wQaw4ZCHe/KlzIK1N+GbbBKl/Jo sblqveo43hHyHYNJhq4e6yb9K2zZUh6YUpX23n2pCwhl9VyGA1VpN+KmCuG2ymlS9RAY V1mhv1NiGSgPkUpX1B2axDF7cq43XyBF0MogeGx24tDHM/+zjo5u7//n1mEMcywxHq0U 0Nusn6T82xG4RUQHPRFzkpNBPazg5EFTYvBtOJ0DW8Qvp0Q4prv0R7WjopolfDlXKp/G iW4Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=3iyas93Xd3n71dYLej+fNpSNMU2nnrmKXbg8DDh2m6I=; b=M2f11ayysuWlWNta/A8ARjlcO6GN9CVZQppFzqjaDSEfrJp1NfeIGEkQYfZ15zS0Ci FILw+iNCfYSju1izT1EHkQxtozkjRexjLOAibL+DHoLRSrm9Hfgbexj60DJKW7Sfqkl9 p6tkqxPTsLnp8zcAB1l2OQbDZgYrMJijl/Gra9rpM2sA/GjSFWlnRaiN4bZQaO2stru/ hHXllqPDrlC0NbTGiQyklxifSHMAB4Izk5xMjSM68TaNIoaYG2JgpdqpGJl5pSPFi0Yi dml62e+Pc38FD5tJ8+SzgYF5ZEj+2OUM66HLW+PxLz0dcGXFcqSTzflh1qHUIX35Mz3K YbDg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MuqTzTgO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i22si2978800edb.413.2021.01.07.15.10.34; Thu, 07 Jan 2021 15:11:07 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=MuqTzTgO; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728140AbhAGXJZ (ORCPT + 99 others); Thu, 7 Jan 2021 18:09:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:53280 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725944AbhAGXJZ (ORCPT ); Thu, 7 Jan 2021 18:09:25 -0500 Received: from mail-pl1-x630.google.com (mail-pl1-x630.google.com [IPv6:2607:f8b0:4864:20::630]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E4A4C0612F4 for ; Thu, 7 Jan 2021 15:08:44 -0800 (PST) Received: by mail-pl1-x630.google.com with SMTP id b8so4674207plx.0 for ; Thu, 07 Jan 2021 15:08:44 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to; bh=3iyas93Xd3n71dYLej+fNpSNMU2nnrmKXbg8DDh2m6I=; b=MuqTzTgO8erYRwjZdS8746g8JXjtOqAXaegqafRnww/2qDkdrh5R6PdFhNwMWvrcEV IFBCbTe8sWpUsWoc109YTf95HgR92mg8ajHAChZ0ZyTy66KRFrpQc+gALbQ5ZOvH3LFx ZWhGrhw2eZyuFi3Jq/MYGejc+KWaHIXYXLTVCC1+pa0pdAc/B+k3j506PN1zvjxUQwMe zMt9wBoV+dsMcUjvtMa5DUpF8Jpdv3L+sScJKnY0vbf9DT32d9hFcdUo+TMeu5Xc/7FD rCE3VmrTFhCZg+pRWfXztHpYviu0XfD37WGVNjOh57m6CO+5JPNO/ZWANmrI3gJT7qlC /Zog== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:message-id:references :mime-version:content-disposition:in-reply-to; bh=3iyas93Xd3n71dYLej+fNpSNMU2nnrmKXbg8DDh2m6I=; b=NrSRyEg8S2y+IJSjtMVUmp0+kwlWWlepj7/gFPOKlISpsian9P0XJRThScT4OdtN3u 77LdaD1tVzrQUjf7iUddg+90HxBz0a6+8s+rV43YNE1Xu/3bRlvHfIjS49LtC4f+0iBH aI28tkgWpL8aV/zaQHTAxZS/0yZp/t/Y5XQuNALotZoHVK5wmdyTNrqeP4j+SDemnssh 2HAADjt68JTdvErAo2yYaFdb/5MiHp4/2g26K2+kBm3wTN1xUWEeR40U+VQR0K7u5trC 8mTW0yo8aJ903bFkid1y6hJKDOudixtepJPa3gsu4qDk2a3WUyNcF88LMI9oQt1t/iS0 uRvg== X-Gm-Message-State: AOAM5305EqvIrN0vApA22QzvIT6Vblo0scBBLNLNkj3JJ9C445SFJt/X 9KmPWwq3pmLlVpMCvC92GdKlZw== X-Received: by 2002:a17:902:67:b029:dc:3cdb:6e50 with SMTP id 94-20020a1709020067b02900dc3cdb6e50mr1028679pla.61.1610060924147; Thu, 07 Jan 2021 15:08:44 -0800 (PST) Received: from google.com (139.60.82.34.bc.googleusercontent.com. [34.82.60.139]) by smtp.gmail.com with ESMTPSA id y5sm7176228pfp.45.2021.01.07.15.08.43 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 07 Jan 2021 15:08:43 -0800 (PST) Date: Thu, 7 Jan 2021 23:08:39 +0000 From: Satya Tangirala To: Bob Peterson Cc: Christoph Hellwig , Alexander Viro , linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Jens Axboe Subject: Re: [PATCH] fs: Fix freeze_bdev()/thaw_bdev() accounting of bd_fsfreeze_sb Message-ID: References: <20201224044954.1349459-1-satyat@google.com> <20210107162000.GA2693@lst.de> <1137375419.42956970.1610036857271.JavaMail.zimbra@redhat.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1137375419.42956970.1610036857271.JavaMail.zimbra@redhat.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 07, 2021 at 11:27:37AM -0500, Bob Peterson wrote: > ----- Original Message ----- > > Can someone pick this up? Maybe through Jens' block tree as that is > > where my commit this is fixing up came from. > Christoph and Al, > > Here is my version: > > Bob Peterson > > fs: fix freeze count problem in freeze_bdev > > Before this patch, if you tried to freeze a device (function freeze_bdev) > while it was being unmounted, it would get NULL back from get_active_super > and correctly bypass the freeze calls. Unfortunately, it forgot to decrement > its bd_fsfreeze_count. Subsequent calls to device thaw (thaw_bdev) would > see the non-zero bd_fsfreeze_count and assume the bd_fsfreeze_sb value was > still valid. That's not a safe assumption and resulted in use-after-free, > which often caused fatal kernel errors like: "unable to handle page fault > for address." > > This patch adds the necessary decrement of bd_fsfreeze_count for that > error path. It also adds code to set the bd_fsfreeze_sb to NULL when the > last reference is reached in thaw_bdev. > > Reviewed-by: Bob Peterson > --- > fs/block_dev.c | 5 ++++- > 1 file changed, 4 insertions(+), 1 deletion(-) > > diff --git a/fs/block_dev.c b/fs/block_dev.c > index 9e56ee1f2652..c6daf7d12546 100644 > --- a/fs/block_dev.c > +++ b/fs/block_dev.c > @@ -555,8 +555,10 @@ int freeze_bdev(struct block_device *bdev) > goto done; > > sb = get_active_super(bdev); > - if (!sb) > + if (!sb) { > + bdev->bd_fsfreeze_count--; > goto sync; > + } > if (sb->s_op->freeze_super) > error = sb->s_op->freeze_super(sb); > else > @@ -600,6 +602,7 @@ int thaw_bdev(struct block_device *bdev) > if (!sb) > goto out; > > + bdev->bd_fsfreeze_sb = NULL; This causes bdev->bd_fsfreeze_sb to be set to NULL even if the call to thaw_super right after this line fail. So if a caller tries to call thaw_bdev() again after receiving such an error, that next call won't even try to call thaw_super(). Is that what we want here? (I don't know much about this code, but from a cursory glance I think this difference is visible to emergency_thaw_bdev() in fs/buffer.c) In my version of the patch, I set bdev->bd_fsfreeze_sb to NULL only *after* we check that the call to thaw_super() succeeded to avoid this. > if (sb->s_op->thaw_super) > error = sb->s_op->thaw_super(sb); > else > In another mail, you mentioned > I wrote this patch to fix the freeze/thaw device problem before I saw > the patch "fs: Fix freeze_bdev()/thaw_bdev() accounting of bd_fsfreeze_sb" > from Satya Tangirala. That one, however, does not fix the bd_freeze_count > problem and this patch does. Thanks a lot for investigating the bug and the patch I sent :) Was there actually an issue with that patch I sent? As you said, the bug is very reproduceable on master with generic/085. But with my patch, I don't see any issues even after having run the test many, many times (admittedly, I tested it on f2fs and ext4 rather than gfs2, but I don't think that should cause much differences). Did you have a test case that actually causes a failure with my patch? The only two differences between the patch I sent and this patch are 1) The point at which the bd_fsfreeze_bd is set to NULL in thaw_bdev(), as I mentioned above already. 2) Whether or not to decrement bd_fsfreeze_count when we get a NULL from get_active_super() in freeze_bdev() - I don't do this in my patch. I think setting bd_fsfreeze_sb to NULL in thaw_bdev (in either the place your patch does it or my patch does it) is enough to fix the bug w.r.t the use-after-free. Fwiw, I do think it should be set to NULL after we check for all the errors though. I think the second difference (decrementing bd_fsfreeze_count when get_active_super() returns NULL) doesn't change anything w.r.t the use-after-free. It does however, change the behaviour of the function slightly, and it might be caller visible (because from a cursory glance, it looks like we're reading the bd_fsfreeze_count from some other places like fs/super.c). Even before 040f04bd2e82, the code wouldn't decrement bd_fsfreeze_count when get_active_super() returned NULL - so is this change in behaviour intentional? And if so, maybe it should go in a separate patch?