Date: Fri, 26 Mar 2021 14:56:30 +0100
From: Greg KH
To: Anirudh Rayabharam
Cc: shaggy@kernel.org, jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+5d2008bd1f1b722ba94e@syzkaller.appspotmail.com, Hillf Danton
Subject: Re: [PATCH resend] jfs: fix use-after-free in lbmIODone
References: <20210322161147.5593-1-mail@anirudhrb.com>
In-Reply-To: <20210322161147.5593-1-mail@anirudhrb.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 22, 2021 at 09:41:47PM +0530, Anirudh Rayabharam wrote:
> Fix use-after-free by waiting for ongoing IO to complete before freeing
> lbufs in lbmLogShutdown. Add a counter in struct jfs_log to keep track
> of the number of in-flight IO operations and a wait queue to wait on for
> the IO operations to complete.
>
> Reported-by: syzbot+5d2008bd1f1b722ba94e@syzkaller.appspotmail.com
> Suggested-by: Hillf Danton
> Signed-off-by: Anirudh Rayabharam
> ---
> fs/jfs/jfs_logmgr.c | 17 ++++++++++++++---
> fs/jfs/jfs_logmgr.h | 2 ++
> 2 files changed, 16 insertions(+), 3 deletions(-)
>
> diff --git a/fs/jfs/jfs_logmgr.c b/fs/jfs/jfs_logmgr.c
> index 9330eff210e0..82d20c4687aa 100644
> --- a/fs/jfs/jfs_logmgr.c
> +++ b/fs/jfs/jfs_logmgr.c
> @@ -1815,6 +1815,8 @@ static int lbmLogInit(struct jfs_log * log) > */ > init_waitqueue_head(&log->free_wait); > > + init_waitqueue_head(&log->io_waitq); > + > log->lbuf_free = NULL; > > for (i = 0; i < LOGPAGES;) { > @@ -1864,6 +1866,7 @@ static void lbmLogShutdown(struct jfs_log * log) > struct lbuf *lbuf; > > jfs_info("lbmLogShutdown: log:0x%p", log); > + wait_event(log->io_waitq, !atomic_read(&log->io_inflight)); > > lbuf = log->lbuf_free; > while (lbuf) {
> @@ -1990,6 +1993,8 @@ static int lbmRead(struct jfs_log * log, int pn, struct lbuf ** bpp) > bio->bi_end_io = lbmIODone; > bio->bi_private = bp; > bio->bi_opf = REQ_OP_READ; > + > + atomic_inc(&log->io_inflight); > /*check if journaling to disk has been disabled*/ > if (log->no_integrity) { > bio->bi_iter.bi_size = 0; > @@ -2135,6 +2140,7 @@ static void lbmStartIO(struct lbuf * bp) > bio->bi_private = bp; > bio->bi_opf = REQ_OP_WRITE | REQ_SYNC; > > + atomic_inc(&log->io_inflight);

Why use an atomic for this? The value can change after you test for it, as there's no lock involved.

Do you really need to keep track of all of these "inflight"? That feels very "heavy" to me.

jfs developers, any ideas?

thanks,

greg k-h
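Review bot: in the lbmLogInit hunk the new counter is never explicitly zeroed: `init_waitqueue_head(&log->io_waitq);` is added, but there is no matching `atomic_set(&log->io_inflight, 0);`. That is only safe if struct jfs_log comes from a zeroing allocator; otherwise the wait in lbmLogShutdown can read garbage and either return early (re-opening the use-after-free) or block forever. Adding the atomic_set next to the waitqueue init makes the invariant explicit either way.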
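Review bot: in the lbmLogShutdown hunk, `wait_event(log->io_waitq, !atomic_read(&log->io_inflight));` only closes the reported use-after-free if the completion side decrements io_inflight and calls wake_up() on io_waitq strictly after its last access to the lbuf and to log, and that side is not among the hunks shown. The commit message should say which function performs the decrement and where, because a decrement placed before lbmIODone is finished with bp just moves the use-after-free rather than fixing it. This wait is also uninterruptible with no timeout, so any path that increments without completing hangs shutdown; a comment above the wait_event stating that assumption would help future readers.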
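Review bot: in the lbmRead hunk, `atomic_inc(&log->io_inflight);` sits before the `if (log->no_integrity)` branch, so the no-integrity path (which sets `bio->bi_iter.bi_size = 0;`) must also end in whatever completes the bio and decrements the counter; if it returns without going through the completion handler the count leaks and the new wait in lbmLogShutdown never returns. Either move the increment to the path that actually submits the bio or confirm that both branches reach the same completion routine.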
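Review bot: the `atomic_inc(&log->io_inflight);` in the lbmStartIO hunk has the same balance requirement as the one in lbmRead, and the hunk shows neither the submission that follows it nor where `log` comes from (lbmStartIO takes only `bp`), so the pairing has to be verified from context outside the diff. A one-line comment at each increment naming the function that performs the matching decrement would make the pairing auditable.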