From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Brian Foster, Dave Chinner, "Darrick J. Wong", Leah Rumancik
Subject: [PATCH 5.15 025/201] xfs: fix perag reference leak on iteration race with growfs
Date: Wed, 27 Jul 2022 18:08:49 +0200
Message-Id: <20220727161027.934257844@linuxfoundation.org>
In-Reply-To: <20220727161026.977588183@linuxfoundation.org>

From: Brian Foster

[ Upstream commit 892a666fafa19ab04b5e948f6c92f98f1dafb489 ]

The for_each_perag*() set of macros are hacky in that some (i.e. those based on sb_agcount) rely on the assumption that perag iteration terminates naturally with a NULL perag at the specified end_agno. Others allow for the final AG to have a valid perag and require the calling function to clean up any potential leftover xfs_perag reference on termination of the loop.

Aside from providing a subtly inconsistent interface, the former variant is racy with growfs because growfs can create discoverable post-eofs perags before the final superblock update that completes the grow operation and increases sb_agcount. This leads to the following assert failure (reproduced by xfs/104) in the perag free path during unmount:

XFS: Assertion failed: atomic_read(&pag->pag_ref) == 0, file: fs/xfs/libxfs/xfs_ag.c, line: 195

This occurs because one of the many for_each_perag() loops in the code that is expected to terminate with a NULL pag (and thus has no post-loop xfs_perag_put() check) raced with a growfs and found a non-NULL post-EOFS perag, but terminated naturally based on the end_agno check without releasing the post-EOFS perag.

Rework the iteration logic to lift the agno check from the main for loop conditional to the iteration helper function. The for loop now purely terminates on a NULL pag and xfs_perag_next() avoids taking a reference to any perag beyond end_agno in the first place.

Fixes: f250eedcf762 ("xfs: make for_each_perag... a first class citizen")
Signed-off-by: Brian Foster
Reviewed-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
Acked-by: Darrick J. Wong
Signed-off-by: Greg Kroah-Hartman

--- fs/xfs/libxfs/xfs_ag.h | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) --- a/fs/xfs/libxfs/xfs_ag.h +++ b/fs/xfs/libxfs/xfs_ag.h
@@ -116,30 +116,26 @@ void xfs_perag_put(struct xfs_perag *pag /* * Perag iteration APIs - * - * XXX: for_each_perag_range() usage really needs an iterator to clean up when - * we terminate at end_agno because we may have taken a reference to the perag - * beyond end_agno. Right now callers have to be careful to catch and clean that - * up themselves. This is not necessary for the callers of for_each_perag() and - * for_each_perag_from() because they terminate at sb_agcount where there are - * no perag structures in tree beyond end_agno. */ static inline struct xfs_perag * xfs_perag_next( struct xfs_perag *pag, - xfs_agnumber_t *agno) + xfs_agnumber_t *agno, + xfs_agnumber_t end_agno) { struct xfs_mount *mp = pag->pag_mount; *agno = pag->pag_agno + 1; xfs_perag_put(pag); + if (*agno > end_agno) + return NULL; return xfs_perag_get(mp, *agno); } #define for_each_perag_range(mp, agno, end_agno, pag) \ for ((pag) = xfs_perag_get((mp), (agno)); \ - (pag) != NULL && (agno) <= (end_agno); \ - (pag) = xfs_perag_next((pag), &(agno))) + (pag) != NULL; \ + (pag) = xfs_perag_next((pag), &(agno), (end_agno))) #define for_each_perag_from(mp, agno, pag) \ for_each_perag_range((mp), (agno), (mp)->m_sb.sb_agcount - 1, (pag))
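Review bot: The initial lookup in for_each_perag_range(), `for ((pag) = xfs_perag_get((mp), (agno));`, is not bounded by end_agno now that `(agno) <= (end_agno)` has been dropped from the loop condition. The new `if (*agno > end_agno)` check in xfs_perag_next() only guards the advance step, so a caller that enters with agno already past end_agno will run the loop body once on whatever perag xfs_perag_get() finds there, which during a growfs can be a post-EOFS perag. Consider applying the same bound to the first lookup, or documenting that callers must pass agno <= end_agno. Separately, the deleted XXX comment leaves the "Perag iteration APIs" block with no description of the reference contract; a short replacement stating that natural termination leaves no reference held, while a `break` out of the loop still leaves one that the caller must drop with xfs_perag_put(), would help future callers.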