Received: by 2002:a89:48b:0:b0:1f5:f2ab:c469 with SMTP id a11csp888225lqd; Wed, 24 Apr 2024 22:41:36 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCXj2UxCaQJKwFpABEMBYrhnCumS6Sz2bza/D37XRs8dDmSL8TarbvQ1qIbajgm7lsyzjRhDSBkeyPnMtB8XEZ0a0URtyTzZQbvR0cW2AQ== X-Google-Smtp-Source: AGHT+IFVFjw8N2X8HD4ySl9C+teqyv1TaEYVl6kkuEBdVgfXhZElrsPtmcSxVAbLuW9RIFfO5g/H X-Received: by 2002:a0c:fa4e:0:b0:6a0:7d8e:b1f7 with SMTP id k14-20020a0cfa4e000000b006a07d8eb1f7mr4801573qvo.0.1714023696523; Wed, 24 Apr 2024 22:41:36 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714023696; cv=pass; d=google.com; s=arc-20160816; b=d7u9CMAcWfEK3mTy42tgzJvF96b51JAwT+yTRLgvN2XGQ4Gze/LFdkaS16kC1m2P61 l0v+WzyEEujt/i/xjAsjb6gQgiCi9XZi5cMaLIXBMA5aCJ0YGuncLOLpJmvQ/ga/fLJ2 1aXoGG5qNwRwvYnAvCcaT47CYC4y0G71PdooXjNYvBRAxpNi1RIurWxi/KPwmG4oUuuK 2G7L0y2ME53t2Td3qUeKdPmpFyiIlYQWc6o3B/wBAjg3sD/qZ1f2c2NgpRlTJPfni+sU p6LbDBPihTu+eeMvKBr+Mh66tgc2jEP2Qd5TkLv7NzWePnTpMdZs8lQohA+bc3soY8GC CCfg== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=content-transfer-encoding:in-reply-to:from:references:cc:to:subject :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id :precedence:date:message-id:dkim-signature; bh=LiVVv+CXcN+CvM+zB+3igsIJaaE0zH8C5SDY181CcQk=; fh=mFzstAbGMttJ+q+ci6LrSQX9Ixg9Y/M/u7eGG1YYSws=; b=zj8wS5yhLkrLv4Yebc2ZGRWaDlzAQkaPNQ6IeIc9QlpLUfGeZUSxKiprB8uCDR/n8h 6LLFFKrUVQcKzvn2YRdp3RyA+dEP20bphKQuohHuuecZ7f8unqdwPjg9wwLXUC2FKadq 0EzD7e1RpD3H1z1JYatlbutMmsusgLqirevHdaSo0iV/1ZMBpq25ANdYT10kbaaRRElU caD3UACFMZXI7N5IRII7M5xVaN1a7Arva2sUNUPOF8BrCzBDjRtXMk8ydD41yzQpjFVY 0k/hdYL5hcpWk1m1ErIfQLBh27WjecobrPrnwMz1LZL7iIh81g6JHxg7pmXTF8qgxjSI 8joQ==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@bytedance.com header.s=google header.b=Z0pDTZgx; arc=pass (i=1 spf=pass spfdomain=bytedance.com dkim=pass dkdomain=bytedance.com dmarc=pass fromdomain=bytedance.com); spf=pass (google.com: domain of linux-kernel+bounces-158029-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158029-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=bytedance.com Return-Path: Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [2604:1380:45d1:ec00::1]) by mx.google.com with ESMTPS id q15-20020a05621419ef00b006a0919634c9si4451363qvc.91.2024.04.24.22.41.36 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 24 Apr 2024 22:41:36 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-158029-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) client-ip=2604:1380:45d1:ec00::1; Authentication-Results: mx.google.com; dkim=pass header.i=@bytedance.com header.s=google header.b=Z0pDTZgx; arc=pass (i=1 spf=pass spfdomain=bytedance.com dkim=pass dkdomain=bytedance.com dmarc=pass fromdomain=bytedance.com); spf=pass (google.com: domain of linux-kernel+bounces-158029-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:45d1:ec00::1 as permitted sender) smtp.mailfrom="linux-kernel+bounces-158029-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=bytedance.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ny.mirrors.kernel.org (Postfix) with ESMTPS id 3768E1C211D1 for ; Thu, 25 Apr 2024 05:41:36 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id 6817F3C099; Thu, 25 Apr 2024 05:41:30 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b="Z0pDTZgx" Received: from mail-pf1-f169.google.com (mail-pf1-f169.google.com [209.85.210.169]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id F00E43BBEA for ; Thu, 25 Apr 2024 05:41:27 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.210.169 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714023689; cv=none; b=sLKK7yGhS7dCBWwpRWOHnpr/+HIxA0fVBUggnOYCGNmXg2m9BgfZA6RQNl6JjIc2kLHH4527m0WTOpMok8FIIKmMyye0UKhQRW9Sf+ZYislMW9kWrY62LVKM5dLvi/Uij82oHzSxljymRPWfpr0oLEXijpWiDDRNVThTKHQbiHw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714023689; c=relaxed/simple; bh=EJTC3wowI1j2u2TKzcLePfke7haCbSp9UOfnO38aLsw=; h=Message-ID:Date:MIME-Version:Subject:To:Cc:References:From: In-Reply-To:Content-Type; b=Nr15xLxMrpFXf+UYgNpUipC0YM8ePnve5/pertBm7TI2Yw8w6fyJABpFUUKwcJdLEiCuO0/VmswnyDx5TYN3Rezk1Emws6QHnFFpPZcaOEvZGTlSUIqVVHOdLb4PHUpbpedlH/1OSd0h9bxwMXnSHQWyLUtMZcNV0/S/MtZOooY= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com; spf=pass smtp.mailfrom=bytedance.com; dkim=pass (2048-bit key) header.d=bytedance.com header.i=@bytedance.com header.b=Z0pDTZgx; arc=none smtp.client-ip=209.85.210.169 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=quarantine dis=none) header.from=bytedance.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=bytedance.com Received: by mail-pf1-f169.google.com with SMTP id d2e1a72fcca58-6ecff9df447so638644b3a.1 for ; Wed, 24 Apr 2024 22:41:27 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bytedance.com; s=google; t=1714023687; x=1714628487; darn=vger.kernel.org; h=content-transfer-encoding:in-reply-to:from:references:cc:to:subject :user-agent:mime-version:date:message-id:from:to:cc:subject:date :message-id:reply-to; bh=LiVVv+CXcN+CvM+zB+3igsIJaaE0zH8C5SDY181CcQk=; b=Z0pDTZgxcfwcesXia1wJRS9dt9hJ40n7xfQfhvhIvateALKUbfdTJpwZV2HRcQtO4q 4+QnDt/wYZEjcw2CToBQ6pXYEhQQ8QhCR/T+W6h+jV08oiysmY8tjPBiXYhrLTrml69r cjh68P9+NuBDtifHELS9ofoANW0QvBvSEDMK9RH1iI3LrsDiMHYbwnZI4uuSf/tdMbmC bn2V39ZMkwQa2kBhv4eNeM2IobLGyOSKCNa1vYsLA/BxBu2fZ6lIvEef9usvCJbyQ0Oy yHQq+0PUEnptnT/m3/AMLzHZoAX/fAN+x14/acGlnArhiGX65Sj3h8vHA9fMmMMJ2Nyv l44w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714023687; x=1714628487; h=content-transfer-encoding:in-reply-to:from:references:cc:to:subject :user-agent:mime-version:date:message-id:x-gm-message-state:from:to :cc:subject:date:message-id:reply-to; bh=LiVVv+CXcN+CvM+zB+3igsIJaaE0zH8C5SDY181CcQk=; b=IYcCbGHCZqxkR/9mHTAzHT2y6eYuXTkOdVEbm7rpkb/6lk4XG8VhjsPDlAE3LZqOFc nQPs5p2SY4v5fk/ob9n50/IbmGKbdHkTyNm+zROvcdc7JJb7WSpwClebzjC2iON+JGcC xVnBBJD0FbgjWTlCRX6pTi9beTULDcTHw8k2x0LrVRevePao24xYMUj6RM6+ly5IMaPL 0oeSX+zvUFXbOYyx1pNNUyKsmQhuyY2geIhyceH1r4ry8DzLhf+6GI0AnMeypHaVBksF ogGb52sW93s1wIYF/MzCZbKHhMDf1M7IG5OJz91Ss5pjhKV9OSgInI1ZJ6ZPUMVvFBca GTgA== X-Forwarded-Encrypted: i=1; AJvYcCWu+zmi9pv9zvqvXMUJGT3Chd1NOLW6Lr+1eLv0zTCg47gQJ/aNs+mg3m27jIIrsXaIBVW1dUVByv8XuM/JRnc4tUkWVKve+NBYrWCt X-Gm-Message-State: AOJu0Ywxijq0MvmmloRcxU3dn1jGuhDTmDQ7vC0Qz71ldNrNXk0L62VD /rRoyud6zEJ/ea+0KXEn+R+9qXHZrAvYDlJO1Nk81HuoYEgpBjunodaDyWuWoP7X+7vYgha2IL3 4 X-Received: by 2002:a05:6a00:1492:b0:6ed:1c7:8c5d with SMTP id v18-20020a056a00149200b006ed01c78c5dmr5655256pfu.12.1714023687307; Wed, 24 Apr 2024 22:41:27 -0700 (PDT) Received: from [10.3.132.118] ([61.213.176.14]) by smtp.gmail.com with ESMTPSA id a5-20020aa78e85000000b006e554afa254sm12333974pfr.38.2024.04.24.22.41.23 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 24 Apr 2024 22:41:26 -0700 (PDT) Message-ID: <8572a732-ca12-48d7-817c-d8218d536c0c@bytedance.com> Date: Thu, 25 Apr 2024 13:41:20 +0800 Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Subject: Re: [PATCH 3/5] cachefiles: flush ondemand_object_worker during clean object To: libaokun@huaweicloud.com, netfs@lists.linux.dev Cc: dhowells@redhat.com, jlayton@kernel.org, jefflexu@linux.alibaba.com, linux-cachefs@redhat.com, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, Hou Tao , Baokun Li , zhujia.zj@bytedance.com References: <20240424033409.2735257-1-libaokun@huaweicloud.com> <20240424033409.2735257-4-libaokun@huaweicloud.com> From: Jia Zhu In-Reply-To: <20240424033409.2735257-4-libaokun@huaweicloud.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit Thanks for catching this. How about adding a Fixes tag. Reviewed-by: Jia Zhu 在 2024/4/24 11:34, libaokun@huaweicloud.com 写道: > From: Hou Tao > > When queuing ondemand_object_worker() to re-open the object, > cachefiles_object is not pinned. The cachefiles_object may be freed when > the pending read request is completed intentionally and the related > erofs is umounted. If ondemand_object_worker() runs after the object is > freed, it will incur use-after-free problem as shown below. > > process A processs B process C process D > > cachefiles_ondemand_send_req() > // send a read req X > // wait for its completion > > // close ondemand fd > cachefiles_ondemand_fd_release() > // set object as CLOSE > > cachefiles_ondemand_daemon_read() > // set object as REOPENING > queue_work(fscache_wq, &info->ondemand_work) > > // close /dev/cachefiles > cachefiles_daemon_release > cachefiles_flush_reqs > complete(&req->done) > > // read req X is completed > // umount the erofs fs > cachefiles_put_object() > // object will be freed > cachefiles_ondemand_deinit_obj_info() > kmem_cache_free(object) > // both info and object are freed > ondemand_object_worker() > > When dropping an object, it is no longer necessary to reopen the object, > so use cancel_work_sync() to cancel or wait for ondemand_object_worker() > to complete. > > Signed-off-by: Hou Tao > Signed-off-by: Baokun Li > --- > fs/cachefiles/ondemand.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/fs/cachefiles/ondemand.c b/fs/cachefiles/ondemand.c > index d24bff43499b..f6440b3e7368 100644 > --- a/fs/cachefiles/ondemand.c > +++ b/fs/cachefiles/ondemand.c > @@ -589,6 +589,9 @@ void cachefiles_ondemand_clean_object(struct cachefiles_object *object) > } > } > xa_unlock(&cache->reqs); > + > + /* Wait for ondemand_object_worker() to finish to avoid UAF. */ > + cancel_work_sync(&object->ondemand->ondemand_work); > } > > int cachefiles_ondemand_init_obj_info(struct cachefiles_object *object,