Received: by 2002:a05:6a10:17d3:0:0:0:0 with SMTP id hz19csp125549pxb; Fri, 16 Apr 2021 01:07:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzHFJ7yGEhoeQuSEyWDklu+Nx9FtSPNu98/nxPvldYOMWkba5fwtg00M5y1HMgXosmi+7cT X-Received: by 2002:a63:d309:: with SMTP id b9mr6927763pgg.96.1618560479020; Fri, 16 Apr 2021 01:07:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1618560479; cv=none; d=google.com; s=arc-20160816; b=AI5OX5jGoPxw7fu3YyuWGJCjxm8OpAD3JVhffUxEvD9DN70VsR5Rm/+jBJOT5zomGQ BbWPBPQedk0yt+qAQs3gGj0jBasdP10MbDdkEGAeS1tbFdLG0AQHbOoUX4YU0zkjMDNq 7IL5qH8ijlvgbtD/EEBN96W8t6XmFwzoxBJQb4E3THqpEEOt1HzCRK+qWrgSqiIJk2Wa J9ch9f2cnJWYz+JqvWcwsS2Al4GU0KsCQ1AwQVIAwBwfcgTmaO3K0+NmOVNIgA726q+Q 1qDOxvgq43TuM8rZllQOhgrhaTBV9ElKYWit5AiQHi3A5gTsM7ZOhDNGB7g4ebwT3fUe 2e9g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :cc:to:subject; bh=P5kkgddOFKJPHrtaWeC/u59eYVh2xNTnHdPx6Qaabss=; b=GeuSscPx6nyep8l299dAtMiAp9TYOgU5poHZdB3rBkrQJn/DzD1fpwPm4JWk1FP6Vx hsDB3QOVs3cYoz2e6aBdlGVDUO1Z0RWdk0ZA3gh+Q6XW3cYVjP8kAytwBE3ZC8N6jnP2 c9DypSFDetYG4qe9yY6QLgQXoGcvGBF2bQluLu3Hm5CrvQ8Y/WPXZZ/vnJvJzvi5YELu nO//wU8VFEEa0o29lSILHJrdvaly+JyEzOPBo7hsAC4xeX9Jg+4yPjP4F/gYUMXkTBxi XfS36ktBWhvJ7Ce+QqJbh9CmU3W30KMaGCn1YVPTCZlRJeD/cjmFGsnxKktBKWqqGywe Hluw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id f185si5719040pfb.190.2021.04.16.01.07.43; Fri, 16 Apr 2021 01:07:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-ext4-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-ext4-owner@vger.kernel.org; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239429AbhDPIBW (ORCPT + 99 others); Fri, 16 Apr 2021 04:01:22 -0400 Received: from szxga05-in.huawei.com ([45.249.212.191]:16468 "EHLO szxga05-in.huawei.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S237986AbhDPIBV (ORCPT ); Fri, 16 Apr 2021 04:01:21 -0400 Received: from DGGEMS411-HUB.china.huawei.com (unknown [172.30.72.60]) by szxga05-in.huawei.com (SkyGuard) with ESMTP id 4FM7rF5mHJzwS9k; Fri, 16 Apr 2021 15:58:37 +0800 (CST) Received: from [10.174.176.202] (10.174.176.202) by DGGEMS411-HUB.china.huawei.com (10.3.19.211) with Microsoft SMTP Server id 14.3.498.0; Fri, 16 Apr 2021 16:00:48 +0800 Subject: Re: [RFC PATCH v2 7/7] ext4: fix race between blkdev_releasepage() and ext4_put_super() To: Christoph Hellwig CC: , , , , , References: <20210414134737.2366971-1-yi.zhang@huawei.com> <20210414134737.2366971-8-yi.zhang@huawei.com> <20210415145235.GD2069063@infradead.org> From: Zhang Yi Message-ID: Date: Fri, 16 Apr 2021 16:00:48 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:78.0) Gecko/20100101 Thunderbird/78.3.1 MIME-Version: 1.0 In-Reply-To: <20210415145235.GD2069063@infradead.org> Content-Type: text/plain; charset="utf-8" Content-Language: en-US Content-Transfer-Encoding: 7bit X-Originating-IP: [10.174.176.202] X-CFilter-Loop: Reflected Precedence: bulk List-ID: X-Mailing-List: linux-ext4@vger.kernel.org Hi, Christoph On 2021/4/15 22:52, Christoph Hellwig wrote: > On Wed, Apr 14, 2021 at 09:47:37PM +0800, Zhang Yi wrote: >> There still exist a use after free issue when accessing the journal >> structure and ext4_sb_info structure on freeing bdev buffers in >> bdev_try_to_free_page(). The problem is bdev_try_to_free_page() could be >> raced by ext4_put_super(), it dose freeing sb->s_fs_info and >> sbi->s_journal while release page progress are still accessing them. >> So it could end up trigger use-after-free or NULL pointer dereference. > > I think the right fix is to not even call into ->bdev_try_to_free_page > unless the superblock is active. > . > Thanks for your suggestions. Now, we use already use "if (bdev->bd_super)" to prevent call into ->bdev_try_to_free_page unless the super is alive, and the problem is bd_super becomes NULL concurrently after this check. So, IIUC, I think it's the same to switch to check the superblock is active or not. The acvive flag also could becomes inactive (raced by umount) after we call into bdev_try_to_free_page(). In order to close this race, One solution is introduce a lock to synchronize the active state between kill_block_super() and blkdev_releasepage(), but the releasing page process have to try to acquire this lock in blkdev_releasepage() for each page, and the umount process still need to wait until the page release if some one invoke into ->bdev_try_to_free_page(). I think this solution may affect performace and is not a good way. Think about it in depth, use percpu refcount seems have the smallest performance effect on blkdev_releasepage(). If you don't like the refcount, maybe we could add synchronize_rcu_expedited() in ext4_put_super(), it also could prevent this race. Any suggestions? Thanks, Yi.