From patchwork Mon Jul 29 16:19:30 2024
X-Patchwork-Submitter: David Howells
X-Patchwork-Id: 13745285
From: David Howells
To: Christian Brauner, Steve French, Matthew Wilcox
Cc: David Howells, Jeff Layton, Gao Xiang, Dominique Martinet, Marc Dionne, Paulo Alcantara, Shyam Prasad N, Tom Talpey, Eric Van Hensbergen, Ilya Dryomov, netfs@lists.linux.dev, linux-afs@lists.infradead.org, linux-cifs@vger.kernel.org, linux-nfs@vger.kernel.org, ceph-devel@vger.kernel.org, v9fs@lists.linux.dev, linux-erofs@lists.ozlabs.org, linux-fsdevel@vger.kernel.org, linux-mm@kvack.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Max Kellermann, stable@vger.kernel.org
Subject: [PATCH 01/24] fs/netfs/fscache_cookie: add missing "n_accesses" check
Date: Mon, 29 Jul 2024 17:19:30 +0100
Message-ID: <20240729162002.3436763-2-dhowells@redhat.com>
In-Reply-To: <20240729162002.3436763-1-dhowells@redhat.com>
References: <20240729162002.3436763-1-dhowells@redhat.com>
MIME-Version: 1.0
From: Max Kellermann

This fixes a NULL pointer dereference bug due to a data race which
looks like this:

 BUG: kernel NULL pointer dereference, address: 0000000000000008
 #PF: supervisor read access in kernel mode
 #PF: error_code(0x0000) - not-present page
 PGD 0 P4D 0
 Oops: 0000 [#1] SMP PTI
 CPU: 33 PID: 16573 Comm: kworker/u97:799 Not tainted 6.8.7-cm4all1-hp+ #43
 Hardware name: HP ProLiant DL380 Gen9/ProLiant DL380 Gen9, BIOS P89 10/17/2018
 Workqueue: events_unbound netfs_rreq_write_to_cache_work
 RIP: 0010:cachefiles_prepare_write+0x30/0xa0
 Code: 57 41 56 45 89 ce 41 55 49 89 cd 41 54 49 89 d4 55 53 48 89 fb 48 83 ec 08 48 8b 47 08 48 83 7f 10 00 48 89 34 24 48 8b 68 20 <48> 8b 45 08 4c 8b 38 74 45 49 8b 7f 50 e8 4e a9 b0 ff 48 8b 73 10
 RSP: 0018:ffffb4e78113bde0 EFLAGS: 00010286
 RAX: ffff976126be6d10 RBX: ffff97615cdb8438 RCX: 0000000000020000
 RDX: ffff97605e6c4c68 RSI: ffff97605e6c4c60 RDI: ffff97615cdb8438
 RBP: 0000000000000000 R08: 0000000000278333 R09: 0000000000000001
 R10: ffff97605e6c4600 R11: 0000000000000001 R12: ffff97605e6c4c68
 R13: 0000000000020000 R14: 0000000000000001 R15: ffff976064fe2c00
 FS:  0000000000000000(0000) GS:ffff9776dfd40000(0000) knlGS:0000000000000000
 CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
 CR2: 0000000000000008 CR3: 000000005942c002 CR4: 00000000001706f0
 Call Trace:
  ? __die+0x1f/0x70
  ? page_fault_oops+0x15d/0x440
  ? search_module_extables+0xe/0x40
  ? fixup_exception+0x22/0x2f0
  ? exc_page_fault+0x5f/0x100
  ? asm_exc_page_fault+0x22/0x30
  ? cachefiles_prepare_write+0x30/0xa0
  netfs_rreq_write_to_cache_work+0x135/0x2e0
  process_one_work+0x137/0x2c0
  worker_thread+0x2e9/0x400
  ? __pfx_worker_thread+0x10/0x10
  kthread+0xcc/0x100
  ? __pfx_kthread+0x10/0x10
  ret_from_fork+0x30/0x50
  ? __pfx_kthread+0x10/0x10
  ret_from_fork_asm+0x1b/0x30
 Modules linked in:
 CR2: 0000000000000008
 ---[ end trace 0000000000000000 ]---

This happened because fscache_cookie_state_machine() was slow and was
still running while another process invoked fscache_unuse_cookie();
this led to a fscache_cookie_lru_do_one() call, setting the
FSCACHE_COOKIE_DO_LRU_DISCARD flag, which was picked up by
fscache_cookie_state_machine(), withdrawing the cookie via
cachefiles_withdraw_cookie(), clearing cookie->cache_priv.

At the same time, yet another process invoked
cachefiles_prepare_write(), which found a NULL pointer in this code
line:

  struct cachefiles_object *object = cachefiles_cres_object(cres);

The next line crashes, obviously:

  struct cachefiles_cache *cache = object->volume->cache;

During cachefiles_prepare_write(), the "n_accesses" counter is non-zero
(via fscache_begin_operation()). The cookie must not be withdrawn until
it drops to zero.

The counter is checked by fscache_cookie_state_machine() before
switching to FSCACHE_COOKIE_STATE_RELINQUISHING and
FSCACHE_COOKIE_STATE_WITHDRAWING (in "case FSCACHE_COOKIE_STATE_FAILED"),
but not for FSCACHE_COOKIE_STATE_LRU_DISCARDING ("case
FSCACHE_COOKIE_STATE_ACTIVE").

This patch adds the missing check. With a non-zero access counter, the
function returns and the next fscache_end_cookie_access() call will
queue another fscache_cookie_state_machine() call to handle the
still-pending FSCACHE_COOKIE_DO_LRU_DISCARD.

Fixes: 12bb21a29c19 ("fscache: Implement cookie user counting and resource pinning")
Signed-off-by: Max Kellermann
Signed-off-by: David Howells
cc: Jeff Layton
cc: netfs@lists.linux.dev
cc: linux-fsdevel@vger.kernel.org
cc: stable@vger.kernel.org
---
 fs/netfs/fscache_cookie.c | 4 ++++
 1 file changed, 4 insertions(+)

diff --git a/fs/netfs/fscache_cookie.c b/fs/netfs/fscache_cookie.c
index bce2492186d0..d4d4b3a8b106 100644
--- a/fs/netfs/fscache_cookie.c
+++ b/fs/netfs/fscache_cookie.c
@@ -741,6 +741,10 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie) spin_lock(&cookie->lock); } if (test_bit(FSCACHE_COOKIE_DO_LRU_DISCARD, &cookie->flags)) { + if (atomic_read(&cookie->n_accesses) != 0) + /* still being accessed: postpone it */ + break; + __fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_LRU_DISCARDING); wake = true;
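Review bot: the new `break` after `atomic_read(&cookie->n_accesses) != 0` leaves FSCACHE_COOKIE_DO_LRU_DISCARD set and the cookie in FSCACHE_COOKIE_STATE_ACTIVE, so the fix only works if fscache_end_cookie_access() re-queues the state machine when the counter reaches zero; the commit message says so but the code does not, so the comment should name that requeue, e.g. `/* still being accessed: postpone it; the last fscache_end_cookie_access() requeues us */`. Since cookie->lock (taken in the context lines above) serialises the state machine but not the counter, it is also worth stating in the same comment why an access that begins after this atomic_read() returns zero and before the switch to FSCACHE_COOKIE_STATE_LRU_DISCARDING is safe. Minor style point: a comment plus a lone `break` as the body of an unbraced `if` is easy to misread; put the comment above the `if` or add braces.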
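The interleaving the commit message describes, as an added toy C model that is not kernel code: a cookie with its access counter and LRU-discard flag, and a state machine that can run with or without the check this patch adds. Names mirror the patch, but the function bodies are simplifications assumed for illustration.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

/* Toy model of the cookie lifecycle from the commit message (added example,
 * not kernel code): only the LRU-discard path and the access counter. */
enum state { ACTIVE, LRU_DISCARDING, WITHDRAWN };
#define DO_LRU_DISCARD 1u
static int cache_object;			/* stands in for the cachefiles object */
struct cookie {
	enum state state;
	unsigned flags;
	atomic_int n_accesses;			/* operations in flight, e.g. a write */
	int *cache_priv;			/* NULL once the cookie is withdrawn */
};
/* fscache_cookie_state_machine(), with the patch's check behind with_fix. */
static void state_machine(struct cookie *c, bool with_fix)
{
	if (c->state == ACTIVE && (c->flags & DO_LRU_DISCARD)) {
		if (with_fix && atomic_load(&c->n_accesses) != 0)
			return;			/* still being accessed: postpone it */
		c->state = LRU_DISCARDING;
	}
	if (c->state == LRU_DISCARDING) {	/* cachefiles_withdraw_cookie() */
		c->cache_priv = NULL;
		c->state = WITHDRAWN;
	}
}
/* fscache_begin_operation() pins the cookie; the last fscache_end_cookie_access()
 * re-runs the state machine so a postponed discard is picked up. */
static void begin_access(struct cookie *c) { atomic_fetch_add(&c->n_accesses, 1); }
static void end_access(struct cookie *c, bool with_fix)
{
	if (atomic_fetch_sub(&c->n_accesses, 1) == 1 && (c->flags & DO_LRU_DISCARD))
		state_machine(c, with_fix);
}
/* cachefiles_prepare_write(): -1 where the kernel would dereference NULL. */
static int prepare_write(const struct cookie *c) { return c->cache_priv ? 0 : -1; }
/* The interleaving from the oops: a write pins the cookie, the LRU asks for a
 * discard, and the state machine runs before the write proceeds. */
static int race(bool with_fix, enum state *final)
{
	struct cookie c = { .state = ACTIVE, .cache_priv = &cache_object };
	atomic_init(&c.n_accesses, 0);
	begin_access(&c);
	c.flags |= DO_LRU_DISCARD;		/* fscache_cookie_lru_do_one() */
	state_machine(&c, with_fix);
	int rc = prepare_write(&c);		/* -1 without the fix */
	end_access(&c, with_fix);		/* with the fix, the discard happens here */
	*final = c.state;
	return rc;
}
```

Without the check the write sees a withdrawn cookie; with it the discard is deferred to the last end_access() and the cookie still ends up withdrawn.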