From patchwork Thu Jan 11 12:52:23 2018 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Chandan Rajendra X-Patchwork-Id: 10157951 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 4B855601A1 for ; Thu, 11 Jan 2018 12:51:27 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 5BAA428708 for ; Thu, 11 Jan 2018 12:51:27 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 4FDFA2873B; Thu, 11 Jan 2018 12:51:27 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id A6CF328708 for ; Thu, 11 Jan 2018 12:51:26 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S934333AbeAKMvZ (ORCPT ); Thu, 11 Jan 2018 07:51:25 -0500 Received: from mx0b-001b2d01.pphosted.com ([148.163.158.5]:59718 "EHLO mx0a-001b2d01.pphosted.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S934332AbeAKMvX (ORCPT ); Thu, 11 Jan 2018 07:51:23 -0500 Received: from pps.filterd (m0098421.ppops.net [127.0.0.1]) by mx0a-001b2d01.pphosted.com (8.16.0.22/8.16.0.22) with SMTP id w0BCnZYV027663 for ; Thu, 11 Jan 2018 07:51:23 -0500 Received: from e38.co.us.ibm.com (e38.co.us.ibm.com [32.97.110.159]) by mx0a-001b2d01.pphosted.com with ESMTP id 2fe7f02ekx-1 (version=TLSv1.2 cipher=AES256-SHA bits=256 verify=NOT) for ; Thu, 11 Jan 2018 07:51:22 -0500 Received: from localhost by e38.co.us.ibm.com with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted for from ; Thu, 11 Jan 2018 05:51:22 -0700 Received: from b03cxnp08025.gho.boulder.ibm.com (9.17.130.17) by e38.co.us.ibm.com (192.168.1.138) with IBM ESMTP SMTP Gateway: Authorized Use Only! Violators will be prosecuted; Thu, 11 Jan 2018 05:51:19 -0700 Received: from b03ledav002.gho.boulder.ibm.com (b03ledav002.gho.boulder.ibm.com [9.17.130.233]) by b03cxnp08025.gho.boulder.ibm.com (8.14.9/8.14.9/NCO v10.0) with ESMTP id w0BCpJBj12517836; Thu, 11 Jan 2018 05:51:19 -0700 Received: from b03ledav002.gho.boulder.ibm.com (unknown [127.0.0.1]) by IMSVA (Postfix) with ESMTP id 6EA2C13603A; Thu, 11 Jan 2018 05:51:19 -0700 (MST) Received: from localhost.localdomain.com (unknown [9.102.2.104]) by b03ledav002.gho.boulder.ibm.com (Postfix) with ESMTP id BF02F136040; Thu, 11 Jan 2018 05:51:17 -0700 (MST) From: Chandan Rajendra To: linux-xfs@vger.kernel.org Cc: Chandan Rajendra , hch@infradead.org, darrick.wong@oracle.com Subject: [RFC PATCH] xfs: Fix "use after free" of intent items Date: Thu, 11 Jan 2018 18:22:23 +0530 X-Mailer: git-send-email 2.9.5 X-TM-AS-GCONF: 00 x-cbid: 18011112-0028-0000-0000-000008F94881 X-IBM-SpamModules-Scores: X-IBM-SpamModules-Versions: BY=3.00008359; HX=3.00000241; KW=3.00000007; PH=3.00000004; SC=3.00000245; SDB=6.00973447; UDB=6.00493241; IPR=6.00753393; MB=3.00018979; MTD=3.00000008; XFM=3.00000015; UTC=2018-01-11 12:51:21 X-IBM-AV-DETECTION: SAVI=unused REMOTE=unused XFE=unused x-cbparentid: 18011112-0029-0000-0000-0000391772D1 Message-Id: <20180111125223.10727-1-chandan@linux.vnet.ibm.com> X-Proofpoint-Virus-Version: vendor=fsecure engine=2.50.10432:, , definitions=2018-01-11_04:, , signatures=0 X-Proofpoint-Spam-Details: rule=outbound_notspam policy=outbound score=0 priorityscore=1501 malwarescore=0 suspectscore=3 phishscore=0 bulkscore=0 spamscore=0 clxscore=1011 lowpriorityscore=0 impostorscore=0 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1709140000 definitions=main-1801110178 Sender: linux-xfs-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP generic/388 can cause the following "use after free" error to occur, ============================================================================= BUG xfs_efi_item (Not tainted): Poison overwritten ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: 0x00000000292c4bd4-0x00000000292c4bd4. First byte 0x6a instead of 0x6b INFO: Allocated in .kmem_zone_alloc+0xcc/0x190 age=79 cpu=0 pid=12436 .__slab_alloc+0x54/0x80 .kmem_cache_alloc+0x124/0x350 .kmem_zone_alloc+0xcc/0x190 .xfs_efi_init+0x48/0xf0 .xfs_extent_free_create_intent+0x40/0x130 .xfs_defer_intake_work+0x74/0x1e0 .xfs_defer_finish+0xac/0x5c0 .xfs_itruncate_extents+0x170/0x590 .xfs_inactive_truncate+0xcc/0x170 .xfs_inactive+0x1d8/0x2f0 .xfs_fs_destroy_inode+0xe4/0x3d0 .destroy_inode+0x68/0xb0 .do_unlinkat+0x1e8/0x390 system_call+0x58/0x6c INFO: Freed in .xfs_efi_item_free+0x44/0x80 age=79 cpu=0 pid=12436 .kmem_cache_free+0x120/0x2b0 .xfs_efi_item_free+0x44/0x80 .xfs_trans_free_items+0xd4/0x130 .__xfs_trans_commit+0xd0/0x350 .xfs_trans_roll+0x4c/0x90 .xfs_defer_trans_roll+0xa4/0x2b0 .xfs_defer_finish+0xb8/0x5c0 .xfs_itruncate_extents+0x170/0x590 .xfs_inactive_truncate+0xcc/0x170 .xfs_inactive+0x1d8/0x2f0 .xfs_fs_destroy_inode+0xe4/0x3d0 .destroy_inode+0x68/0xb0 .do_unlinkat+0x1e8/0x390 system_call+0x58/0x6c This happens due to the following interaction, 1. xfs_defer_finish() creates "extent free" intent item and adds it to the list at xfs_trans->t_items. 2. xfs_defer_trans_roll() invokes __xfs_trans_commit(). Here, if the XFS_MOUNT_FS_SHUTDOWN flag is set, we invoke io_unlock() operation of the corresponding log item. For "extent free" log items xfs_efi_item_unlock() gets invoked which frees the xfs_efi_log_item. 3. xfs_defer_trans_roll() then invokes xfs_defer_trans_abort(). Since the xfs_defer_pending->dfp_intent is still set to the "extent free" intent item, we invoke xfs_extent_free_abort_intent(). This accesses the previously freed xfs_efi_log_item to decrement the ref count. This commit fixes the bug by changing xfs_efi_item_unlock() to invoke xfs_efi_release() instead of xfs_efi_item_free(). The xfs_efi_log_item gets freed when xfs_extent_free_abort_intent() invokes xfs_efi_release() once again i.e. its refcount becomes zero and hence xfs_efi_item_free() is invoked. Reported-by: Christoph Hellwig Signed-off-by: Chandan Rajendra --- The above mentioned "use after free" occurs with other log items. (e.g. xfs_rui_item). If the below fix is found to be correct, I will apply it to other affected log items as well and post a new patch. fs/xfs/xfs_extfree_item.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xfs/xfs_extfree_item.c b/fs/xfs/xfs_extfree_item.c index 64da906..2119441 100644 --- a/fs/xfs/xfs_extfree_item.c +++ b/fs/xfs/xfs_extfree_item.c @@ -151,7 +151,7 @@ xfs_efi_item_unlock( struct xfs_log_item *lip) { if (lip->li_flags & XFS_LI_ABORTED) - xfs_efi_item_free(EFI_ITEM(lip)); + xfs_efi_release(EFI_ITEM(lip)); } /*