[PATCH] fscache: Need to go round again after processing LRU_DISCARDING state

David Wysochanski <dwysocha@xxxxxxxxxx> wrote:

> > [  432.921382] BUG: KASAN: use-after-free in
> > fscache_unhash_cookie+0x9e/0x160 [fscache]

I think the patch below is the way to fix this.

David
---
fscache: Need to go round again after processing LRU_DISCARDING state

There's a race between the LRU discard and relinquishment actions.  In the
state machine, fscache_cookie_state_machine(), the ACTIVE state transits to
the LRU_DISCARD state in preference to transiting to the RELINQUISHING or
WITHDRAWING states.

This should be fine, but the LRU_DISCARDING state just breaks out of the
bottom of the function without going round again after transiting to the
QUIESCENT state.

However, if both LRU discard and relinquishment happen *before* the SM
runs, one of the queue events will get discarded, along with the ref that
would be associated with it.  The last ref is then discarded and the cookie
is removed without completing the relinquishment process - leaving the
cookie hashed.

The fix is to make sure that the SM always goes back around after changing
the state.

Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
---

diff --git a/fs/fscache/cookie.c b/fs/fscache/cookie.c
index d7e825d636e2..8d0769a5ee2b 100644
--- a/fs/fscache/cookie.c
+++ b/fs/fscache/cookie.c
@@ -755,7 +755,7 @@ static void fscache_cookie_state_machine(struct fscache_cookie *cookie)
 		set_bit(FSCACHE_COOKIE_NO_DATA_TO_READ, &cookie->flags);
 		__fscache_set_cookie_state(cookie, FSCACHE_COOKIE_STATE_QUIESCENT);
 		wake = true;
-		break;
+		goto again_locked;
 
 	case FSCACHE_COOKIE_STATE_DROPPED:
 		break;
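Review bot: the jump target `again_locked` is not visible in this hunk, so confirm the label exists in fscache_cookie_state_machine() and that the lock its name implies is still held at the point of the `goto`; also check that re-entering through the label does not reinitialise `wake`, since `wake = true;` is set two lines above the `goto again_locked;` and a reset on the loop path would lose the wakeup. The commit message says the SM should always go back around after changing the state, but only the LRU_DISCARDING case is changed here; any other `break;` that follows a `__fscache_set_cookie_state()` call would want the same treatment, and a one-line comment explaining why this case must loop rather than `break` would help the next reader.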

--
Linux-cachefs mailing list
Linux-cachefs@xxxxxxxxxx
https://listman.redhat.com/mailman/listinfo/linux-cachefs