Christoph Hellwig <hch@xxxxxx> writes:

> From: Jan Kara <jack@xxxxxxx>
>
> Currently we dropped freeze protection of aio writes just after IO was
> submitted. Thus aio write could be in flight while the filesystem was
> frozen and that could result in an unexpected situation like aio completion
> wanting to convert extent type on frozen filesystem. Testcase from
> Dmitry triggering this is like:
>
> for ((i=0;i<60;i++));do fsfreeze -f /mnt ;sleep 1;fsfreeze -u /mnt;done &
> fio --bs=4k --ioengine=libaio --iodepth=128 --size=1g --direct=1 \
>     --runtime=60 --filename=/mnt/file --name=rand-write --rw=randwrite
>
> Fix the problem by dropping freeze protection only once IO is completed
> in aio_complete().
>
> [hch: The above was the changelog of the original patch from Jan.
> It turns out that it fixes something even more important - a use
> after free of the file structure given that the direct I/O
> code calls fput and potentially drops the last reference to it in
> aio_complete. Together with two racing threads and a zero sized
> I/O this seems easily exploitable]
>
> Reported-by: Dmitry Monakhov <dmonakhov@xxxxxxxxxx>
> Signed-off-by: Jan Kara <jack@xxxxxxx>
> [hch: switch to use __sb_writers_acquired and file_inode(file),
> updated changelog]
> Signed-off-by: Christoph Hellwig <hch@xxxxxx>

Reviewed-by: Jeff Moyer <jmoyer@xxxxxxxxxx>