This is a note to let you know that I've just added the patch titled
xfs: fix use-after-free on CIL context on shutdown
to the 5.4-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
xfs-fix-use-after-free-on-cil-context-on-shutdown.patch
and it can be found in the queue-5.4 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.
>From foo@baz Wed Oct 26 04:49:40 PM CEST 2022
From: Chandan Babu R <chandan.babu@xxxxxxxxxx>
Date: Wed, 26 Oct 2022 11:58:43 +0530
Subject: xfs: fix use-after-free on CIL context on shutdown
To: gregkh@xxxxxxxxxxxxxxxxxxx
Cc: sashal@xxxxxxxxxx, mcgrof@xxxxxxxxxx, linux-xfs@xxxxxxxxxxxxxxx, stable@xxxxxxxxxxxxxxx, djwong@xxxxxxxxxx, chandan.babu@xxxxxxxxxx, amir73il@xxxxxxxxx, leah.rumancik@xxxxxxxxx
Message-ID: <20221026062843.927600-27-chandan.babu@xxxxxxxxxx>
From: Dave Chinner <dchinner@xxxxxxxxxx>
commit c7f87f3984cfa1e6d32806a715f35c5947ad9c09 upstream.
xlog_wait() on the CIL context can reference a freed context if the
waiter doesn't get scheduled before the CIL context is freed. This
can happen when a task is on the hard throttle and the CIL push
aborts due to a shutdown. This was detected by generic/019:
thread 1 thread 2
__xfs_trans_commit
xfs_log_commit_cil
<CIL size over hard throttle limit>
xlog_wait
schedule
xlog_cil_push_work
wake_up_all
<shutdown aborts commit>
xlog_cil_committed
kmem_free
remove_wait_queue
spin_lock_irqsave --> UAF
Fix it by moving the wait queue to the CIL rather than keeping it in
in the CIL context that gets freed on push completion. Because the
wait queue is now independent of the CIL context and we might have
multiple contexts in flight at once, only wake the waiters on the
push throttle when the context we are pushing is over the hard
throttle size threshold.
Fixes: 0e7ab7efe7745 ("xfs: Throttle commits on delayed background CIL push")
Reported-by: Yu Kuai <yukuai3@xxxxxxxxxx>
Signed-off-by: Dave Chinner <dchinner@xxxxxxxxxx>
Reviewed-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx>
Reviewed-by: Christoph Hellwig <hch@xxxxxx>
Acked-by: Darrick J. Wong <djwong@xxxxxxxxxx>
Signed-off-by: Chandan Babu R <chandan.babu@xxxxxxxxxx>
Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
fs/xfs/xfs_log_cil.c | 10 +++++-----
fs/xfs/xfs_log_priv.h | 2 +-
2 files changed, 6 insertions(+), 6 deletions(-)
--- a/fs/xfs/xfs_log_cil.c
+++ b/fs/xfs/xfs_log_cil.c
@@ -673,7 +673,8 @@ xlog_cil_push(
/*
* Wake up any background push waiters now this context is being pushed.
*/
- wake_up_all(&ctx->push_wait);
+ if (ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log))
+ wake_up_all(&cil->xc_push_wait);
/*
* Check if we've anything to push. If there is nothing, then we don't
@@ -745,13 +746,12 @@ xlog_cil_push(
/*
* initialise the new context and attach it to the CIL. Then attach
- * the current context to the CIL committing lsit so it can be found
+ * the current context to the CIL committing list so it can be found
* during log forces to extract the commit lsn of the sequence that
* needs to be forced.
*/
INIT_LIST_HEAD(&new_ctx->committing);
INIT_LIST_HEAD(&new_ctx->busy_extents);
- init_waitqueue_head(&new_ctx->push_wait);
new_ctx->sequence = ctx->sequence + 1;
new_ctx->cil = cil;
cil->xc_ctx = new_ctx;
@@ -946,7 +946,7 @@ xlog_cil_push_background(
if (cil->xc_ctx->space_used >= XLOG_CIL_BLOCKING_SPACE_LIMIT(log)) {
trace_xfs_log_cil_wait(log, cil->xc_ctx->ticket);
ASSERT(cil->xc_ctx->space_used < log->l_logsize);
- xlog_wait(&cil->xc_ctx->push_wait, &cil->xc_push_lock);
+ xlog_wait(&cil->xc_push_wait, &cil->xc_push_lock);
return;
}
@@ -1222,12 +1222,12 @@ xlog_cil_init(
INIT_LIST_HEAD(&cil->xc_committing);
spin_lock_init(&cil->xc_cil_lock);
spin_lock_init(&cil->xc_push_lock);
+ init_waitqueue_head(&cil->xc_push_wait);
init_rwsem(&cil->xc_ctx_lock);
init_waitqueue_head(&cil->xc_commit_wait);
INIT_LIST_HEAD(&ctx->committing);
INIT_LIST_HEAD(&ctx->busy_extents);
- init_waitqueue_head(&ctx->push_wait);
ctx->sequence = 1;
ctx->cil = cil;
cil->xc_ctx = ctx;
--- a/fs/xfs/xfs_log_priv.h
+++ b/fs/xfs/xfs_log_priv.h
@@ -247,7 +247,6 @@ struct xfs_cil_ctx {
struct xfs_log_vec *lv_chain; /* logvecs being pushed */
struct list_head iclog_entry;
struct list_head committing; /* ctx committing list */
- wait_queue_head_t push_wait; /* background push throttle */
struct work_struct discard_endio_work;
};
@@ -281,6 +280,7 @@ struct xfs_cil {
wait_queue_head_t xc_commit_wait;
xfs_lsn_t xc_current_sequence;
struct work_struct xc_push_work;
+ wait_queue_head_t xc_push_wait; /* background push throttle */
} ____cacheline_aligned_in_smp;
/*
Patches currently in stable-queue which might be from chandan.babu@xxxxxxxxxx are
queue-5.4/xfs-check-owner-of-dir3-blocks.patch
queue-5.4/xfs-throttle-commits-on-delayed-background-cil-push.patch
queue-5.4/xfs-factor-common-ail-item-deletion-code.patch
queue-5.4/xfs-remove-the-xfs_dq_logitem_t-typedef.patch
queue-5.4/xfs-fix-buffer-corruption-reporting-when-xfs_dir3_free_header_check-fails.patch
queue-5.4/xfs-xfs_buf_corruption_error-should-take-__this_address.patch
queue-5.4/xfs-open-code-insert-range-extent-split-helper.patch
queue-5.4/xfs-don-t-write-a-corrupt-unmount-record-to-force-summary-counter-recalc.patch
queue-5.4/xfs-check-owner-of-dir3-data-blocks.patch
queue-5.4/xfs-factor-out-quotaoff-intent-ail-removal-and-memory-free.patch
queue-5.4/xfs-trylock-underlying-buffer-on-dquot-flush.patch
queue-5.4/xfs-remove-the-xfs_disk_dquot_t-and-xfs_dquot_t.patch
queue-5.4/xfs-add-a-function-to-deal-with-corrupt-buffers-post-verifiers.patch
queue-5.4/xfs-fix-use-after-free-on-cil-context-on-shutdown.patch
queue-5.4/xfs-tail-updates-only-need-to-occur-when-lsn-changes.patch
queue-5.4/xfs-use-scnprintf-for-avoiding-potential-buffer-overflow.patch
queue-5.4/xfs-move-inode-flush-to-the-sync-workqueue.patch
queue-5.4/xfs-lower-cil-flush-limit-for-large-logs.patch
queue-5.4/xfs-rework-collapse-range-into-an-atomic-operation.patch
queue-5.4/xfs-remove-the-xfs_qoff_logitem_t-typedef.patch
queue-5.4/xfs-fix-unmount-hang-and-memory-leak-on-shutdown-during-quotaoff.patch
queue-5.4/xfs-preserve-default-grace-interval-during-quotacheck.patch
queue-5.4/xfs-replace-function-declaration-by-actual-definition.patch
queue-5.4/xfs-rework-insert-range-into-an-atomic-operation.patch
queue-5.4/xfs-factor-out-a-new-xfs_log_force_inode-helper.patch
queue-5.4/xfs-reflink-should-force-the-log-out-if-mounted-with-wsync.patch
