This is a note to let you know that I've just added the patch titled xfs: avoid mount-time deadlock in CoW extent recovery to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: xfs-avoid-mount-time-deadlock-in-cow-extent-recovery.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 3ecb3ac7b950ff8f6c6a61e8b7b0d6e3546429a0 Mon Sep 17 00:00:00 2001 From: "Darrick J. Wong" <darrick.wong@xxxxxxxxxx> Date: Mon, 15 May 2017 19:16:15 -0700 Subject: xfs: avoid mount-time deadlock in CoW extent recovery From: Darrick J. Wong <darrick.wong@xxxxxxxxxx> commit 3ecb3ac7b950ff8f6c6a61e8b7b0d6e3546429a0 upstream. If a malicious user corrupts the refcount btree to cause a cycle between different levels of the tree, the next mount attempt will deadlock in the CoW recovery routine while grabbing buffer locks. We can use the ability to re-grab a buffer that was previous locked to a transaction to avoid deadlocks, so do that here. Signed-off-by: Darrick J. Wong <darrick.wong@xxxxxxxxxx> Reviewed-by: Brian Foster <bfoster@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- fs/xfs/libxfs/xfs_refcount.c | 43 +++++++++++++++++++++++++++++++------------ 1 file changed, 31 insertions(+), 12 deletions(-) --- a/fs/xfs/libxfs/xfs_refcount.c +++ b/fs/xfs/libxfs/xfs_refcount.c @@ -1629,13 +1629,28 @@ xfs_refcount_recover_cow_leftovers( if (mp->m_sb.sb_agblocks >= XFS_REFC_COW_START) return -EOPNOTSUPP; - error = xfs_alloc_read_agf(mp, NULL, agno, 0, &agbp); + INIT_LIST_HEAD(&debris); + + /* + * In this first part, we use an empty transaction to gather up + * all the leftover CoW extents so that we can subsequently + * delete them. The empty transaction is used to avoid + * a buffer lock deadlock if there happens to be a loop in the + * refcountbt because we're allowed to re-grab a buffer that is + * already attached to our transaction. When we're done + * recording the CoW debris we cancel the (empty) transaction + * and everything goes away cleanly. + */ + error = xfs_trans_alloc_empty(mp, &tp); if (error) return error; - cur = xfs_refcountbt_init_cursor(mp, NULL, agbp, agno, NULL); + + error = xfs_alloc_read_agf(mp, tp, agno, 0, &agbp); + if (error) + goto out_trans; + cur = xfs_refcountbt_init_cursor(mp, tp, agbp, agno, NULL); /* Find all the leftover CoW staging extents. */ - INIT_LIST_HEAD(&debris); memset(&low, 0, sizeof(low)); memset(&high, 0, sizeof(high)); low.rc.rc_startblock = XFS_REFC_COW_START; @@ -1645,10 +1660,11 @@ xfs_refcount_recover_cow_leftovers( if (error) goto out_cursor; xfs_btree_del_cursor(cur, XFS_BTREE_NOERROR); - xfs_buf_relse(agbp); + xfs_trans_brelse(tp, agbp); + xfs_trans_cancel(tp); /* Now iterate the list to free the leftovers */ - list_for_each_entry(rr, &debris, rr_list) { + list_for_each_entry_safe(rr, n, &debris, rr_list) { /* Set up transaction. */ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_write, 0, 0, 0, &tp); if (error) @@ -1676,8 +1692,16 @@ xfs_refcount_recover_cow_leftovers( error = xfs_trans_commit(tp); if (error) goto out_free; + + list_del(&rr->rr_list); + kmem_free(rr); } + return error; +out_defer: + xfs_defer_cancel(&dfops); +out_trans: + xfs_trans_cancel(tp); out_free: /* Free the leftover list */ list_for_each_entry_safe(rr, n, &debris, rr_list) { @@ -1688,11 +1712,6 @@ out_free: out_cursor: xfs_btree_del_cursor(cur, XFS_BTREE_ERROR); - xfs_buf_relse(agbp); - goto out_free; - -out_defer: - xfs_defer_cancel(&dfops); - xfs_trans_cancel(tp); - goto out_free; + xfs_trans_brelse(tp, agbp); + goto out_trans; } Patches currently in stable-queue which might be from darrick.wong@xxxxxxxxxx are queue-4.9/xfs-fix-missed-holes-in-seek_hole-implementation.patch queue-4.9/xfs-fix-indlen-accounting-error-on-partial-delalloc-conversion.patch queue-4.9/xfs-fix-over-copying-of-getbmap-parameters-from-userspace.patch queue-4.9/xfs-bad-assertion-for-delalloc-an-extent-that-start-at-i_size.patch queue-4.9/xfs-bmapx-shouldn-t-barf-on-inline-format-directories.patch queue-4.9/xfs-drop-iolock-from-reclaim-context-to-appease-lockdep.patch queue-4.9/xfs-fix-off-by-one-on-max-nr_pages-in-xfs_find_get_desired_pgoff.patch queue-4.9/xfs-update-ag-iterator-to-support-wait-on-new-inodes.patch queue-4.9/xfs-use-dedicated-log-worker-wq-to-avoid-deadlock-with-cil-wq.patch queue-4.9/xfs-fix-up-quotacheck-buffer-list-error-handling.patch queue-4.9/xfs-wait-on-new-inodes-during-quotaoff-dquot-release.patch queue-4.9/xfs-rework-the-inline-directory-verifiers.patch queue-4.9/xfs-use-b_state-to-fix-buffer-i-o-accounting-release-race.patch queue-4.9/xfs-avoid-mount-time-deadlock-in-cow-extent-recovery.patch queue-4.9/xfs-fix-off-by-in-in-loop-termination-in-xfs_find_get_desired_pgoff.patch queue-4.9/xfs-xfs_trans_alloc_empty.patch queue-4.9/xfs-fix-integer-truncation-in-xfs_bmap_remap_alloc.patch queue-4.9/xfs-actually-report-xattr-extents-via-iomap.patch queue-4.9/xfs-fix-use-after-free-in-xfs_finish_page_writeback.patch queue-4.9/xfs-reserve-enough-blocks-to-handle-btree-splits-when-remapping.patch queue-4.9/xfs-support-ability-to-wait-on-new-inodes.patch queue-4.9/xfs-verify-inline-directory-data-forks.patch queue-4.9/xfs-prevent-multi-fsb-dir-readahead-from-reading-random-blocks.patch queue-4.9/xfs-fix-unaligned-access-in-xfs_btree_visit_blocks.patch queue-4.9/xfs-handle-array-index-overrun-in-xfs_dir2_leaf_readbuf.patch queue-4.9/xfs-fix-kernel-memory-exposure-problems.patch