| Message ID | 20210511135257.878743-2-bfoster@redhat.com (mailing list archive) |
|---|---|
| State | Superseded, archived |
| Headers | show |
| Series | xfs: fix buffer use after free on unpin abort | expand |
On Tue, May 11, 2021 at 09:52:56AM -0400, Brian Foster wrote: > The special processing used to simulate a buffer I/O failure on fs > shutdown has a difficult to reproduce race that can result in a use > after free of the associated buffer. Consider a buffer that has been > committed to the on-disk log and thus is AIL resident. The buffer > lands on the writeback delwri queue, but is subsequently locked, > committed and pinned by another transaction before submitted for > I/O. At this point, the buffer is stuck on the delwri queue as it > cannot be submitted for I/O until it is unpinned. A log checkpoint > I/O failure occurs sometime later, which aborts the bli. The unpin > handler is called with the aborted log item, drops the bli reference > count, the pin count, and falls into the I/O failure simulation > path. > > The potential problem here is that once the pin count falls to zero > in ->iop_unpin(), xfsaild is free to retry delwri submission of the > buffer at any time, before the unpin handler even completes. If > delwri queue submission wins the race to the buffer lock, it > observes the shutdown state and simulates the I/O failure itself. > This releases both the bli and delwri queue holds and frees the > buffer while xfs_buf_item_unpin() sits on xfs_buf_lock() waiting to > run through the same failure sequence. This problem is rare and > requires many iterations of fstest generic/019 (which simulates disk > I/O failures) to reproduce. > > To avoid this problem, grab a hold on the buffer before the log item > is unpinned if the associated item has been aborted and will require > a simulated I/O failure. The hold is already required for the > simulated I/O failure, so the ordering simply guarantees the unpin > handler access to the buffer before it is unpinned and thus > processed by the AIL. This particular ordering is required so long > as the AIL does not acquire a reference on the bli, which is the > long term solution to this problem. Are you working on that too, or are we just going to let that lie for the time being? :) > Signed-off-by: Brian Foster <bfoster@redhat.com> > --- > fs/xfs/xfs_buf_item.c | 37 +++++++++++++++++++++---------------- > 1 file changed, 21 insertions(+), 16 deletions(-) > > diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c > index fb69879e4b2b..7ff31788512b 100644 > --- a/fs/xfs/xfs_buf_item.c > +++ b/fs/xfs/xfs_buf_item.c > @@ -475,17 +475,8 @@ xfs_buf_item_pin( > } > > /* > - * This is called to unpin the buffer associated with the buf log > - * item which was previously pinned with a call to xfs_buf_item_pin(). > - * > - * Also drop the reference to the buf item for the current transaction. > - * If the XFS_BLI_STALE flag is set and we are the last reference, > - * then free up the buf log item and unlock the buffer. > - * > - * If the remove flag is set we are called from uncommit in the > - * forced-shutdown path. If that is true and the reference count on > - * the log item is going to drop to zero we need to free the item's > - * descriptor in the transaction. > + * This is called to unpin the buffer associated with the buf log item which > + * was previously pinned with a call to xfs_buf_item_pin(). > */ > STATIC void > xfs_buf_item_unpin( > @@ -502,12 +493,26 @@ xfs_buf_item_unpin( > > trace_xfs_buf_item_unpin(bip); > > + /* > + * Drop the bli ref associated with the pin and grab the hold required > + * for the I/O simulation failure in the abort case. We have to do this > + * before the pin count drops because the AIL doesn't acquire a bli > + * reference. Therefore if the refcount drops to zero, the bli could > + * still be AIL resident and the buffer submitted for I/O (and freed on > + * completion) at any point before we return. This can be removed once > + * the AIL properly holds a reference on the bli. > + */ > freed = atomic_dec_and_test(&bip->bli_refcount); > - > + if (freed && !stale && remove) > + xfs_buf_hold(bp); > if (atomic_dec_and_test(&bp->b_pin_count)) > wake_up_all(&bp->b_waiters); > > - if (freed && stale) { > + /* nothing to do but drop the pin count if the bli is active */ > + if (!freed) > + return; Hmm, this all seems convoluted as promised, but if I'm reading the code correctly, you're moving the buffer hold above where we wake the pincount waiters, because the AIL could be in xfs_buf_wait_unpin, holding the only reference? So if we wake it and the write is quick, the AIL's ioend will nuke the buffer before this thread (which is trying to kill a transaction and shut down the system?) gets a chance to free the buffer via _buf_ioend_fail? If I got that right, Reviewed-by: Darrick J. Wong <djwong@kernel.org> --D > + > + if (stale) { > ASSERT(bip->bli_flags & XFS_BLI_STALE); > ASSERT(xfs_buf_islocked(bp)); > ASSERT(bp->b_flags & XBF_STALE); > @@ -550,13 +555,13 @@ xfs_buf_item_unpin( > ASSERT(bp->b_log_item == NULL); > } > xfs_buf_relse(bp); > - } else if (freed && remove) { > + } else if (remove) { > /* > * The buffer must be locked and held by the caller to simulate > - * an async I/O failure. > + * an async I/O failure. We acquired the hold for this case > + * before the buffer was unpinned. > */ > xfs_buf_lock(bp); > - xfs_buf_hold(bp); > bp->b_flags |= XBF_ASYNC; > xfs_buf_ioend_fail(bp); > } > -- > 2.26.3 >
On Tue, May 11, 2021 at 06:52:44PM -0700, Darrick J. Wong wrote: > > is unpinned if the associated item has been aborted and will require > > a simulated I/O failure. The hold is already required for the > > simulated I/O failure, so the ordering simply guarantees the unpin > > handler access to the buffer before it is unpinned and thus > > processed by the AIL. This particular ordering is required so long > > as the AIL does not acquire a reference on the bli, which is the > > long term solution to this problem. > > Are you working on that too, or are we just going to let that lie for > the time being? :) Wouldn't that be as simple as something like the untested patch below? diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index fb69879e4b2b..07e08713ecd4 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -471,6 +471,7 @@ xfs_buf_item_pin( trace_xfs_buf_item_pin(bip); atomic_inc(&bip->bli_refcount); + xfs_buf_hold(bip->bli_buf); atomic_inc(&bip->bli_buf->b_pin_count); } @@ -552,14 +553,15 @@ xfs_buf_item_unpin( xfs_buf_relse(bp); } else if (freed && remove) { /* - * The buffer must be locked and held by the caller to simulate - * an async I/O failure. + * The buffer must be locked to simulate an async I/O failure. + * xfs_buf_ioend_fail will drop our buffer reference. */ xfs_buf_lock(bp); - xfs_buf_hold(bp); bp->b_flags |= XBF_ASYNC; xfs_buf_ioend_fail(bp); + return; } + xfs_buf_rele(bp); } STATIC uint
On Tue, May 11, 2021 at 06:52:44PM -0700, Darrick J. Wong wrote: > On Tue, May 11, 2021 at 09:52:56AM -0400, Brian Foster wrote: > > The special processing used to simulate a buffer I/O failure on fs > > shutdown has a difficult to reproduce race that can result in a use > > after free of the associated buffer. Consider a buffer that has been > > committed to the on-disk log and thus is AIL resident. The buffer > > lands on the writeback delwri queue, but is subsequently locked, > > committed and pinned by another transaction before submitted for > > I/O. At this point, the buffer is stuck on the delwri queue as it > > cannot be submitted for I/O until it is unpinned. A log checkpoint > > I/O failure occurs sometime later, which aborts the bli. The unpin > > handler is called with the aborted log item, drops the bli reference > > count, the pin count, and falls into the I/O failure simulation > > path. > > > > The potential problem here is that once the pin count falls to zero > > in ->iop_unpin(), xfsaild is free to retry delwri submission of the > > buffer at any time, before the unpin handler even completes. If > > delwri queue submission wins the race to the buffer lock, it > > observes the shutdown state and simulates the I/O failure itself. > > This releases both the bli and delwri queue holds and frees the > > buffer while xfs_buf_item_unpin() sits on xfs_buf_lock() waiting to > > run through the same failure sequence. This problem is rare and > > requires many iterations of fstest generic/019 (which simulates disk > > I/O failures) to reproduce. > > > > To avoid this problem, grab a hold on the buffer before the log item > > is unpinned if the associated item has been aborted and will require > > a simulated I/O failure. The hold is already required for the > > simulated I/O failure, so the ordering simply guarantees the unpin > > handler access to the buffer before it is unpinned and thus > > processed by the AIL. This particular ordering is required so long > > as the AIL does not acquire a reference on the bli, which is the > > long term solution to this problem. > > Are you working on that too, or are we just going to let that lie for > the time being? :) > It's on my todo list. I need to think about it some more to consider the functional change to the unpin code and other potential incompatibilities if the writeback completion code assumes the AIL has a reference, etc. This patch is an extremely isolated bug fix whereas the above is a bit broader of a rework to address a design flaw. I'd prefer not to conflate the two things unless absolutely necessary. > > Signed-off-by: Brian Foster <bfoster@redhat.com> > > --- > > fs/xfs/xfs_buf_item.c | 37 +++++++++++++++++++++---------------- > > 1 file changed, 21 insertions(+), 16 deletions(-) > > > > diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c > > index fb69879e4b2b..7ff31788512b 100644 > > --- a/fs/xfs/xfs_buf_item.c > > +++ b/fs/xfs/xfs_buf_item.c > > @@ -475,17 +475,8 @@ xfs_buf_item_pin( > > } > > > > /* > > - * This is called to unpin the buffer associated with the buf log > > - * item which was previously pinned with a call to xfs_buf_item_pin(). > > - * > > - * Also drop the reference to the buf item for the current transaction. > > - * If the XFS_BLI_STALE flag is set and we are the last reference, > > - * then free up the buf log item and unlock the buffer. > > - * > > - * If the remove flag is set we are called from uncommit in the > > - * forced-shutdown path. If that is true and the reference count on > > - * the log item is going to drop to zero we need to free the item's > > - * descriptor in the transaction. > > + * This is called to unpin the buffer associated with the buf log item which > > + * was previously pinned with a call to xfs_buf_item_pin(). > > */ > > STATIC void > > xfs_buf_item_unpin( > > @@ -502,12 +493,26 @@ xfs_buf_item_unpin( > > > > trace_xfs_buf_item_unpin(bip); > > > > + /* > > + * Drop the bli ref associated with the pin and grab the hold required > > + * for the I/O simulation failure in the abort case. We have to do this > > + * before the pin count drops because the AIL doesn't acquire a bli > > + * reference. Therefore if the refcount drops to zero, the bli could > > + * still be AIL resident and the buffer submitted for I/O (and freed on > > + * completion) at any point before we return. This can be removed once > > + * the AIL properly holds a reference on the bli. > > + */ > > freed = atomic_dec_and_test(&bip->bli_refcount); > > - > > + if (freed && !stale && remove) > > + xfs_buf_hold(bp); > > if (atomic_dec_and_test(&bp->b_pin_count)) > > wake_up_all(&bp->b_waiters); > > > > - if (freed && stale) { > > + /* nothing to do but drop the pin count if the bli is active */ > > + if (!freed) > > + return; > > Hmm, this all seems convoluted as promised, but if I'm reading the code > correctly, you're moving the buffer hold above where we wake the > pincount waiters, because the AIL could be in xfs_buf_wait_unpin, > holding the only reference? So if we wake it and the write is quick, > the AIL's ioend will nuke the buffer before this thread (which is trying > to kill a transaction and shut down the system?) gets a chance to > free the buffer via _buf_ioend_fail? > Mostly.. this code isn't trying to kill a transaction, it just needs to process the buffer in the event that logging it failed. The non-failure case here is that the final bli reference drops in this unpin code, but the bli reference count does not historically govern the life cycle of the bli object. Instead, the item stays around in the AIL with refcount == 0 until the buffer is eventually written back. This can only occur when xfsaild locks an unpinned buffer, so sort of by proxy (because a pin elevates bli_refcount) this allows writeback completion to explicitly free the bli. IOW, I suspect yet another potential solution to this particular problem is to check whether the item is in the AIL in the event of an unpin abort and use that to decide who actually is responsible for the bli/buffer. I've tested something along those lines in the past as well, but it's pretty much logically equivalent to this patch so I'm not sure it's worth exploring further. Brian > If I got that right, > Reviewed-by: Darrick J. Wong <djwong@kernel.org> > > --D > > > > + > > + if (stale) { > > ASSERT(bip->bli_flags & XFS_BLI_STALE); > > ASSERT(xfs_buf_islocked(bp)); > > ASSERT(bp->b_flags & XBF_STALE); > > @@ -550,13 +555,13 @@ xfs_buf_item_unpin( > > ASSERT(bp->b_log_item == NULL); > > } > > xfs_buf_relse(bp); > > - } else if (freed && remove) { > > + } else if (remove) { > > /* > > * The buffer must be locked and held by the caller to simulate > > - * an async I/O failure. > > + * an async I/O failure. We acquired the hold for this case > > + * before the buffer was unpinned. > > */ > > xfs_buf_lock(bp); > > - xfs_buf_hold(bp); > > bp->b_flags |= XBF_ASYNC; > > xfs_buf_ioend_fail(bp); > > } > > -- > > 2.26.3 > > >
On Wed, May 12, 2021 at 01:22:49PM +0100, Christoph Hellwig wrote: > On Tue, May 11, 2021 at 06:52:44PM -0700, Darrick J. Wong wrote: > > > is unpinned if the associated item has been aborted and will require > > > a simulated I/O failure. The hold is already required for the > > > simulated I/O failure, so the ordering simply guarantees the unpin > > > handler access to the buffer before it is unpinned and thus > > > processed by the AIL. This particular ordering is required so long > > > as the AIL does not acquire a reference on the bli, which is the > > > long term solution to this problem. > > > > Are you working on that too, or are we just going to let that lie for > > the time being? :) > > Wouldn't that be as simple as something like the untested patch below? > I actually think this is moderately less simple than the RFC I started with (see the cover letter for a reference) because there's really no need for a buffer hold per pin. I moved away from the RFC approach to this to 1. isolate the hold/rele cycle to the scenario where it's actually necessary (unpin abort) and 2. document the design flaw that Dave had pointed out that contributes to this problem. So point #1 means the explicit hold basically fills the gap that the bli reference count fails to cover to preserve buffer access by (AIL resident) log item processing code, and no more, whereas the RFC and the patch below are a bit more convoluted (even though the code might look simpler) in that they obscure that context. Brian > > diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c > index fb69879e4b2b..07e08713ecd4 100644 > --- a/fs/xfs/xfs_buf_item.c > +++ b/fs/xfs/xfs_buf_item.c > @@ -471,6 +471,7 @@ xfs_buf_item_pin( > trace_xfs_buf_item_pin(bip); > > atomic_inc(&bip->bli_refcount); > + xfs_buf_hold(bip->bli_buf); > atomic_inc(&bip->bli_buf->b_pin_count); > } > > @@ -552,14 +553,15 @@ xfs_buf_item_unpin( > xfs_buf_relse(bp); > } else if (freed && remove) { > /* > - * The buffer must be locked and held by the caller to simulate > - * an async I/O failure. > + * The buffer must be locked to simulate an async I/O failure. > + * xfs_buf_ioend_fail will drop our buffer reference. > */ > xfs_buf_lock(bp); > - xfs_buf_hold(bp); > bp->b_flags |= XBF_ASYNC; > xfs_buf_ioend_fail(bp); > + return; > } > + xfs_buf_rele(bp); > } > > STATIC uint >
diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index fb69879e4b2b..7ff31788512b 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -475,17 +475,8 @@ xfs_buf_item_pin( } /* - * This is called to unpin the buffer associated with the buf log - * item which was previously pinned with a call to xfs_buf_item_pin(). - * - * Also drop the reference to the buf item for the current transaction. - * If the XFS_BLI_STALE flag is set and we are the last reference, - * then free up the buf log item and unlock the buffer. - * - * If the remove flag is set we are called from uncommit in the - * forced-shutdown path. If that is true and the reference count on - * the log item is going to drop to zero we need to free the item's - * descriptor in the transaction. + * This is called to unpin the buffer associated with the buf log item which + * was previously pinned with a call to xfs_buf_item_pin(). */ STATIC void xfs_buf_item_unpin( @@ -502,12 +493,26 @@ xfs_buf_item_unpin( trace_xfs_buf_item_unpin(bip); + /* + * Drop the bli ref associated with the pin and grab the hold required + * for the I/O simulation failure in the abort case. We have to do this + * before the pin count drops because the AIL doesn't acquire a bli + * reference. Therefore if the refcount drops to zero, the bli could + * still be AIL resident and the buffer submitted for I/O (and freed on + * completion) at any point before we return. This can be removed once + * the AIL properly holds a reference on the bli. + */ freed = atomic_dec_and_test(&bip->bli_refcount); - + if (freed && !stale && remove) + xfs_buf_hold(bp); if (atomic_dec_and_test(&bp->b_pin_count)) wake_up_all(&bp->b_waiters); - if (freed && stale) { + /* nothing to do but drop the pin count if the bli is active */ + if (!freed) + return; + + if (stale) { ASSERT(bip->bli_flags & XFS_BLI_STALE); ASSERT(xfs_buf_islocked(bp)); ASSERT(bp->b_flags & XBF_STALE); @@ -550,13 +555,13 @@ xfs_buf_item_unpin( ASSERT(bp->b_log_item == NULL); } xfs_buf_relse(bp); - } else if (freed && remove) { + } else if (remove) { /* * The buffer must be locked and held by the caller to simulate - * an async I/O failure. + * an async I/O failure. We acquired the hold for this case + * before the buffer was unpinned. */ xfs_buf_lock(bp); - xfs_buf_hold(bp); bp->b_flags |= XBF_ASYNC; xfs_buf_ioend_fail(bp); }
The special processing used to simulate a buffer I/O failure on fs shutdown has a difficult to reproduce race that can result in a use after free of the associated buffer. Consider a buffer that has been committed to the on-disk log and thus is AIL resident. The buffer lands on the writeback delwri queue, but is subsequently locked, committed and pinned by another transaction before submitted for I/O. At this point, the buffer is stuck on the delwri queue as it cannot be submitted for I/O until it is unpinned. A log checkpoint I/O failure occurs sometime later, which aborts the bli. The unpin handler is called with the aborted log item, drops the bli reference count, the pin count, and falls into the I/O failure simulation path. The potential problem here is that once the pin count falls to zero in ->iop_unpin(), xfsaild is free to retry delwri submission of the buffer at any time, before the unpin handler even completes. If delwri queue submission wins the race to the buffer lock, it observes the shutdown state and simulates the I/O failure itself. This releases both the bli and delwri queue holds and frees the buffer while xfs_buf_item_unpin() sits on xfs_buf_lock() waiting to run through the same failure sequence. This problem is rare and requires many iterations of fstest generic/019 (which simulates disk I/O failures) to reproduce. To avoid this problem, grab a hold on the buffer before the log item is unpinned if the associated item has been aborted and will require a simulated I/O failure. The hold is already required for the simulated I/O failure, so the ordering simply guarantees the unpin handler access to the buffer before it is unpinned and thus processed by the AIL. This particular ordering is required so long as the AIL does not acquire a reference on the bli, which is the long term solution to this problem. Signed-off-by: Brian Foster <bfoster@redhat.com> --- fs/xfs/xfs_buf_item.c | 37 +++++++++++++++++++++---------------- 1 file changed, 21 insertions(+), 16 deletions(-)