Message ID | 160031337657.3624582.4680281255744277782.stgit@magnolia (mailing list archive) |
---|---|
State | Superseded |
Series | xfs: fix inode use-after-free during log recovery | expand |
On Wed, Sep 16, 2020 at 08:29:36PM -0700, Darrick J. Wong wrote: > From: Darrick J. Wong <darrick.wong@oracle.com> > > In most places in XFS, we have a specific order in which we gather > resources: grab the inode, allocate a transaction, then lock the inode. > xfs_bui_item_recover doesn't do it in that order, so fix it to be more > consistent. This also makes the error bailout code a bit less weird. > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > --- > fs/xfs/xfs_bmap_item.c | 40 +++++++++++++++++++++------------------- > 1 file changed, 21 insertions(+), 19 deletions(-) This probably needs to go before the xfs_qm_dqattach() fix, or the dqattach fix need to come after this.... > > > diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c > index 877afe76d76a..6f589f04f358 100644 > --- a/fs/xfs/xfs_bmap_item.c > +++ b/fs/xfs/xfs_bmap_item.c > @@ -475,25 +475,26 @@ xfs_bui_item_recover( > (bmap->me_flags & ~XFS_BMAP_EXTENT_FLAGS)) > goto garbage; > > - error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, > - XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp); > - if (error) > - return error; > - > - budp = xfs_trans_get_bud(tp, buip); > - > /* Grab the inode. */ > - error = xfs_iget(mp, tp, bmap->me_owner, 0, XFS_ILOCK_EXCL, &ip); > + error = xfs_iget(mp, NULL, bmap->me_owner, 0, 0, &ip); > if (error) > - goto err_inode; > + return error; > > error = xfs_qm_dqattach(ip); > if (error) > - goto err_inode; > + goto err_rele; > > if (VFS_I(ip)->i_nlink == 0) > xfs_iflags_set(ip, XFS_IRECOVERY); > > + /* Allocate transaction and do the work. */ > + error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, > + XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp); > + if (error) > + goto err_rele; Hmmmm - don't all the error cased before we call xfs_trans_get_bud() need to release the bui? Cheers, Dave.
On Thu, Sep 17, 2020 at 03:13:33PM +1000, Dave Chinner wrote: > On Wed, Sep 16, 2020 at 08:29:36PM -0700, Darrick J. Wong wrote: > > From: Darrick J. Wong <darrick.wong@oracle.com> > > > > In most places in XFS, we have a specific order in which we gather > > resources: grab the inode, allocate a transaction, then lock the inode. > > xfs_bui_item_recover doesn't do it in that order, so fix it to be more > > consistent. This also makes the error bailout code a bit less weird. > > > > Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com> > > --- > > fs/xfs/xfs_bmap_item.c | 40 +++++++++++++++++++++------------------- > > 1 file changed, 21 insertions(+), 19 deletions(-) > > This probably needs to go before the xfs_qm_dqattach() fix, or > the dqattach fix need to come after this.... <nod> I'll fix the previous patch. > > > > diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c > > index 877afe76d76a..6f589f04f358 100644 > > --- a/fs/xfs/xfs_bmap_item.c > > +++ b/fs/xfs/xfs_bmap_item.c 
> > @@ -475,25 +475,26 @@ xfs_bui_item_recover( > > (bmap->me_flags & ~XFS_BMAP_EXTENT_FLAGS)) > > goto garbage; > > > > - error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, > > - XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp); > > - if (error) > > - return error; > > - > > - budp = xfs_trans_get_bud(tp, buip); > > - > > /* Grab the inode. */ > > - error = xfs_iget(mp, tp, bmap->me_owner, 0, XFS_ILOCK_EXCL, &ip); > > + error = xfs_iget(mp, NULL, bmap->me_owner, 0, 0, &ip); > > if (error) > > - goto err_inode; > > + return error; > > > > error = xfs_qm_dqattach(ip); > > if (error) > > - goto err_inode; > > + goto err_rele; > > > > if (VFS_I(ip)->i_nlink == 0) > > xfs_iflags_set(ip, XFS_IRECOVERY); > > > > + /* Allocate transaction and do the work. */ > > + error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate, > > + XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp); > > + if (error) > > + goto err_rele; > > Hmmmm - don't all the error cased before we call xfs_trans_get_bud() > need to release the bui? Yes, I think so. Come to think of it, the other intent items seem like they have the same bug. --D > > Cheers, > > Dave. > -- > Dave Chinner > david@fromorbit.com
diff --git a/fs/xfs/xfs_bmap_item.c b/fs/xfs/xfs_bmap_item.c
index 877afe76d76a..6f589f04f358 100644
--- a/fs/xfs/xfs_bmap_item.c
+++ b/fs/xfs/xfs_bmap_item.c
@@ -475,25 +475,26 @@ xfs_bui_item_recover(
 (bmap->me_flags & ~XFS_BMAP_EXTENT_FLAGS))
 goto garbage;
- error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate,
- XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp);
- if (error)
- return error;
-
- budp = xfs_trans_get_bud(tp, buip);
-
 /* Grab the inode. */
- error = xfs_iget(mp, tp, bmap->me_owner, 0, XFS_ILOCK_EXCL, &ip);
+ error = xfs_iget(mp, NULL, bmap->me_owner, 0, 0, &ip);
 if (error)
- goto err_inode;
+ return error;
 error = xfs_qm_dqattach(ip);
 if (error)
- goto err_inode;
+ goto err_rele;
 if (VFS_I(ip)->i_nlink == 0)
 xfs_iflags_set(ip, XFS_IRECOVERY);
+ /* Allocate transaction and do the work. */
+ error = xfs_trans_alloc(mp, &M_RES(mp)->tr_itruncate,
+ XFS_EXTENTADD_SPACE_RES(mp, XFS_DATA_FORK), 0, 0, &tp);
+ if (error)
+ goto err_rele;
+
+ budp = xfs_trans_get_bud(tp, buip);
+ xfs_ilock(ip, XFS_ILOCK_EXCL);
 xfs_trans_ijoin(tp, ip, 0);
 count = bmap->me_len;
@@ -501,7 +502,7 @@ xfs_bui_item_recover(
 whichfork, bmap->me_startoff, bmap->me_startblock,
 &count, state);
 if (error)
- goto err_inode;
+ goto err_cancel;
 if (count > 0) {
 ASSERT(bui_type == XFS_BMAP_UNMAP);
@@ -512,18 +513,19 @@ xfs_bui_item_recover(
 xfs_bmap_unmap_extent(tp, ip, &irec);
 }
+ /* Commit transaction, which frees tp. */
 error = xlog_recover_trans_commit(tp, dfcp);
+ if (error)
+ goto err_unlock;
+ return 0;
+
+err_cancel:
+ xfs_trans_cancel(tp);
+err_unlock:
 xfs_iunlock(ip, XFS_ILOCK_EXCL);
+err_rele:
 xfs_irele(ip);
 return error;
-
-err_inode:
- xfs_trans_cancel(tp);
- if (ip) {
- xfs_iunlock(ip, XFS_ILOCK_EXCL);
- xfs_irele(ip);
- }
- return error;
 garbage:
 xfs_bui_release(buip);
 return -EFSCORRUPTED;
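Review bot: The retained `/* Grab the inode. */` comment in the first hunk no longer says why `xfs_iget()` is now called with a NULL transaction and lock flags 0, which is the whole point of this reordering; a reader who sees the unlocked iget followed some lines later by `xfs_ilock(ip, XFS_ILOCK_EXCL)` may take the gap for an oversight rather than the intended lock order. Suggest replacing it with `/* Grab the inode unlocked; the ILOCK is taken only after the transaction has been reserved, matching the order used elsewhere in XFS. */`. xfs_bui_item_recover's opening lines, including the validation that ends in `goto garbage`, lie before this hunk.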
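Review bot: The new unwind ladder at the end of the third hunk (`err_cancel`, `err_unlock`, `err_rele`) depends on `xfs_trans_ijoin(tp, ip, 0)` in the first hunk joining the inode with no lock flags, so that, as far as the 0 argument indicates, neither `xfs_trans_cancel(tp)` nor the commit drops the ILOCK and the explicit `xfs_iunlock()` remains required; nothing in the code records that coupling. A comment above `err_cancel:` such as `/* Unwind in reverse order of acquisition: transaction, then ILOCK (ijoin passed 0 lock flags, so tp does not release it), then the inode reference. */` would keep a later change to the ijoin flags from turning this path into a double unlock. The added `/* Commit transaction, which frees tp. */` line is a good precedent for exactly this kind of ownership note. The function's closing brace lies after the hunk.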