From patchwork Tue Nov 14 01:53:22 2023
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454702
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Christoph Hellwig, Dave Chinner, Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 01/17] xfs: refactor buffer cancellation table allocation
Date: Mon, 13 Nov 2023 17:53:22 -0800
Message-ID: <20231114015339.3922119-2-leah.rumancik@gmail.com>
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
From: "Darrick J. Wong" [ Upstream commit 2723234923b3294dbcf6019c288c87465e927ed4 ] Move the code that allocates and frees the buffer cancellation tables used by log recovery into the file that actually uses the tables. This is a precursor to some cleanups and a memory leak fix. ( backport: dependency of 8db074bd84df5ccc88bff3f8f900f66f4b8349fa ) Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Leah Rumancik --- fs/xfs/libxfs/xfs_log_recover.h | 14 +++++----- fs/xfs/xfs_buf_item_recover.c | 47 +++++++++++++++++++++++++++++++++ fs/xfs/xfs_log_priv.h | 3 --- fs/xfs/xfs_log_recover.c | 32 +++++++--------------- 4 files changed, 64 insertions(+), 32 deletions(-) diff --git a/fs/xfs/libxfs/xfs_log_recover.h b/fs/xfs/libxfs/xfs_log_recover.h index ff69a0000817..b8b65a6e9b1e 100644 --- a/fs/xfs/libxfs/xfs_log_recover.h +++ b/fs/xfs/libxfs/xfs_log_recover.h @@ -108,12 +108,6 @@ struct xlog_recover { #define ITEM_TYPE(i) (*(unsigned short *)(i)->ri_buf[0].i_addr) -/* - * This is the number of entries in the l_buf_cancel_table used during - * recovery. - */ -#define XLOG_BC_TABLE_SIZE 64 - #define XLOG_RECOVER_CRCPASS 0 #define XLOG_RECOVER_PASS1 1 #define XLOG_RECOVER_PASS2 2 @@ -126,5 +120,13 @@ int xlog_recover_iget(struct xfs_mount *mp, xfs_ino_t ino, struct xfs_inode **ipp); void xlog_recover_release_intent(struct xlog *log, unsigned short intent_type, uint64_t intent_id); +void xlog_alloc_buf_cancel_table(struct xlog *log); +void xlog_free_buf_cancel_table(struct xlog *log); + +#ifdef DEBUG +void xlog_check_buf_cancel_table(struct xlog *log); +#else +#define xlog_check_buf_cancel_table(log) do { } while (0) +#endif #endif /* __XFS_LOG_RECOVER_H__ */ diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c index e04e44ef14c6..dc099b2f4984 100644 --- a/fs/xfs/xfs_buf_item_recover.c +++ b/fs/xfs/xfs_buf_item_recover.c 
@@ -23,6 +23,15 @@ #include "xfs_dir2.h" #include "xfs_quota.h" +/* + * This is the number of entries in the l_buf_cancel_table used during + * recovery. + */ +#define XLOG_BC_TABLE_SIZE 64 + +#define XLOG_BUF_CANCEL_BUCKET(log, blkno) \ + ((log)->l_buf_cancel_table + ((uint64_t)blkno % XLOG_BC_TABLE_SIZE)) + /* * This structure is used during recovery to record the buf log items which * have been canceled and should not be replayed. @@ -1003,3 +1012,41 @@ const struct xlog_recover_item_ops xlog_buf_item_ops = { .commit_pass1 = xlog_recover_buf_commit_pass1, .commit_pass2 = xlog_recover_buf_commit_pass2, }; + +#ifdef DEBUG +void +xlog_check_buf_cancel_table( + struct xlog *log) +{ + int i; + + for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) + ASSERT(list_empty(&log->l_buf_cancel_table[i])); +} +#endif + +void +xlog_alloc_buf_cancel_table( + struct xlog *log) +{ + int i; + + ASSERT(log->l_buf_cancel_table == NULL); + + log->l_buf_cancel_table = kmem_zalloc(XLOG_BC_TABLE_SIZE * + sizeof(struct list_head), + 0); + for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) + INIT_LIST_HEAD(&log->l_buf_cancel_table[i]); +} + +void +xlog_free_buf_cancel_table( + struct xlog *log) +{ + if (!log->l_buf_cancel_table) + return; + + kmem_free(log->l_buf_cancel_table); + log->l_buf_cancel_table = NULL; +} diff --git a/fs/xfs/xfs_log_priv.h b/fs/xfs/xfs_log_priv.h index f3d68ca39f45..03393595676f 100644 --- a/fs/xfs/xfs_log_priv.h +++ b/fs/xfs/xfs_log_priv.h @@ -454,9 +454,6 @@ struct xlog { struct rw_semaphore l_incompat_users; }; -#define XLOG_BUF_CANCEL_BUCKET(log, blkno) \ - ((log)->l_buf_cancel_table + ((uint64_t)blkno % XLOG_BC_TABLE_SIZE)) - /* * Bits for operational state */ diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 581aeb288b32..18d8eebc2d44 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -3248,7 +3248,7 @@ xlog_do_log_recovery( xfs_daddr_t head_blk, xfs_daddr_t tail_blk) { - int error, i; + int error; ASSERT(head_blk != tail_blk); 
@@ -3256,37 +3256,23 @@ xlog_do_log_recovery( * First do a pass to find all of the cancelled buf log items. * Store them in the buf_cancel_table for use in the second pass. */ - log->l_buf_cancel_table = kmem_zalloc(XLOG_BC_TABLE_SIZE * - sizeof(struct list_head), - 0); - for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) - INIT_LIST_HEAD(&log->l_buf_cancel_table[i]); + xlog_alloc_buf_cancel_table(log); error = xlog_do_recovery_pass(log, head_blk, tail_blk, XLOG_RECOVER_PASS1, NULL); - if (error != 0) { - kmem_free(log->l_buf_cancel_table); - log->l_buf_cancel_table = NULL; - return error; - } + if (error != 0) + goto out_cancel; + /* * Then do a second pass to actually recover the items in the log. * When it is complete free the table of buf cancel items. */ error = xlog_do_recovery_pass(log, head_blk, tail_blk, XLOG_RECOVER_PASS2, NULL); -#ifdef DEBUG - if (!error) { - int i; - - for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) - ASSERT(list_empty(&log->l_buf_cancel_table[i])); - } -#endif /* DEBUG */ - - kmem_free(log->l_buf_cancel_table); - log->l_buf_cancel_table = NULL; - + if (!error) + xlog_check_buf_cancel_table(log); +out_cancel: + xlog_free_buf_cancel_table(log); return error; }
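Review bot: XLOG_BUF_CANCEL_BUCKET, as moved into fs/xfs/xfs_buf_item_recover.c, casts its argument without parenthesizing it ("(uint64_t)blkno % XLOG_BC_TABLE_SIZE"), so an expression passed as blkno would have the cast applied to its first operand only; writing "(uint64_t)(blkno)" is cheap even in a pure code move. Separately, xlog_alloc_buf_cancel_table runs INIT_LIST_HEAD over log->l_buf_cancel_table without checking the kmem_zalloc result, the same as the lines removed from xlog_do_log_recovery; patch 03/17 of this series adds that check, so the two should stay together in the backport.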
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Christoph Hellwig, Dave Chinner, Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 02/17] xfs: don't leak xfs_buf_cancel structures when recovery fails
Date: Mon, 13 Nov 2023 17:53:23 -0800
Message-ID: <20231114015339.3922119-3-leah.rumancik@gmail.com>
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
From: "Darrick J. Wong" [ Upstream commit 8db074bd84df5ccc88bff3f8f900f66f4b8349fa ] If log recovery fails, we free the memory used by the buffer cancellation buckets, but we don't actually traverse each bucket list to free the individual xfs_buf_cancel objects. This leads to a memory leak, as reported by kmemleak in xfs/051: unreferenced object 0xffff888103629560 (size 32): comm "mount", pid 687045, jiffies 4296935916 (age 10.752s) hex dump (first 32 bytes): 08 d3 0a 01 00 00 00 00 08 00 00 00 01 00 00 00 ................ d0 f5 0b 92 81 88 ff ff 80 64 64 25 81 88 ff ff .........dd%.... backtrace: [] kmem_alloc+0x73/0x140 [xfs] [] xlog_recover_buf_commit_pass1+0x139/0x200 [xfs] [] xlog_recover_commit_trans+0x307/0x350 [xfs] [] xlog_recovery_process_trans+0xa5/0xe0 [xfs] [] xlog_recover_process_data+0x8d/0x140 [xfs] [] xlog_do_recovery_pass+0x19d/0x740 [xfs] [] xlog_do_log_recovery+0x6d/0x150 [xfs] [] xlog_do_recover+0x33/0x1d0 [xfs] [] xlog_recover+0xda/0x190 [xfs] [] xfs_log_mount+0x14c/0x360 [xfs] [] xfs_mountfs+0x50d/0xa60 [xfs] [] xfs_fs_fill_super+0x6a5/0x950 [xfs] [] get_tree_bdev+0x175/0x280 [] vfs_get_tree+0x1a/0x80 [] path_mount+0x6ff/0xaa0 [] __x64_sys_mount+0x103/0x140 Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Leah Rumancik --- fs/xfs/xfs_buf_item_recover.c | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c index dc099b2f4984..635f7f8ed9c2 100644 --- a/fs/xfs/xfs_buf_item_recover.c +++ b/fs/xfs/xfs_buf_item_recover.c 
@@ -1044,9 +1044,22 @@ void xlog_free_buf_cancel_table( struct xlog *log) { + int i; + if (!log->l_buf_cancel_table) return; + for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) { + struct xfs_buf_cancel *bc; + + while ((bc = list_first_entry_or_null( + &log->l_buf_cancel_table[i], + struct xfs_buf_cancel, bc_list))) { + list_del(&bc->bc_list); + kmem_free(bc); + } + } + kmem_free(log->l_buf_cancel_table); log->l_buf_cancel_table = NULL; }
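Review bot: The drain loop added to xlog_free_buf_cancel_table has no comment saying when a bucket can still hold entries. Patch 01/17 calls xlog_check_buf_cancel_table only when pass 2 returns no error, and that check asserts every bucket is empty, so the loop does real work only on the failed-recovery path described in the commit message. A one-line comment above the for loop stating that would stop a later cleanup from treating it as dead code and bringing the kmemleak report back.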
From: Leah Rumancik To: linux-xfs@vger.kernel.org Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong" , Christoph Hellwig , Dave Chinner , Dave Chinner , Leah Rumancik Subject: [PATCH 5.15 CANDIDATE 03/17] xfs: convert buf_cancel_table allocation to kmalloc_array Date: Mon, 13 Nov 2023 17:53:24 -0800 Message-ID: <20231114015339.3922119-4-leah.rumancik@gmail.com> X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com> References: <20231114015339.3922119-1-leah.rumancik@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org From: "Darrick J. Wong" [ Upstream commit 910bbdf2f4d7df46781bc9b723048f5ebed3d0d7 ] While we're messing around with how recovery allocates and frees the buffer cancellation table, convert the allocation to use kmalloc_array instead of the old kmem_alloc APIs, and make it handle a null return, even though that's not likely. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Reviewed-by: Dave Chinner Signed-off-by: Dave Chinner Signed-off-by: Leah Rumancik --- fs/xfs/libxfs/xfs_log_recover.h | 2 +- fs/xfs/xfs_buf_item_recover.c | 14 ++++++++++---- fs/xfs/xfs_log_recover.c | 4 +++- 3 files changed, 14 insertions(+), 6 deletions(-) diff --git a/fs/xfs/libxfs/xfs_log_recover.h b/fs/xfs/libxfs/xfs_log_recover.h index b8b65a6e9b1e..81a065b0b571 100644 --- a/fs/xfs/libxfs/xfs_log_recover.h +++ b/fs/xfs/libxfs/xfs_log_recover.h @@ -120,7 +120,7 @@ int xlog_recover_iget(struct xfs_mount *mp, xfs_ino_t ino, struct xfs_inode **ipp); void xlog_recover_release_intent(struct xlog *log, unsigned short intent_type, uint64_t intent_id); -void xlog_alloc_buf_cancel_table(struct xlog *log); +int xlog_alloc_buf_cancel_table(struct xlog *log); void xlog_free_buf_cancel_table(struct xlog *log); #ifdef DEBUG 
diff --git a/fs/xfs/xfs_buf_item_recover.c b/fs/xfs/xfs_buf_item_recover.c index 635f7f8ed9c2..31cbe7deebfa 100644 --- a/fs/xfs/xfs_buf_item_recover.c +++ b/fs/xfs/xfs_buf_item_recover.c @@ -1025,19 +1025,25 @@ xlog_check_buf_cancel_table( } #endif -void +int xlog_alloc_buf_cancel_table( struct xlog *log) { + void *p; int i; ASSERT(log->l_buf_cancel_table == NULL); - log->l_buf_cancel_table = kmem_zalloc(XLOG_BC_TABLE_SIZE * - sizeof(struct list_head), - 0); + p = kmalloc_array(XLOG_BC_TABLE_SIZE, sizeof(struct list_head), + GFP_KERNEL); + if (!p) + return -ENOMEM; + + log->l_buf_cancel_table = p; for (i = 0; i < XLOG_BC_TABLE_SIZE; i++) INIT_LIST_HEAD(&log->l_buf_cancel_table[i]); + + return 0; } void diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 18d8eebc2d44..aeb01d4c0423 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c 
@@ -3256,7 +3256,9 @@ xlog_do_log_recovery( * First do a pass to find all of the cancelled buf log items. * Store them in the buf_cancel_table for use in the second pass. */ - xlog_alloc_buf_cancel_table(log); + error = xlog_alloc_buf_cancel_table(log); + if (error) + return error; error = xlog_do_recovery_pass(log, head_blk, tail_blk, XLOG_RECOVER_PASS1, NULL);
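Review bot: kmalloc_array in xlog_alloc_buf_cancel_table does not zero the allocation, unlike the kmem_zalloc call it replaces, and the commit message does not mention that. It is safe as written only because the loop that follows runs INIT_LIST_HEAD over all XLOG_BC_TABLE_SIZE entries before the table is used; a short comment to that effect, or a zeroing allocator, would keep the table from being exposed uninitialized if the loop is ever changed. The early "return error" in xlog_do_log_recovery is fine where it stands, since nothing has been allocated yet and out_cancel would have nothing to free.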
From: Leah Rumancik To: linux-xfs@vger.kernel.org Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Kaixu Xia , Dave Chinner , "Darrick J . Wong" , Leah Rumancik Subject: [PATCH 5.15 CANDIDATE 04/17] xfs: use invalidate_lock to check the state of mmap_lock Date: Mon, 13 Nov 2023 17:53:25 -0800 Message-ID: <20231114015339.3922119-5-leah.rumancik@gmail.com> X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com> References: <20231114015339.3922119-1-leah.rumancik@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org From: Kaixu Xia [ Upstream commit 82af88063961da9425924d9aec3fb67a4ebade3e ] We should use invalidate_lock and XFS_MMAPLOCK_SHARED to check the state of mmap_lock rw_semaphore in xfs_isilocked(), rather than i_rwsem and XFS_IOLOCK_SHARED. Fixes: 2433480a7e1d ("xfs: Convert to use invalidate_lock") Signed-off-by: Kaixu Xia Reviewed-by: Dave Chinner Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Leah Rumancik --- fs/xfs/xfs_inode.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/fs/xfs/xfs_inode.c b/fs/xfs/xfs_inode.c index b2ea85318214..df64b902842d 100644 --- a/fs/xfs/xfs_inode.c +++ b/fs/xfs/xfs_inode.c 
@@ -378,8 +378,8 @@ xfs_isilocked( } if (lock_flags & (XFS_MMAPLOCK_EXCL|XFS_MMAPLOCK_SHARED)) { - return __xfs_rwsem_islocked(&VFS_I(ip)->i_rwsem, - (lock_flags & XFS_IOLOCK_SHARED)); + return __xfs_rwsem_islocked(&VFS_I(ip)->i_mapping->invalidate_lock, + (lock_flags & XFS_MMAPLOCK_SHARED)); } if (lock_flags & (XFS_IOLOCK_EXCL | XFS_IOLOCK_SHARED)) {
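Review bot: The replacement line in xfs_isilocked dereferences i_mapping->invalidate_lock, so this backport is only correct on a tree that already carries the commit named in the Fixes: tag (2433480a7e1d, "xfs: Convert to use invalidate_lock"); the cover note for the 5.15 candidate set should say that this was confirmed. As a style point on the same branch, the unchanged condition uses "XFS_MMAPLOCK_EXCL|XFS_MMAPLOCK_SHARED" without spaces around the operator while the IOLOCK test just below has them; that could be aligned upstream, not in the backport.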
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 05/17] xfs: prevent a UAF when log IO errors race with unmount
Date: Mon, 13 Nov 2023 17:53:26 -0800
Message-ID: <20231114015339.3922119-6-leah.rumancik@gmail.com>
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
From: "Darrick J. Wong" [ Upstream commit 7561cea5dbb97fecb952548a0fb74fb105bf4664 ] KASAN reported the following use after free bug when running generic/475: XFS (dm-0): Mounting V5 Filesystem XFS (dm-0): Starting recovery (logdev: internal) XFS (dm-0): Ending recovery (logdev: internal) Buffer I/O error on dev dm-0, logical block 20639616, async page read Buffer I/O error on dev dm-0, logical block 20639617, async page read XFS (dm-0): log I/O error -5 XFS (dm-0): Filesystem has been shut down due to log error (0x2). XFS (dm-0): Unmounting Filesystem XFS (dm-0): Please unmount the filesystem and rectify the problem(s). ================================================================== BUG: KASAN: use-after-free in do_raw_spin_lock+0x246/0x270 Read of size 4 at addr ffff888109dd84c4 by task 3:1H/136 CPU: 3 PID: 136 Comm: 3:1H Not tainted 5.19.0-rc4-xfsx #rc4 8e53ab5ad0fddeb31cee5e7063ff9c361915a9c4 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014 Workqueue: xfs-log/dm-0 xlog_ioend_work [xfs] Call Trace: dump_stack_lvl+0x34/0x44 print_report.cold+0x2b8/0x661 ? do_raw_spin_lock+0x246/0x270 kasan_report+0xab/0x120 ? do_raw_spin_lock+0x246/0x270 do_raw_spin_lock+0x246/0x270 ? rwlock_bug.part.0+0x90/0x90 xlog_force_shutdown+0xf6/0x370 [xfs 4ad76ae0d6add7e8183a553e624c31e9ed567318] xlog_ioend_work+0x100/0x190 [xfs 4ad76ae0d6add7e8183a553e624c31e9ed567318] process_one_work+0x672/0x1040 worker_thread+0x59b/0xec0 ? __kthread_parkme+0xc6/0x1f0 ? process_one_work+0x1040/0x1040 ? process_one_work+0x1040/0x1040 kthread+0x29e/0x340 ? 
kthread_complete_and_exit+0x20/0x20 ret_from_fork+0x1f/0x30 Allocated by task 154099: kasan_save_stack+0x1e/0x40 __kasan_kmalloc+0x81/0xa0 kmem_alloc+0x8d/0x2e0 [xfs] xlog_cil_init+0x1f/0x540 [xfs] xlog_alloc_log+0xd1e/0x1260 [xfs] xfs_log_mount+0xba/0x640 [xfs] xfs_mountfs+0xf2b/0x1d00 [xfs] xfs_fs_fill_super+0x10af/0x1910 [xfs] get_tree_bdev+0x383/0x670 vfs_get_tree+0x7d/0x240 path_mount+0xdb7/0x1890 __x64_sys_mount+0x1fa/0x270 do_syscall_64+0x2b/0x80 entry_SYSCALL_64_after_hwframe+0x46/0xb0 Freed by task 154151: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_set_free_info+0x20/0x30 ____kasan_slab_free+0x110/0x190 slab_free_freelist_hook+0xab/0x180 kfree+0xbc/0x310 xlog_dealloc_log+0x1b/0x2b0 [xfs] xfs_unmountfs+0x119/0x200 [xfs] xfs_fs_put_super+0x6e/0x2e0 [xfs] generic_shutdown_super+0x12b/0x3a0 kill_block_super+0x95/0xd0 deactivate_locked_super+0x80/0x130 cleanup_mnt+0x329/0x4d0 task_work_run+0xc5/0x160 exit_to_user_mode_prepare+0xd4/0xe0 syscall_exit_to_user_mode+0x1d/0x40 entry_SYSCALL_64_after_hwframe+0x46/0xb0 This appears to be a race between the unmount process, which frees the CIL and waits for in-flight iclog IO; and the iclog IO completion. When generic/475 runs, it starts fsstress in the background, waits a few seconds, and substitutes a dm-error device to simulate a disk falling out of a machine. If the fsstress encounters EIO on a pure data write, it will exit but the filesystem will still be online. The next thing the test does is unmount the filesystem, which tries to clean the log, free the CIL, and wait for iclog IO completion. If an iclog was being written when the dm-error switch occurred, it can race with log unmounting as follows: Thread 1 Thread 2 xfs_log_unmount xfs_log_clean xfs_log_quiesce xlog_ioend_work xlog_force_shutdown test_and_set_bit(XLOG_IOERROR) xfs_log_force xfs_log_umount_write xlog_dealloc_log xlog_cil_destroy spin_lock(&log->l_cilp->xc_push_lock) Therefore, free the CIL after waiting for the iclogs to complete. 
I /think/ this race has existed for quite a few years now, though I don't remember the ~2014 era logging code well enough to know if it was a real threat then or if the actual race was exposed only more recently.

Fixes: ac983517ec59 ("xfs: don't sleep in xlog_cil_force_lsn on shutdown")
Signed-off-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Signed-off-by: Leah Rumancik
---
 fs/xfs/xfs_log.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/xfs/xfs_log.c b/fs/xfs/xfs_log.c index 0fb7d05ca308..eba295f666ac 100644 --- a/fs/xfs/xfs_log.c +++ b/fs/xfs/xfs_log.c @@ -2061,8 +2061,6 @@ xlog_dealloc_log( xlog_in_core_t *iclog, *next_iclog; int i; - xlog_cil_destroy(log); - /* * Cycle all the iclogbuf locks to make sure all log IO completion * is done before we tear down these buffers. 
@@ -2074,6 +2072,13 @@ xlog_dealloc_log( iclog = iclog->ic_next; } + /* + * Destroy the CIL after waiting for iclog IO completion because an + * iclog EIO error will try to shut down the log, which accesses the + * CIL to wake up the waiters. + */ + xlog_cil_destroy(log); + iclog = log->l_iclog; for (i = 0; i < log->l_iclog_bufs; i++) { next_iclog = iclog->ic_next;

From patchwork Tue Nov 14 01:53:27 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454706
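Review bot: In the @@ -2074,6 +2072,13 @@ hunk of xlog_dealloc_log(), the relocated xlog_cil_destroy(log) is correct only because it now sits after the loop that cycles the iclog locks, and the new comment describes that dependency in general terms without naming what is touched. Consider having the comment name the lock the completion side takes (the commit message shows spin_lock(&log->l_cilp->xc_push_lock) on the xlog_ioend_work side) so the ordering constraint can be found from either end and is not undone by a later reshuffle of the teardown. For the 5.15 backport, also confirm that ac983517ec59 from the Fixes: tag is in the target tree, since the diff does not show the shutdown path that reaches the CIL.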
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Zhang Yi, Dave Chinner, "Darrick J . Wong", Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 06/17] xfs: flush inode gc workqueue before clearing agi bucket
Date: Mon, 13 Nov 2023 17:53:27 -0800
Message-ID: <20231114015339.3922119-7-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-xfs@vger.kernel.org

From: Zhang Yi

[ Upstream commit 04a98a036cf8b810dda172a9dcfcbd783bf63655 ]

In the procedure of recovering AGI unlinked lists, if something bad happens on one of the unlinked inodes in the bucket list, we would call xlog_recover_clear_agi_bucket() to clear the whole unlinked bucket list, not the unlinked inodes after the bad one. If we have already added some inodes to the gc workqueue before the bad inode in the list, we could get the below error when freeing those inodes, and finally fail to complete the log recovery procedure.

  XFS (ram0): Internal error xfs_iunlink_remove at line 2456 of file fs/xfs/xfs_inode.c. Caller xfs_ifree+0xb0/0x360 [xfs]

The problem is that xlog_recover_clear_agi_bucket() clears the bucket list, so the gc worker fails to check the agino in xfs_verify_agino(). Fix this by flushing the workqueue before clearing the bucket.

Fixes: ab23a7768739 ("xfs: per-cpu deferred inode inactivation queues")
Signed-off-by: Zhang Yi
Reviewed-by: Dave Chinner
Reviewed-by: Darrick J. Wong
Signed-off-by: Dave Chinner
Signed-off-by: Leah Rumancik
---
 fs/xfs/xfs_log_recover.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index aeb01d4c0423..04961ebf16ea 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c 
@@ -2739,6 +2739,7 @@ xlog_recover_process_one_iunlink( * Call xlog_recover_clear_agi_bucket() to perform a transaction to * clear the inode pointer in the bucket. */ + xfs_inodegc_flush(mp); xlog_recover_clear_agi_bucket(mp, agno, bucket); return NULLAGINO; }

From patchwork Tue Nov 14 01:53:28 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454708
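Review bot: In xlog_recover_process_one_iunlink(), the added xfs_inodegc_flush(mp) lands directly under the existing comment, which still describes only xlog_recover_clear_agi_bucket(), so the reason for the flush lives only in the commit message. Extend the comment to say that inodes already queued to the gc workqueue from this bucket must be processed before the bucket is cleared, otherwise freeing them fails in xfs_iunlink_remove. Because the flush waits for the workers, please also state in the changelog that nothing held at this point in recovery is needed by the inodegc worker.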
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", hch@lst.de, kernel test robot, Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 07/17] xfs: fix use-after-free in xattr node block inactivation
Date: Mon, 13 Nov 2023 17:53:28 -0800
Message-ID: <20231114015339.3922119-8-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-xfs@vger.kernel.org
From: "Darrick J. Wong"

[ Upstream commit 95ff0363f3f6ae70c21a0f2b0603e54438e5988b ]

The kernel build robot reported a UAF error while running xfs/433 (edited somewhat for brevity):

  BUG: KASAN: use-after-free in xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:214) xfs
  Read of size 4 at addr ffff88820ac2bd44 by task kworker/0:2/139

  CPU: 0 PID: 139 Comm: kworker/0:2 Tainted: G S 5.19.0-rc2-00004-g7cf2b0f9611b #1
  Hardware name: Hewlett-Packard p6-1451cx/2ADA, BIOS 8.15 02/05/2013
  Workqueue: xfs-inodegc/sdb4 xfs_inodegc_worker [xfs]
  Call Trace:
    dump_stack_lvl (lib/dump_stack.c:107 (discriminator 1))
    print_address_description+0x1f/0x200
    print_report.cold (mm/kasan/report.c:430)
    kasan_report (mm/kasan/report.c:162 mm/kasan/report.c:493)
    xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:214) xfs
    xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:296) xfs
    xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
    xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
    xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
    process_one_work
    worker_thread
    kthread
    ret_from_fork

  Allocated by task 139:
    kasan_save_stack (mm/kasan/common.c:39)
    __kasan_slab_alloc (mm/kasan/common.c:45 mm/kasan/common.c:436 mm/kasan/common.c:469)
    kmem_cache_alloc (mm/slab.h:750 mm/slub.c:3214 mm/slub.c:3222 mm/slub.c:3229 mm/slub.c:3239)
    _xfs_buf_alloc (include/linux/instrumented.h:86 include/linux/atomic/atomic-instrumented.h:41 fs/xfs/xfs_buf.c:232) xfs
    xfs_buf_get_map (fs/xfs/xfs_buf.c:660) xfs
    xfs_buf_read_map (fs/xfs/xfs_buf.c:777) xfs
    xfs_trans_read_buf_map (fs/xfs/xfs_trans_buf.c:289) xfs
    xfs_da_read_buf (fs/xfs/libxfs/xfs_da_btree.c:2652) xfs
    xfs_da3_node_read (fs/xfs/libxfs/xfs_da_btree.c:392) xfs
    xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:272) xfs
    xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
    xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
    xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
    process_one_work
    worker_thread
    kthread
    ret_from_fork
  Freed by task 139:
    kasan_save_stack (mm/kasan/common.c:39)
    kasan_set_track (mm/kasan/common.c:45)
    kasan_set_free_info (mm/kasan/generic.c:372)
    __kasan_slab_free (mm/kasan/common.c:368 mm/kasan/common.c:328 mm/kasan/common.c:374)
    kmem_cache_free (mm/slub.c:1753 mm/slub.c:3507 mm/slub.c:3524)
    xfs_buf_rele (fs/xfs/xfs_buf.c:1040) xfs
    xfs_attr3_node_inactive (fs/xfs/xfs_attr_inactive.c:210) xfs
    xfs_attr3_root_inactive (fs/xfs/xfs_attr_inactive.c:296) xfs
    xfs_attr_inactive (fs/xfs/xfs_attr_inactive.c:371) xfs
    xfs_inactive (fs/xfs/xfs_inode.c:1781) xfs
    xfs_inodegc_worker (fs/xfs/xfs_icache.c:1837 fs/xfs/xfs_icache.c:1860) xfs
    process_one_work
    worker_thread
    kthread
    ret_from_fork

I reproduced this for my own satisfaction, and got the same report, along with an extra morsel:

  The buggy address belongs to the object at ffff88802103a800
   which belongs to the cache xfs_buf of size 432
  The buggy address is located 396 bytes inside of
   432-byte region [ffff88802103a800, ffff88802103a9b0)

I tracked this code down to:

	error = xfs_trans_get_buf(*trans, mp->m_ddev_targp,
			child_blkno,
			XFS_FSB_TO_BB(mp, mp->m_attr_geo->fsbcount), 0,
			&child_bp);
	if (error)
		return error;
	error = bp->b_error;

That doesn't look right -- I think this should be dereferencing child_bp, not bp. Looking through the codebase history, I think this was added by commit 2911edb653b9 ("xfs: remove the mappedbno argument to xfs_da_get_buf"), which replaced a call to xfs_da_get_buf with the current call to xfs_trans_get_buf. Not sure why we trans_brelse'd @bp earlier in the function, but I'm guessing it's to avoid pinning too many buffers in memory while we inactivate the bottom of the attr tree. Hence we now have to get the buffer back.

I /think/ this was supposed to check child_bp->b_error and fail the rest of the invalidation if child_bp had experienced any kind of IO or corruption error.
I bet the xfs_da3_node_read earlier in the loop will catch most cases of incoming on-disk corruption which makes this check mostly moot unless someone corrupts the buffer and the AIL pushes it out to disk while the buffer's unlocked.

In the first case we'll never get to the bad check, and in the second case the AIL will shut down the log, at which point there's no reason to check b_error. Remove the check, and null out @bp to avoid this problem in the future.

Cc: hch@lst.de
Reported-by: kernel test robot
Fixes: 2911edb653b9 ("xfs: remove the mappedbno argument to xfs_da_get_buf")
Signed-off-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Reviewed-by: Christoph Hellwig
Signed-off-by: Leah Rumancik
---
 fs/xfs/xfs_attr_inactive.c | 8 +++-----
 1 file changed, 3 insertions(+), 5 deletions(-)

diff --git a/fs/xfs/xfs_attr_inactive.c b/fs/xfs/xfs_attr_inactive.c index 2b5da6218977..2afa6d9a7f8f 100644 --- a/fs/xfs/xfs_attr_inactive.c +++ b/fs/xfs/xfs_attr_inactive.c @@ -158,6 +158,7 @@ xfs_attr3_node_inactive( } child_fsb = be32_to_cpu(ichdr.btree[0].before); xfs_trans_brelse(*trans, bp); /* no locks for later trans */ + bp = NULL; /* * If this is the node level just above the leaves, simply loop @@ -211,12 +212,8 @@ xfs_attr3_node_inactive( &child_bp); if (error) return error; - error = bp->b_error; - if (error) { - xfs_trans_brelse(*trans, child_bp); - return error; - } xfs_trans_binval(*trans, child_bp); + child_bp = NULL; /* * If we're not done, re-read the parent to get the next 
@@ -233,6 +230,7 @@ xfs_attr3_node_inactive( bp->b_addr); child_fsb = be32_to_cpu(phdr.btree[i + 1].before); xfs_trans_brelse(*trans, bp); + bp = NULL; } /* * Atomically commit the whole invalidate stuff.

From patchwork Tue Nov 14 01:53:29 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454710
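Review bot: In the @@ -211,12 +212,8 @@ hunk of xfs_attr3_node_inactive(), the stale read of bp->b_error is deleted outright rather than redirected to child_bp, so the error state of the buffer returned by xfs_trans_get_buf() is no longer examined before xfs_trans_binval(*trans, child_bp). The commit message argues the check was mostly moot, but none of that reasoning is visible in the code; a one-line comment at this spot saying that child_bp->b_error is deliberately not checked would keep someone from re-adding the test, possibly against the wrong buffer again. The NULL assignments after xfs_trans_brelse() and xfs_trans_binval() in all three hunks are a sound hardening step, since any later use of a released pointer now faults at once instead of reading freed memory.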
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 08/17] xfs: don't leak memory when attr fork loading fails
Date: Mon, 13 Nov 2023 17:53:29 -0800
Message-ID: <20231114015339.3922119-9-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-xfs@vger.kernel.org
From: "Darrick J. Wong"

[ Upstream commit c78c2d0903183a41beb90c56a923e30f90fa91b9 ]

I observed the following evidence of a memory leak while running xfs/399 from the xfs fsck test suite (edited for brevity):

  XFS (sde): Metadata corruption detected at xfs_attr_shortform_verify_struct.part.0+0x7b/0xb0 [xfs], inode 0x1172 attr fork
  XFS: Assertion failed: ip->i_af.if_u1.if_data == NULL, file: fs/xfs/libxfs/xfs_inode_fork.c, line: 315
  ------------[ cut here ]------------
  WARNING: CPU: 2 PID: 91635 at fs/xfs/xfs_message.c:104 assfail+0x46/0x4a [xfs]
  CPU: 2 PID: 91635 Comm: xfs_scrub Tainted: G W 5.19.0-rc7-xfsx #rc7 6e6475eb29fd9dda3181f81b7ca7ff961d277a40
  Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
  RIP: 0010:assfail+0x46/0x4a [xfs]
  Call Trace:
    xfs_ifork_zap_attr+0x7c/0xb0
    xfs_iformat_attr_fork+0x86/0x110
    xfs_inode_from_disk+0x41d/0x480
    xfs_iget+0x389/0xd70
    xfs_bulkstat_one_int+0x5b/0x540
    xfs_bulkstat_iwalk+0x1e/0x30
    xfs_iwalk_ag_recs+0xd1/0x160
    xfs_iwalk_run_callbacks+0xb9/0x180
    xfs_iwalk_ag+0x1d8/0x2e0
    xfs_iwalk+0x141/0x220
    xfs_bulkstat+0x105/0x180
    xfs_ioc_bulkstat.constprop.0.isra.0+0xc5/0x130
    xfs_file_ioctl+0xa5f/0xef0
    __x64_sys_ioctl+0x82/0xa0
    do_syscall_64+0x2b/0x80
    entry_SYSCALL_64_after_hwframe+0x46/0xb0

This newly-added assertion checks that there aren't any incore data structures hanging off the incore fork when we're trying to reset its contents. From the call trace, it is evident that iget was trying to construct an incore inode from the ondisk inode, but the attr fork verifier failed and we were trying to undo all the memory allocations that we had done earlier.

The three assertions in xfs_ifork_zap_attr check that the caller has already called xfs_idestroy_fork, which clearly has not been done here. As the zap function then zeroes the pointers, we've effectively leaked the memory.
The shortest change would have been to insert an extra call to xfs_idestroy_fork, but it makes more sense to bundle the _idestroy_fork call into _zap_attr, since all other callsites call _idestroy_fork immediately prior to calling _zap_attr. IOWs, it eliminates one way to fail.

Note: This change only applies cleanly to 2ed5b09b3e8f, since we just reworked the attr fork lifetime. However, I think this memory leak has existed since 0f45a1b20cd8, since the chain xfs_iformat_attr_fork -> xfs_iformat_local -> xfs_init_local_fork will allocate ifp->if_u1.if_data, but if xfs_ifork_verify_local_attr fails, xfs_iformat_attr_fork will free i_afp without freeing any of the stuff hanging off i_afp. The solution for older kernels I think is to add the missing call to xfs_idestroy_fork just prior to calling kmem_cache_free.

Found by fuzzing a.sfattr.hdr.totsize = lastbit in xfs/399.

[ backport note: did not include refactoring of xfs_idestroy_fork into xfs_ifork_zap_attr, simply added the missing call as suggested in the commit for backports ]

Fixes: 2ed5b09b3e8f ("xfs: make inode attribute forks a permanent part of struct xfs_inode")
Probably-Fixes: 0f45a1b20cd8 ("xfs: improve local fork verification")
Signed-off-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Signed-off-by: Leah Rumancik
---
 fs/xfs/libxfs/xfs_inode_fork.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/xfs/libxfs/xfs_inode_fork.c b/fs/xfs/libxfs/xfs_inode_fork.c index 20095233d7bc..c1f965af8432 100644 --- a/fs/xfs/libxfs/xfs_inode_fork.c +++ b/fs/xfs/libxfs/xfs_inode_fork.c 
@@ -330,6 +330,7 @@ xfs_iformat_attr_fork( } if (error) { + xfs_idestroy_fork(ip->i_afp); kmem_cache_free(xfs_ifork_zone, ip->i_afp); ip->i_afp = NULL; }

From patchwork Tue Nov 14 01:53:30 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454709
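Review bot: In the error branch of xfs_iformat_attr_fork(), xfs_idestroy_fork(ip->i_afp) now runs for every failure that sets error, not only the local-format verifier failure described in the commit message, so it has to be safe on a fork whose format-specific setup never allocated anything. Please confirm that for each path that can reach this branch. A short comment marking this as the backport form of the fix (the backport note says the upstream change folded the call into xfs_ifork_zap_attr instead) would also help a later stable merge avoid ending up with both.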
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, ChenXiaoSong, Guo Xuenan, "Darrick J . Wong", Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 09/17] xfs: fix NULL pointer dereference in xfs_getbmap()
Date: Mon, 13 Nov 2023 17:53:30 -0800
Message-ID: <20231114015339.3922119-10-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-xfs@vger.kernel.org
From: ChenXiaoSong

[ Upstream commit 001c179c4e26d04db8c9f5e3fef9558b58356be6 ]

Reproducer:
 1. fallocate -l 100M image
 2. mkfs.xfs -f image
 3. mount image /mnt
 4. setxattr("/mnt", "trusted.overlay.upper", NULL, 0, XATTR_CREATE)
 5. char arg[32] = "\x01\xff\x00\x00\x00\x00\x03\x00\x00\x00\x00\x00\x00"
                   "\x00\x00\x00\x00\x00\x08\x00\x00\x00\xc6\x2a\xf7";
    fd = open("/mnt", O_RDONLY|O_DIRECTORY);
    ioctl(fd, _IOC(_IOC_READ|_IOC_WRITE, 0x58, 0x2c, 0x20), arg);

A NULL pointer dereference will occur when a race happens between xfs_getbmap() and xfs_bmap_set_attrforkoff():

 ioctl                       | setxattr
 ----------------------------|---------------------------
 xfs_getbmap                 |
 xfs_ifork_ptr               |
 xfs_inode_has_attr_fork     |
 ip->i_forkoff == 0          |
 return NULL                 |
 ifp == NULL                 |
                             | xfs_bmap_set_attrforkoff
                             | ip->i_forkoff > 0
 xfs_inode_has_attr_fork     |
 ip->i_forkoff > 0           |
 ifp == NULL                 |
 ifp->if_format              |

Fix this by locking i_lock before xfs_ifork_ptr().

Fixes: abbf9e8a4507 ("xfs: rewrite getbmap using the xfs_iext_* helpers")
Signed-off-by: ChenXiaoSong
Signed-off-by: Guo Xuenan
Reviewed-by: Darrick J. Wong
[djwong: added fixes tag]
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
---
 fs/xfs/xfs_bmap_util.c | 17 +++++++++--------
 1 file changed, 9 insertions(+), 8 deletions(-)

diff --git a/fs/xfs/xfs_bmap_util.c b/fs/xfs/xfs_bmap_util.c index fd2ad6a3019c..bea6cc26abf9 100644 --- a/fs/xfs/xfs_bmap_util.c +++ b/fs/xfs/xfs_bmap_util.c 
@@ -439,29 +439,28 @@ xfs_getbmap( whichfork = XFS_COW_FORK; else whichfork = XFS_DATA_FORK; - ifp = XFS_IFORK_PTR(ip, whichfork); xfs_ilock(ip, XFS_IOLOCK_SHARED); switch (whichfork) { case XFS_ATTR_FORK: + lock = xfs_ilock_attr_map_shared(ip); if (!XFS_IFORK_Q(ip)) - goto out_unlock_iolock; + goto out_unlock_ilock; max_len = 1LL << 32; - lock = xfs_ilock_attr_map_shared(ip); break; case XFS_COW_FORK: + lock = XFS_ILOCK_SHARED; + xfs_ilock(ip, lock); + /* No CoW fork? Just return */ - if (!ifp) - goto out_unlock_iolock; + if (!XFS_IFORK_PTR(ip, whichfork)) + goto out_unlock_ilock; if (xfs_get_cowextsz_hint(ip)) max_len = mp->m_super->s_maxbytes; else max_len = XFS_ISIZE(ip); - - lock = XFS_ILOCK_SHARED; - xfs_ilock(ip, lock); break; case XFS_DATA_FORK: if (!(iflags & BMV_IF_DELALLOC) && 
@@ -491,6 +490,8 @@ xfs_getbmap( break; } + ifp = XFS_IFORK_PTR(ip, whichfork); + switch (ifp->if_format) { case XFS_DINODE_FMT_EXTENTS: case XFS_DINODE_FMT_BTREE:

From patchwork Tue Nov 14 01:53:31 2023
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Leah Rumancik
X-Patchwork-Id: 13454711
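Review bot: In the @@ -491,6 +490,8 @@ hunk of xfs_getbmap(), ifp is now loaded after the first switch and dereferenced on the very next statement as ifp->if_format with no NULL check, so correctness depends on every case above having either jumped to out_unlock_ilock or taken the ILOCK and established that the fork exists. That holds for the XFS_ATTR_FORK and XFS_COW_FORK cases shown in the first hunk, but only implicitly; an ASSERT(ifp) here, or a comment stating that the fork pointer may only be sampled with the ILOCK held, would document the invariant the fix relies on. In the first hunk both early exits now go to out_unlock_ilock, so please also check that every path reaching that label has assigned lock first.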
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Dave Chinner, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 10/17] xfs: fix intermittent hang during quotacheck
Date: Mon, 13 Nov 2023 17:53:31 -0800
Message-ID: <20231114015339.3922119-11-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
X-Mailing-List: linux-xfs@vger.kernel.org

From: "Darrick J. Wong"

[ Upstream commit f0c2d7d2abca24d19831c99edea458704fac8087 ]

Every now and then, I see the following hang during mount time
quotacheck when running fstests. Turning on KASAN seems to make it
happen somewhat more frequently. I've edited the backtrace for brevity.

XFS (sdd): Quotacheck needed: Please wait.
XFS: Assertion failed: bp->b_flags & _XBF_DELWRI_Q, file: fs/xfs/xfs_buf.c, line: 2411
------------[ cut here ]------------
WARNING: CPU: 0 PID: 1831409 at fs/xfs/xfs_message.c:104 assfail+0x46/0x4a [xfs]
CPU: 0 PID: 1831409 Comm: mount Tainted: G W 5.19.0-rc6-xfsx #rc6 09911566947b9f737b036b4af85e399e4b9aef64
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
RIP: 0010:assfail+0x46/0x4a [xfs]
Code: a0 8f 41 a0 e8 45 fe ff ff 8a 1d 2c 36 10 00 80 fb 01 76 0f 0f b6 f3 48 c7 c7 c0 f0 4f a0 e8 10 f0 02 e1 80 e3 01 74 02 0f 0b <0f> 0b 5b c3 48 8d 45 10 48 89 e2 4c 89 e6 48 89 1c 24 48 89 44 24
RSP: 0018:ffffc900078c7b30 EFLAGS: 00010246
RAX: 0000000000000000 RBX: ffff8880099ac000 RCX: 000000007fffffff
RDX: 0000000000000000 RSI: 0000000000000000 RDI: ffffffffa0418fa0
RBP: ffff8880197bc1c0 R08: 0000000000000000 R09: 000000000000000a
R10: 000000000000000a R11: f000000000000000 R12: ffffc900078c7d20
R13: 00000000fffffff5 R14: ffffc900078c7d20 R15: 0000000000000000
FS: 00007f0449903800(0000) GS:ffff88803ec00000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00005610ada631f0 CR3: 0000000014dd8002 CR4: 00000000001706f0
Call Trace:
 xfs_buf_delwri_pushbuf+0x150/0x160 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_qm_flush_one+0xd6/0x130 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_qm_dquot_walk.isra.0+0x109/0x1e0 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_qm_quotacheck+0x319/0x490 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_qm_mount_quotas+0x65/0x2c0 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_mountfs+0x6b5/0xab0 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 xfs_fs_fill_super+0x781/0x990 [xfs 4561f5b32c9bfb874ec98d58d0719464e1f87368]
 get_tree_bdev+0x175/0x280
 vfs_get_tree+0x1a/0x80
 path_mount+0x6f5/0xaa0
 __x64_sys_mount+0x103/0x140
 do_syscall_64+0x2b/0x80
 entry_SYSCALL_64_after_hwframe+0x46/0xb0

I /think/ this can happen if xfs_qm_flush_one is racing with
xfs_qm_dquot_isolate (i.e. dquot reclaim) when the second function has
taken the dquot flush lock but xfs_qm_dqflush hasn't yet locked the
dquot buffer, let alone queued it to the delwri list. In this case,
flush_one will fail to get the dquot flush lock, but it can lock the
incore buffer, but xfs_buf_delwri_pushbuf will then trip over this
ASSERT, which checks that the buffer isn't on a delwri list. The hang
results because the _delwri_submit_buffers ignores non DELWRI_Q buffers,
which means that xfs_buf_iowait waits forever for an IO that has not yet
been scheduled.

AFAICT, a reasonable solution here is to detect a dquot buffer that is
not on a DELWRI list, drop it, and return -EAGAIN to try the flush
again. It's not /that/ big of a deal if quotacheck writes the dquot
buffer repeatedly before we even set QUOTA_CHKD.

Signed-off-by: Darrick J. Wong
Reviewed-by: Dave Chinner
Signed-off-by: Leah Rumancik
--- fs/xfs/xfs_qm.c | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/fs/xfs/xfs_qm.c b/fs/xfs/xfs_qm.c index 623244650a2f..792736e29a37 100644 --- a/fs/xfs/xfs_qm.c +++ b/fs/xfs/xfs_qm.c
@@ -1244,6 +1244,13 @@ xfs_qm_flush_one( error = -EINVAL; goto out_unlock; } + + if (!(bp->b_flags & _XBF_DELWRI_Q)) { + error = -EAGAIN; + xfs_buf_relse(bp); + goto out_unlock; + } + xfs_buf_unlock(bp); xfs_buf_delwri_pushbuf(bp, buffer_list); From patchwork Tue Nov 14 01:53:32 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leah Rumancik X-Patchwork-Id: 13454712 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1A475C072A2 for ; Tue, 14 Nov 2023 01:54:01 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231969AbjKNByB (ORCPT ); Mon, 13 Nov 2023 20:54:01 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:58148 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231994AbjKNByA (ORCPT ); Mon, 13 Nov 2023 20:54:00 -0500 Received: from mail-pl1-x634.google.com (mail-pl1-x634.google.com [IPv6:2607:f8b0:4864:20::634]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id C996CD43 for ; Mon, 13 Nov 2023 17:53:57 -0800 (PST) Received: by mail-pl1-x634.google.com with SMTP id d9443c01a7336-1cc53d0030fso39781415ad.0 for ; Mon, 13 Nov 2023 17:53:57 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699926837; x=1700531637; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=YtjOAwAJuUbl1czCrCB3hFccBzCToeEvPWckZjUsxlw=; b=WRu4weAnZ0BmxqlHt/AOmb6JlYEQReljcK1CKABzqb9TQxtcapVeTC4zTxxPPWOfUR kDb5JqyY4pj18rzN+ylD1f1R4DIo1x2GMidOgxaD1bL1kkM4u2C4iSB8cf2Y+AXgG8sV pyjXQktPY5hUpHgTb7xvbVkSbteCcW8PCrvKYiutDfXxwIa44kLKqQ5FXwsEzon+WEOk 
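Review bot: the new !(bp->b_flags & _XBF_DELWRI_Q) branch in xfs_qm_flush_one() carries no comment, so the reason a locked dquot buffer can be found off the delwri list (the race with dquot reclaim that the commit message describes) is not recorded next to the test. Add a short comment above the check. The hunk also does not show how the caller reacts to -EAGAIN; please confirm that it retries the flush rather than treating the value as a quotacheck failure, since the fix depends on that.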
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Gao Xiang, "Darrick J . Wong", Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 11/17] xfs: add missing cmap->br_state = XFS_EXT_NORM update
Date: Mon, 13 Nov 2023 17:53:32 -0800
Message-ID: <20231114015339.3922119-12-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-xfs@vger.kernel.org

From: Gao Xiang

[ Upstream commit 1a39ae415c1be1e46f5b3f97d438c7c4adc22b63 ]

COW extents are already converted into written real extents after
xfs_reflink_convert_cow_locked(), therefore cmap->br_state should
reflect it.

Otherwise, there is another necessary unwritten conversion
triggered in xfs_dio_write_end_io() for direct I/O cases.

Signed-off-by: Gao Xiang
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
--- fs/xfs/xfs_reflink.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c index 36832e4bc803..628ce65d02bb 100644 --- a/fs/xfs/xfs_reflink.c +++ b/fs/xfs/xfs_reflink.c
@@ -425,7 +425,10 @@ xfs_reflink_allocate_cow( if (!convert_now || cmap->br_state == XFS_EXT_NORM) return 0; trace_xfs_reflink_convert_cow(ip, cmap); - return xfs_reflink_convert_cow_locked(ip, offset_fsb, count_fsb); + error = xfs_reflink_convert_cow_locked(ip, offset_fsb, count_fsb); + if (!error) + cmap->br_state = XFS_EXT_NORM; + return error; out_trans_cancel: xfs_trans_cancel(tp); From patchwork Tue Nov 14 01:53:33 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leah Rumancik X-Patchwork-Id: 13454713 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id 21CB0C4332F for ; Tue, 14 Nov 2023 01:54:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232013AbjKNByD (ORCPT ); Mon, 13 Nov 2023 20:54:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43366 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232001AbjKNByC (ORCPT ); Mon, 13 Nov 2023 20:54:02 -0500 Received: from mail-pl1-x62d.google.com (mail-pl1-x62d.google.com [IPv6:2607:f8b0:4864:20::62d]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id D8C20D43 for ; Mon, 13 Nov 2023 17:53:58 -0800 (PST) Received: by mail-pl1-x62d.google.com with SMTP id d9443c01a7336-1cc9b626a96so37486365ad.2 for ; Mon, 13 Nov 2023 17:53:58 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699926838; x=1700531638; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=feGnkf7hecFo0+lJM4+aii3zZm5IM2/wPCItdLGBNTc=; b=J0Q7f29R5CVtqanMb/Zhcj4hVgf2fx+QqkfnX6ssxyYxCWe0soVwTNvqpfKMEGQbfp 
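Review bot: in xfs_reflink_allocate_cow(), the added cmap->br_state = XFS_EXT_NORM assignment updates the caller's mapping as a side effect of the convert path, and nothing at that line says why. A one-line comment stating that the range was just converted by xfs_reflink_convert_cow_locked() and that the caller's copy must reflect it (the commit message names xfs_dio_write_end_io() as the consumer) would keep a later refactor from dropping the assignment.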
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Wengang Wang, "Darrick J . Wong", Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 12/17] xfs: Fix false ENOSPC when performing direct write on a delalloc extent in cow fork
Date: Mon, 13 Nov 2023 17:53:33 -0800
Message-ID: <20231114015339.3922119-13-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-xfs@vger.kernel.org

From: Chandan Babu R

[ Upstream commit d62113303d691bcd8d0675ae4ac63e7769afc56c ]

On a highly fragmented filesystem a Direct IO write can fail with -ENOSPC error
even though the filesystem has sufficient number of free blocks.

This occurs if the file offset range on which the write operation is being
performed has a delalloc extent in the cow fork and this delalloc extent
begins much before the Direct IO range.

In such a scenario, xfs_reflink_allocate_cow() invokes xfs_bmapi_write() to
allocate the blocks mapped by the delalloc extent. The extent thus allocated
may not cover the beginning of file offset range on which the Direct IO write
was issued. Hence xfs_reflink_allocate_cow() ends up returning -ENOSPC.

The following script reliably recreates the bug described above.

  #!/usr/bin/bash

  device=/dev/loop0
  shortdev=$(basename $device)

  mntpnt=/mnt/
  file1=${mntpnt}/file1
  file2=${mntpnt}/file2
  fragmentedfile=${mntpnt}/fragmentedfile
  punchprog=/root/repos/xfstests-dev/src/punch-alternating

  errortag=/sys/fs/xfs/${shortdev}/errortag/bmap_alloc_minlen_extent

  umount $device > /dev/null 2>&1

  echo "Create FS"
  mkfs.xfs -f -m reflink=1 $device > /dev/null 2>&1
  if [[ $? != 0 ]]; then
      echo "mkfs failed."
      exit 1
  fi

  echo "Mount FS"
  mount $device $mntpnt > /dev/null 2>&1
  if [[ $? != 0 ]]; then
      echo "mount failed."
      exit 1
  fi

  echo "Create source file"
  xfs_io -f -c "pwrite 0 32M" $file1 > /dev/null 2>&1

  sync

  echo "Create Reflinked file"
  xfs_io -f -c "reflink $file1" $file2 &>/dev/null

  echo "Set cowextsize"
  xfs_io -c "cowextsize 16M" $file1 > /dev/null 2>&1

  echo "Fragment FS"
  xfs_io -f -c "pwrite 0 64M" $fragmentedfile > /dev/null 2>&1
  sync
  $punchprog $fragmentedfile

  echo "Allocate block sized extent from now onwards"
  echo -n 1 > $errortag

  echo "Create 16MiB delalloc extent in CoW fork"
  xfs_io -c "pwrite 0 4k" $file1 > /dev/null 2>&1

  sync

  echo "Direct I/O write at offset 12k"
  xfs_io -d -c "pwrite 12k 8k" $file1

This commit fixes the bug by invoking xfs_bmapi_write() in a loop until disk
blocks are allocated for at least the starting file offset of the Direct IO
write range.

Fixes: 3c68d44a2b49 ("xfs: allocate direct I/O COW blocks in iomap_begin")
Reported-and-Root-caused-by: Wengang Wang
Signed-off-by: Chandan Babu R
Reviewed-by: Darrick J. Wong
[djwong: slight editing to make the locking less grody, and fix some style things]
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
--- fs/xfs/xfs_reflink.c | 198 +++++++++++++++++++++++++++++++++++-------- 1 file changed, 163 insertions(+), 35 deletions(-) diff --git a/fs/xfs/xfs_reflink.c b/fs/xfs/xfs_reflink.c index 628ce65d02bb..793bdf5ac2f7 100644 --- a/fs/xfs/xfs_reflink.c +++ b/fs/xfs/xfs_reflink.c
@@ -340,9 +340,41 @@ xfs_find_trim_cow_extent( return 0; } -/* Allocate all CoW reservations covering a range of blocks in a file. */ -int -xfs_reflink_allocate_cow( +static int +xfs_reflink_convert_unwritten( + struct xfs_inode *ip, + struct xfs_bmbt_irec *imap, + struct xfs_bmbt_irec *cmap, + bool convert_now) +{ + xfs_fileoff_t offset_fsb = imap->br_startoff; + xfs_filblks_t count_fsb = imap->br_blockcount; + int error; + + /* + * cmap might larger than imap due to cowextsize hint. + */ + xfs_trim_extent(cmap, offset_fsb, count_fsb); + + /* + * COW fork extents are supposed to remain unwritten until we're ready + * to initiate a disk write. For direct I/O we are going to write the + * data and need the conversion, but for buffered writes we're done. + */ + if (!convert_now || cmap->br_state == XFS_EXT_NORM) + return 0; + + trace_xfs_reflink_convert_cow(ip, cmap); + + error = xfs_reflink_convert_cow_locked(ip, offset_fsb, count_fsb); + if (!error) + cmap->br_state = XFS_EXT_NORM; + + return error; +} + +static int +xfs_reflink_fill_cow_hole( struct xfs_inode *ip, struct xfs_bmbt_irec *imap, struct xfs_bmbt_irec *cmap, @@ -351,25 +383,12 @@ xfs_reflink_allocate_cow( bool convert_now) { struct xfs_mount *mp = ip->i_mount; - xfs_fileoff_t offset_fsb = imap->br_startoff; - xfs_filblks_t count_fsb = imap->br_blockcount; struct xfs_trans *tp; - int nimaps, error = 0; - bool found; xfs_filblks_t resaligned; - xfs_extlen_t resblks = 0; - - ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); - if (!ip->i_cowfp) { - ASSERT(!xfs_is_reflink_inode(ip)); - xfs_ifork_init_cow(ip); - } - - error = xfs_find_trim_cow_extent(ip, imap, cmap, shared, &found); - if (error || !*shared) - return error; - if (found) - goto convert; + xfs_extlen_t resblks; + int nimaps; + int error; + bool found; resaligned = xfs_aligned_fsb_count(imap->br_startoff, imap->br_blockcount, xfs_get_cowextsz_hint(ip)); 
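Review bot: the comment inside the new xfs_reflink_convert_unwritten() (first hunk, @@ -340) reads "cmap might larger than imap due to cowextsize hint" and is missing its verb; it should say "might be larger". The helper also has no header comment, while the one-line description of xfs_reflink_allocate_cow() is moved away from this spot in the same hunk. A sentence saying that it trims cmap to the imap range and converts that range to written only when convert_now is set would document the contract the three callers rely on.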
@@ -385,17 +404,17 @@ xfs_reflink_allocate_cow( *lockmode = XFS_ILOCK_EXCL; - /* - * Check for an overlapping extent again now that we dropped the ilock. - */ error = xfs_find_trim_cow_extent(ip, imap, cmap, shared, &found); if (error || !*shared) goto out_trans_cancel; + if (found) { xfs_trans_cancel(tp); goto convert; } + ASSERT(cmap->br_startoff > imap->br_startoff); + /* Allocate the entire reservation as unwritten blocks. */ nimaps = 1; error = xfs_bmapi_write(tp, ip, imap->br_startoff, imap->br_blockcount, 
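Review bot: this hunk deletes the comment "Check for an overlapping extent again now that we dropped the ilock." but keeps the xfs_find_trim_cow_extent() call that it explained. The second lookup is still there for the same reason and is not obvious from the code alone, so the comment should stay. Separately, the added ASSERT(cmap->br_startoff > imap->br_startoff) only fires on debug builds; if a non-hole mapping at this point would be a real inconsistency, say in a comment what happens on production builds or return an error instead.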
@@ -415,26 +434,135 @@ xfs_reflink_allocate_cow( */ if (nimaps == 0) return -ENOSPC; + convert: - xfs_trim_extent(cmap, offset_fsb, count_fsb); - /* - * COW fork extents are supposed to remain unwritten until we're ready - * to initiate a disk write. For direct I/O we are going to write the - * data and need the conversion, but for buffered writes we're done. - */ - if (!convert_now || cmap->br_state == XFS_EXT_NORM) - return 0; - trace_xfs_reflink_convert_cow(ip, cmap); - error = xfs_reflink_convert_cow_locked(ip, offset_fsb, count_fsb); - if (!error) - cmap->br_state = XFS_EXT_NORM; + return xfs_reflink_convert_unwritten(ip, imap, cmap, convert_now); + +out_trans_cancel: + xfs_trans_cancel(tp); return error; +} + +static int +xfs_reflink_fill_delalloc( + struct xfs_inode *ip, + struct xfs_bmbt_irec *imap, + struct xfs_bmbt_irec *cmap, + bool *shared, + uint *lockmode, + bool convert_now) +{ + struct xfs_mount *mp = ip->i_mount; + struct xfs_trans *tp; + int nimaps; + int error; + bool found; + + do { + xfs_iunlock(ip, *lockmode); + *lockmode = 0; + + error = xfs_trans_alloc_inode(ip, &M_RES(mp)->tr_write, 0, 0, + false, &tp); + if (error) + return error; + + *lockmode = XFS_ILOCK_EXCL; + + error = xfs_find_trim_cow_extent(ip, imap, cmap, shared, + &found); + if (error || !*shared) + goto out_trans_cancel; + + if (found) { + xfs_trans_cancel(tp); + break; + } + + ASSERT(isnullstartblock(cmap->br_startblock) || + cmap->br_startblock == DELAYSTARTBLOCK); + + /* + * Replace delalloc reservation with an unwritten extent. + */ + nimaps = 1; + error = xfs_bmapi_write(tp, ip, cmap->br_startoff, + cmap->br_blockcount, + XFS_BMAPI_COWFORK | XFS_BMAPI_PREALLOC, 0, + cmap, &nimaps); + if (error) + goto out_trans_cancel; + + xfs_inode_set_cowblocks_tag(ip); + error = xfs_trans_commit(tp); + if (error) + return error; + + /* + * Allocation succeeded but the requested range was not even + * partially satisfied? Bail out! 
+ */ + if (nimaps == 0) + return -ENOSPC; + } while (cmap->br_startoff + cmap->br_blockcount <= imap->br_startoff); + + return xfs_reflink_convert_unwritten(ip, imap, cmap, convert_now); out_trans_cancel: xfs_trans_cancel(tp); return error; } +/* Allocate all CoW reservations covering a range of blocks in a file. */ +int +xfs_reflink_allocate_cow( + struct xfs_inode *ip, + struct xfs_bmbt_irec *imap, + struct xfs_bmbt_irec *cmap, + bool *shared, + uint *lockmode, + bool convert_now) +{ + int error; + bool found; + + ASSERT(xfs_isilocked(ip, XFS_ILOCK_EXCL)); + if (!ip->i_cowfp) { + ASSERT(!xfs_is_reflink_inode(ip)); + xfs_ifork_init_cow(ip); + } + + error = xfs_find_trim_cow_extent(ip, imap, cmap, shared, &found); + if (error || !*shared) + return error; + + /* CoW fork has a real extent */ + if (found) + return xfs_reflink_convert_unwritten(ip, imap, cmap, + convert_now); + + /* + * CoW fork does not have an extent and data extent is shared. + * Allocate a real extent in the CoW fork. + */ + if (cmap->br_startoff > imap->br_startoff) + return xfs_reflink_fill_cow_hole(ip, imap, cmap, shared, + lockmode, convert_now); + + /* + * CoW fork has a delalloc reservation. Replace it with a real extent. + * There may or may not be a data fork mapping. + */ + if (isnullstartblock(cmap->br_startblock) || + cmap->br_startblock == DELAYSTARTBLOCK) + return xfs_reflink_fill_delalloc(ip, imap, cmap, shared, + lockmode, convert_now); + + /* Shouldn't get here. */ + ASSERT(0); + return -EFSCORRUPTED; +} + /* * Cancel CoW reservations for some block range of an inode. 
* From patchwork Tue Nov 14 01:53:34 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leah Rumancik X-Patchwork-Id: 13454714 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BBD33C074FD for ; Tue, 14 Nov 2023 01:54:02 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232001AbjKNByD (ORCPT ); Mon, 13 Nov 2023 20:54:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43372 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231994AbjKNByD (ORCPT ); Mon, 13 Nov 2023 20:54:03 -0500 Received: from mail-pl1-x632.google.com (mail-pl1-x632.google.com [IPv6:2607:f8b0:4864:20::632]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE7A0D45 for ; Mon, 13 Nov 2023 17:53:59 -0800 (PST) Received: by mail-pl1-x632.google.com with SMTP id d9443c01a7336-1cc3388621cso45878865ad.1 for ; Mon, 13 Nov 2023 17:53:59 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699926839; x=1700531639; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=+6aUg0Rw7SV8YlFaf1FQyTuKLiXDrzhC3SD/xZ7hvKc=; b=bTp7+SOqKCLgl8fHMxxqhh96MnDUN/wYWenXpIM3wo8rrKXP2bb+lcSswNhhb4Fmau krtNHM0UiJANdGOcp3aM9fQuQpEwq90md3nL0uELWuBL39fNi0sA6fI3aoeL/IJjdFqR IVlWdEiL11km1veb6frJl9TxDkkEsr7VFpvGEfdt+yuQDWkqBPduymlg8s/tkYS3/yUA W776uXqXzzw9hHA+yuYrc4m64Bj7mnEvRwBamx1yAwLEAJsitM/a/aPJm2cfz+Y6LSgm DXskmR3Ph9wP6RZoGwkgWk2dVMctl5H1746yprcYKdKhLUnBnYqOulPRIXQOy51itjdi 9gtQ== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1699926839; x=1700531639; 
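Review bot: the do/while in the new xfs_reflink_fill_delalloc() terminates on cmap->br_startoff + cmap->br_blockcount <= imap->br_startoff, and no comment explains that the loop repeats the allocation until the extent returned by xfs_bmapi_write() reaches the start of the requested range, which is the entire fix. Please document the condition next to the while. The loop also drops and retakes the ilock through *lockmode on every pass, so a sentence on what xfs_find_trim_cow_extent() is expected to return on the second and later iterations would help; today that expectation is carried only by the ASSERT on isnullstartblock()/DELAYSTARTBLOCK.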
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, hexiaole, "Darrick J . Wong", Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 13/17] xfs: fix inode reservation space for removing transaction
Date: Mon, 13 Nov 2023 17:53:34 -0800
Message-ID: <20231114015339.3922119-14-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-xfs@vger.kernel.org

From: hexiaole

[ Upstream commit 031d166f968efba6e4f091ff75d0bb5206bb3918 ]

In 'fs/xfs/libxfs/xfs_trans_resv.c', the comment for the transaction of
removing a directory entry reads:

/* fs/xfs/libxfs/xfs_trans_resv.c begin */
/*
 * For removing a directory entry we can modify:
 *    the parent directory inode: inode size
 *    the removed inode: inode size
...
xfs_calc_remove_reservation(
        struct xfs_mount *mp)
{
        return XFS_DQUOT_LOGRES(mp) +
                xfs_calc_iunlink_add_reservation(mp) +
                max((xfs_calc_inode_res(mp, 1) +
...
/* fs/xfs/libxfs/xfs_trans_resv.c end */

There are 2 inode sizes of space to be reserved, but the actual code
for inode reservation space only counts 1 inode size to be reserved in
'xfs_calc_inode_res(mp, 1)', rather than 2.

Signed-off-by: hexiaole
Reviewed-by: Darrick J. Wong
[djwong: remove redundant code citations]
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
--- fs/xfs/libxfs/xfs_trans_resv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/fs/xfs/libxfs/xfs_trans_resv.c b/fs/xfs/libxfs/xfs_trans_resv.c index 5e300daa2559..2db9d9d12344 100644 --- a/fs/xfs/libxfs/xfs_trans_resv.c +++ b/fs/xfs/libxfs/xfs_trans_resv.c
@@ -423,7 +423,7 @@ xfs_calc_remove_reservation( { return XFS_DQUOT_LOGRES(mp) + xfs_calc_iunlink_add_reservation(mp) + - max((xfs_calc_inode_res(mp, 1) + + max((xfs_calc_inode_res(mp, 2) + xfs_calc_buf_res(XFS_DIROP_LOG_COUNT(mp), XFS_FSB_TO_B(mp, 1))), (xfs_calc_buf_res(4, mp->m_sb.sb_sectsize) + From patchwork Tue Nov 14 01:53:35 2023 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Leah Rumancik X-Patchwork-Id: 13454715 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id BF7AFC4167B for ; Tue, 14 Nov 2023 01:54:03 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232017AbjKNByF (ORCPT ); Mon, 13 Nov 2023 20:54:05 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43396 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232018AbjKNByE (ORCPT ); Mon, 13 Nov 2023 20:54:04 -0500 Received: from mail-pg1-x52e.google.com (mail-pg1-x52e.google.com [IPv6:2607:f8b0:4864:20::52e]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B30D7D43 for ; Mon, 13 Nov 2023 17:54:00 -0800 (PST) Received: by mail-pg1-x52e.google.com with SMTP id 41be03b00d2f7-5c19a328797so1128645a12.3 for ; Mon, 13 Nov 2023 17:54:00 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20230601; t=1699926840; x=1700531640; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:references:in-reply-to :message-id:date:subject:cc:to:from:from:to:cc:subject:date :message-id:reply-to; bh=IeNJFUYfbpQmri6PrATtJa01ZPb74ElHklhAToKqLME=; b=NNdysbieDy1TtiikNzYG2cafs1Wenhhdx8wFl9m1PwfE5FjYm6NN8RGC3tMkc7xY5i PdqCNUoavtYHNAQElPHkyFKhA6pTiXHwV0fe8doAooAEPp+JbgVotDL+yHMQOQes4JRy DmUaFwv7JbarnYI9ooHhVyOBQ6HmvcSWU1PQENSAtOibXWCgyNfe6HeSQupkXQaD4OL7 
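Review bot: the only change in xfs_calc_remove_reservation() is the count passed to xfs_calc_inode_res() in the first arm of max(), from 1 to 2, which enlarges the log reservation requested for remove transactions. The commit message justifies the new value from the function's own comment but says nothing about how the change was tested or whether anything that is sized from this reservation is affected. Please add that to the message so a stable reviewer can judge the backport risk.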
From: Leah Rumancik
To: linux-xfs@vger.kernel.org
Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, "Darrick J. Wong", Christoph Hellwig, Leah Rumancik
Subject: [PATCH 5.15 CANDIDATE 14/17] xfs: avoid a UAF when log intent item recovery fails
Date: Mon, 13 Nov 2023 17:53:35 -0800
Message-ID: <20231114015339.3922119-15-leah.rumancik@gmail.com>
X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog
In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com>
References: <20231114015339.3922119-1-leah.rumancik@gmail.com>
MIME-Version: 1.0
Precedence: bulk
List-ID:
X-Mailing-List: linux-xfs@vger.kernel.org

From: "Darrick J. Wong"

[ Upstream commit 97cf79677ecb50a38517253ae2fd705849a7e51a ]

KASAN reported a UAF bug when I was running xfs/235:

 BUG: KASAN: use-after-free in xlog_recover_process_intents+0xa77/0xae0 [xfs]
 Read of size 8 at addr ffff88804391b360 by task mount/5680

 CPU: 2 PID: 5680 Comm: mount Not tainted 6.0.0-xfsx #6.0.0 77e7b52a4943a975441e5ac90a5ad7748b7867f6
 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.15.0-1 04/01/2014
 Call Trace:
  dump_stack_lvl+0x34/0x44
  print_report.cold+0x2cc/0x682
  kasan_report+0xa3/0x120
  xlog_recover_process_intents+0xa77/0xae0 [xfs fb841c7180aad3f8359438576e27867f5795667e]
  xlog_recover_finish+0x7d/0x970 [xfs fb841c7180aad3f8359438576e27867f5795667e]
  xfs_log_mount_finish+0x2d7/0x5d0 [xfs fb841c7180aad3f8359438576e27867f5795667e]
  xfs_mountfs+0x11d4/0x1d10 [xfs fb841c7180aad3f8359438576e27867f5795667e]
  xfs_fs_fill_super+0x13d5/0x1a80 [xfs fb841c7180aad3f8359438576e27867f5795667e]
  get_tree_bdev+0x3da/0x6e0
  vfs_get_tree+0x7d/0x240
  path_mount+0xdd3/0x17d0
  __x64_sys_mount+0x1fa/0x270
  do_syscall_64+0x2b/0x80
  entry_SYSCALL_64_after_hwframe+0x46/0xb0
 RIP: 0033:0x7ff5bc069eae
 Code: 48 8b 0d 85 1f 0f 00 f7 d8 64 89 01 48 83 c8 ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 49 89 ca b8 a5 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 52 1f 0f 00 f7 d8 64 89 01 48
 RSP: 002b:00007ffe433fd448 EFLAGS: 00000246 ORIG_RAX: 00000000000000a5
 RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007ff5bc069eae
 RDX: 00005575d7213290 RSI: 00005575d72132d0 RDI: 00005575d72132b0
 RBP: 00005575d7212fd0 R08: 00005575d7213230 R09: 00005575d7213fe0
 R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
 R13: 00005575d7213290 R14: 00005575d72132b0 R15: 00005575d7212fd0

 Allocated by task 5680:
  kasan_save_stack+0x1e/0x40
  __kasan_slab_alloc+0x66/0x80
  kmem_cache_alloc+0x152/0x320
  xfs_rui_init+0x17a/0x1b0 [xfs]
  xlog_recover_rui_commit_pass2+0xb9/0x2e0 [xfs]
  xlog_recover_items_pass2+0xe9/0x220 [xfs]
  xlog_recover_commit_trans+0x673/0x900 [xfs]
  xlog_recovery_process_trans+0xbe/0x130 [xfs]
  xlog_recover_process_data+0x103/0x2a0 [xfs]
  xlog_do_recovery_pass+0x548/0xc60 [xfs]
  xlog_do_log_recovery+0x62/0xc0 [xfs]
  xlog_do_recover+0x73/0x480 [xfs]
  xlog_recover+0x229/0x460 [xfs]
  xfs_log_mount+0x284/0x640 [xfs]
  xfs_mountfs+0xf8b/0x1d10 [xfs]
  xfs_fs_fill_super+0x13d5/0x1a80 [xfs]
  get_tree_bdev+0x3da/0x6e0
  vfs_get_tree+0x7d/0x240
  path_mount+0xdd3/0x17d0
  __x64_sys_mount+0x1fa/0x270
  do_syscall_64+0x2b/0x80
  entry_SYSCALL_64_after_hwframe+0x46/0xb0

 Freed by task 5680:
  kasan_save_stack+0x1e/0x40
  kasan_set_track+0x21/0x30
  kasan_set_free_info+0x20/0x30
  ____kasan_slab_free+0x144/0x1b0
  slab_free_freelist_hook+0xab/0x180
  kmem_cache_free+0x1f1/0x410
  xfs_rud_item_release+0x33/0x80 [xfs]
  xfs_trans_free_items+0xc3/0x220 [xfs]
  xfs_trans_cancel+0x1fa/0x590 [xfs]
  xfs_rui_item_recover+0x913/0xd60 [xfs]
  xlog_recover_process_intents+0x24e/0xae0 [xfs]
  xlog_recover_finish+0x7d/0x970 [xfs]
  xfs_log_mount_finish+0x2d7/0x5d0 [xfs]
  xfs_mountfs+0x11d4/0x1d10 [xfs]
  xfs_fs_fill_super+0x13d5/0x1a80 [xfs]
  get_tree_bdev+0x3da/0x6e0
  vfs_get_tree+0x7d/0x240
  path_mount+0xdd3/0x17d0
  __x64_sys_mount+0x1fa/0x270
  do_syscall_64+0x2b/0x80
  entry_SYSCALL_64_after_hwframe+0x46/0xb0

 The buggy address belongs to the object at ffff88804391b300
  which belongs to the cache xfs_rui_item of size 688
 The buggy address is located 96 bytes inside of
  688-byte region [ffff88804391b300, ffff88804391b5b0)

 The buggy address belongs to the physical page:
 page:ffffea00010e4600 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888043919320 pfn:0x43918
 head:ffffea00010e4600 order:2 compound_mapcount:0 compound_pincount:0
 flags: 0x4fff80000010200(slab|head|node=1|zone=1|lastcpupid=0xfff)
 raw: 04fff80000010200 0000000000000000 dead000000000122 ffff88807f0eadc0
 raw: ffff888043919320 0000000080140010 00000001ffffffff 0000000000000000
 page dumped because: kasan: bad access detected

 Memory state around the buggy address:
  ffff88804391b200: fc fc fc fc fc fc fc fc fc fc fc
fc fc fc fc fc ffff88804391b280: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >ffff88804391b300: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ^ ffff88804391b380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ffff88804391b400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb ================================================================== The test fuzzes an rmap btree block and starts writer threads to induce a filesystem shutdown on the corrupt block. When the filesystem is remounted, recovery will try to replay the committed rmap intent item, but the corruption problem causes the recovery transaction to fail. Cancelling the transaction frees the RUD, which frees the RUI that we recovered. When we return to xlog_recover_process_intents, @lip is now a dangling pointer, and we cannot use it to find the iop_recover method for the tracepoint. Hence we must store the item ops before calling ->iop_recover if we want to give it to the tracepoint so that the trace data will tell us exactly which intent item failed. Signed-off-by: Darrick J. Wong Reviewed-by: Christoph Hellwig Signed-off-by: Leah Rumancik --- fs/xfs/xfs_log_recover.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/xfs/xfs_log_recover.c b/fs/xfs/xfs_log_recover.c index 04961ebf16ea..3d844a250b71 100644 --- a/fs/xfs/xfs_log_recover.c +++ b/fs/xfs/xfs_log_recover.c @@ -2560,6 +2560,7 @@ xlog_recover_process_intents( for (lip = xfs_trans_ail_cursor_first(ailp, &cur, 0); lip != NULL; lip = xfs_trans_ail_cursor_next(ailp, &cur)) { + const struct xfs_item_ops *ops; /* * We're done when we see something other than an intent. * There should be no intents left in the AIL now. 
@@ -2584,13 +2585,17 @@ xlog_recover_process_intents( * deferred ops, you /must/ attach them to the capture list in * the recover routine or else those subsequent intents will be * replayed in the wrong order! + * + * The recovery function can free the log item, so we must not + * access lip after it returns. */ spin_unlock(&ailp->ail_lock); - error = lip->li_ops->iop_recover(lip, &capture_list); + ops = lip->li_ops; + error = ops->iop_recover(lip, &capture_list); spin_lock(&ailp->ail_lock); if (error) { trace_xlog_intent_recovery_failed(log->l_mp, error, - lip->li_ops->iop_recover); + ops->iop_recover); break; } }
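Review bot: In the second hunk, ops is still dereferenced on the error path (ops->iop_recover is handed to trace_xlog_intent_recovery_failed) after ->iop_recover has returned, so the fix holds only if the xfs_item_ops table that lip->li_ops points to is not released together with the log item. The added comment explains why lip is off limits but not why ops remains valid; one more line saying the ops table outlives the item would stop a later cleanup from folding this back into lip->li_ops->iop_recover. It is also worth saying in that comment that the loop advances through the AIL cursor (&cur) rather than through lip, since that is what makes continuing the loop safe after the item is gone.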
From: Leah Rumancik To: linux-xfs@vger.kernel.org Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Guo Xuenan , Hou Tao , "Darrick J . Wong" , Leah Rumancik Subject: [PATCH 5.15 CANDIDATE 15/17] xfs: fix exception caused by unexpected illegal bestcount in leaf dir Date: Mon, 13 Nov 2023 17:53:36 -0800 Message-ID: <20231114015339.3922119-16-leah.rumancik@gmail.com> X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com> References: <20231114015339.3922119-1-leah.rumancik@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org 
From: Guo Xuenan

[ Upstream commit 13cf24e00665c9751951a422756d975812b71173 ]

For leaf dir, in most cases, there should be as many bestfree slots as the dir data blocks that can fit under i_size (except for [1]).

Root cause is we don't examine the number of bestfree slots. When the number of slots is less than the number of dir data blocks, if we need to allocate a new dir data block and update the bestfree array, we will use the dir block number as the index to assign into the bestfree array, while we did not check the leaf buf boundary, which may cause UAF or other memory access problems. This issue can also be triggered with test case xfs/473 from fstests.

According to Dave Chinner & Darrick's suggestion, adding a buffer verifier to detect this abnormal situation in time. Simplify the testcase for fstest xfs/554 [1]

The error log is shown as follows:

================================================================== BUG: KASAN: use-after-free in xfs_dir2_leaf_addname+0x1995/0x1ac0 Write of size 2 at addr ffff88810168b000 by task touch/1552 CPU: 5 PID: 1552 Comm: touch Not tainted 6.0.0-rc3+ #101 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x4d/0x66 print_report.cold+0xf6/0x691 kasan_report+0xa8/0x120 xfs_dir2_leaf_addname+0x1995/0x1ac0 xfs_dir_createname+0x58c/0x7f0 xfs_create+0x7af/0x1010 xfs_generic_create+0x270/0x5e0 path_openat+0x270b/0x3450 do_filp_open+0x1cf/0x2b0 do_sys_openat2+0x46b/0x7a0 do_sys_open+0xb7/0x130 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fe4d9e9312b Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 4c 24 28 64 48 33 0c 25 RSP: 002b:00007ffda4c16c20 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe4d9e9312b RDX: 0000000000000941 RSI: 00007ffda4c17f33 RDI: 00000000ffffff9c RBP: 00007ffda4c17f33 R08:
0000000000000000 R09: 0000000000000000 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 00007fe4d9f631a4 R14: 00007ffda4c17f33 R15: 0000000000000000 The buggy address belongs to the physical page: page:ffffea000405a2c0 refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10168b flags: 0x2fffff80000000(node=0|zone=2|lastcpupid=0x1fffff) raw: 002fffff80000000 ffffea0004057788 ffffea000402dbc8 0000000000000000 raw: 0000000000000000 0000000000170000 00000000ffffffff 0000000000000000 page dumped because: kasan: bad access detected Memory state around the buggy address: ffff88810168af00: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ffff88810168af80: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 >ffff88810168b000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ^ ffff88810168b080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ffff88810168b100: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ================================================================== Disabling lock debugging due to kernel taint 00000000: 58 44 44 33 5b 53 35 c2 00 00 00 00 00 00 00 78 XDD3[S5........x XFS (sdb): Internal error xfs_dir2_data_use_free at line 1200 of file fs/xfs/libxfs/xfs_dir2_data.c. 
Caller xfs_dir2_data_use_free+0x28a/0xeb0 CPU: 5 PID: 1552 Comm: touch Tainted: G B 6.0.0-rc3+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 Call Trace: dump_stack_lvl+0x4d/0x66 xfs_corruption_error+0x132/0x150 xfs_dir2_data_use_free+0x198/0xeb0 xfs_dir2_leaf_addname+0xa59/0x1ac0 xfs_dir_createname+0x58c/0x7f0 xfs_create+0x7af/0x1010 xfs_generic_create+0x270/0x5e0 path_openat+0x270b/0x3450 do_filp_open+0x1cf/0x2b0 do_sys_openat2+0x46b/0x7a0 do_sys_open+0xb7/0x130 do_syscall_64+0x35/0x80 entry_SYSCALL_64_after_hwframe+0x63/0xcd RIP: 0033:0x7fe4d9e9312b Code: 25 00 00 41 00 3d 00 00 41 00 74 4b 64 8b 04 25 18 00 00 00 85 c0 75 67 44 89 e2 48 89 ee bf 9c ff ff ff b8 01 01 00 00 0f 05 <48> 3d 00 f0 ff ff 0f 87 91 00 00 00 48 8b 4c 24 28 64 48 33 0c 25 RSP: 002b:00007ffda4c16c20 EFLAGS: 00000246 ORIG_RAX: 0000000000000101 RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00007fe4d9e9312b RDX: 0000000000000941 RSI: 00007ffda4c17f46 RDI: 00000000ffffff9c RBP: 00007ffda4c17f46 R08: 0000000000000000 R09: 0000000000000001 R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000941 R13: 00007fe4d9f631a4 R14: 00007ffda4c17f46 R15: 0000000000000000 XFS (sdb): Corruption detected. Unmount and run xfs_repair [1] https://lore.kernel.org/all/20220928095355.2074025-1-guoxuenan@huawei.com/ Reviewed-by: Hou Tao Signed-off-by: Guo Xuenan Reviewed-by: Darrick J. Wong Signed-off-by: Darrick J. Wong Signed-off-by: Leah Rumancik --- fs/xfs/libxfs/xfs_dir2_leaf.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/fs/xfs/libxfs/xfs_dir2_leaf.c b/fs/xfs/libxfs/xfs_dir2_leaf.c index d9b66306a9a7..cb9e950a911d 100644 --- a/fs/xfs/libxfs/xfs_dir2_leaf.c +++ b/fs/xfs/libxfs/xfs_dir2_leaf.c @@ -146,6 +146,8 @@ xfs_dir3_leaf_check_int( xfs_dir2_leaf_tail_t *ltp; int stale; int i; + bool isleaf1 = (hdr->magic == XFS_DIR2_LEAF1_MAGIC || + hdr->magic == XFS_DIR3_LEAF1_MAGIC); ltp = xfs_dir2_leaf_tail_p(geo, leaf); 
@@ -158,8 +160,7 @@ xfs_dir3_leaf_check_int( return __this_address; /* Leaves and bests don't overlap in leaf format. */ - if ((hdr->magic == XFS_DIR2_LEAF1_MAGIC || - hdr->magic == XFS_DIR3_LEAF1_MAGIC) && + if (isleaf1 && (char *)&hdr->ents[hdr->count] > (char *)xfs_dir2_leaf_bests_p(ltp)) return __this_address; 
@@ -175,6 +176,10 @@ xfs_dir3_leaf_check_int( } if (hdr->ents[i].address == cpu_to_be32(XFS_DIR2_NULL_DATAPTR)) stale++; + if (isleaf1 && xfs_dir2_dataptr_to_db(geo, + be32_to_cpu(hdr->ents[i].address)) >= + be32_to_cpu(ltp->bestcount)) + return __this_address; } if (hdr->stale != stale) return __this_address;
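Review bot: In the third hunk, the new bestcount comparison runs for every entry, including the ones the preceding test has just counted as stale (address equal to XFS_DIR2_NULL_DATAPTR). If a stale entry is meant to pass because its data pointer converts to a block number below bestcount, say so in a comment; otherwise make the new check the else branch of the stale test so that only live entries are validated. A one-line comment above the check stating what it protects would also help: per the commit message, the bestfree array is later indexed by data block number, so every entry's block must be less than ltp->bestcount.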
From: Leah Rumancik To: linux-xfs@vger.kernel.org Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Zeng Heng , "Darrick J . Wong" , Leah Rumancik Subject: [PATCH 5.15 CANDIDATE 16/17] xfs: fix memory leak in xfs_errortag_init Date: Mon, 13 Nov 2023 17:53:37 -0800 Message-ID: <20231114015339.3922119-17-leah.rumancik@gmail.com> X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com> References: <20231114015339.3922119-1-leah.rumancik@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org

From: Zeng Heng

[ Upstream commit cf4f4c12dea7a977a143c8fe5af1740b7f9876f8 ]

When `xfs_sysfs_init` returns failure, `mp->m_errortag` needs to be freed. Otherwise kmemleak would report a memory leak after mounting an xfs image:

unreferenced object 0xffff888101364900 (size 192): comm "mount", pid 13099, jiffies 4294915218 (age 335.207s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ backtrace: [<00000000f08ad25c>] __kmalloc+0x41/0x1b0 [<00000000dca9aeb6>] kmem_alloc+0xfd/0x430 [<0000000040361882>] xfs_errortag_init+0x20/0x110 [<00000000b384a0f6>] xfs_mountfs+0x6ea/0x1a30 [<000000003774395d>] xfs_fs_fill_super+0xe10/0x1a80 [<000000009cf07b6c>] get_tree_bdev+0x3e7/0x700 [<00000000046b5426>] vfs_get_tree+0x8e/0x2e0 [<00000000952ec082>] path_mount+0xf8c/0x1990 [<00000000beb1f838>] do_mount+0xee/0x110 [<000000000e9c41bb>] __x64_sys_mount+0x14b/0x1f0 [<00000000f7bb938e>] do_syscall_64+0x3b/0x90 [<000000003fcd67a9>] entry_SYSCALL_64_after_hwframe+0x63/0xcd

Fixes: c68401011522 ("xfs: expose errortag knobs via sysfs")
Signed-off-by: Zeng Heng
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik
---
fs/xfs/xfs_error.c | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/fs/xfs/xfs_error.c b/fs/xfs/xfs_error.c index 81c445e9489b..b0ccec92e015 100644 --- a/fs/xfs/xfs_error.c +++ b/fs/xfs/xfs_error.c 
@@ -224,13 +224,18 @@ int xfs_errortag_init( struct xfs_mount *mp) { + int ret; + mp->m_errortag = kmem_zalloc(sizeof(unsigned int) * XFS_ERRTAG_MAX, KM_MAYFAIL); if (!mp->m_errortag) return -ENOMEM; - return xfs_sysfs_init(&mp->m_errortag_kobj, &xfs_errortag_ktype, - &mp->m_kobj, "errortag"); + ret = xfs_sysfs_init(&mp->m_errortag_kobj, &xfs_errortag_ktype, + &mp->m_kobj, "errortag"); + if (ret) + kmem_free(mp->m_errortag); + return ret; } void
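Review bot: The new error path frees mp->m_errortag but leaves the pointer set, so any later teardown that frees or reads mp->m_errortag after a failed xfs_errortag_init() would touch freed memory, trading the leak for a possible double free. Suggest adding "mp->m_errortag = NULL;" directly after the kmem_free() call, or confirming in the commit message that no caller runs errortag cleanup when this function returns an error.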
From: Leah Rumancik To: linux-xfs@vger.kernel.org Cc: amir73il@gmail.com, chandan.babu@oracle.com, fred@cloudflare.com, Li Zetao , "Darrick J . Wong" , Leah Rumancik Subject: [PATCH 5.15 CANDIDATE 17/17] xfs: Fix unreferenced object reported by kmemleak in xfs_sysfs_init() Date: Mon, 13 Nov 2023 17:53:38 -0800 Message-ID: <20231114015339.3922119-18-leah.rumancik@gmail.com> X-Mailer: git-send-email 2.43.0.rc0.421.g78406f8d94-goog In-Reply-To: <20231114015339.3922119-1-leah.rumancik@gmail.com> References: <20231114015339.3922119-1-leah.rumancik@gmail.com> MIME-Version: 1.0 Precedence: bulk List-ID: X-Mailing-List: linux-xfs@vger.kernel.org

From: Li Zetao

[ Upstream commit d08af40340cad0e025d643c3982781a8f99d5032 ]

kmemleak reported a sequence of memory leaks, and one of them indicated we failed to free a pointer:

comm "mount", pid 19610, jiffies 4297086464 (age 60.635s) hex dump (first 8 bytes): 73 64 61 00 81 88 ff ff sda..... backtrace: [<00000000d77f3e04>] kstrdup_const+0x46/0x70 [<00000000e51fa804>] kobject_set_name_vargs+0x2f/0xb0 [<00000000247cd595>] kobject_init_and_add+0xb0/0x120 [<00000000f9139aaf>] xfs_mountfs+0x367/0xfc0 [<00000000250d3caf>] xfs_fs_fill_super+0xa16/0xdc0 [<000000008d873d38>] get_tree_bdev+0x256/0x390 [<000000004881f3fa>] vfs_get_tree+0x41/0xf0 [<000000008291ab52>] path_mount+0x9b3/0xdd0 [<0000000022ba8f2d>] __x64_sys_mount+0x190/0x1d0

As mentioned in the kobject_init_and_add() comment, if this function returns an error, kobject_put() must be called to properly clean up the memory associated with the object.

Apparently, xfs_sysfs_init() does not follow such a requirement. When kobject_init_and_add() returns an error, the space of kobj->kobject.name allocated by kstrdup_const() is not freed, which will cause the above stack.

Fix it by adding kobject_put() when kobject_init_and_add returns an error.

Fixes: a31b1d3d89e4 ("xfs: add xfs_mount sysfs kobject")
Signed-off-by: Li Zetao
Reviewed-by: Darrick J. Wong
Signed-off-by: Darrick J. Wong
Signed-off-by: Leah Rumancik --- fs/xfs/xfs_sysfs.h | 7 ++++++- 1 file changed, 6 insertions(+), 1 deletion(-) diff --git a/fs/xfs/xfs_sysfs.h b/fs/xfs/xfs_sysfs.h index 43585850f154..513095e353a5 100644 --- a/fs/xfs/xfs_sysfs.h +++ b/fs/xfs/xfs_sysfs.h @@ -33,10 +33,15 @@ xfs_sysfs_init( const char *name) { struct kobject *parent; + int err; parent = parent_kobj ? &parent_kobj->kobject : NULL; init_completion(&kobj->complete); - return kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name); + err = kobject_init_and_add(&kobj->kobject, ktype, parent, "%s", name); + if (err) + kobject_put(&kobj->kobject); + + return err; } static inline void
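Review bot: With kobject_put() now issued inside xfs_sysfs_init() on failure, a caller that responds to the error by running its own kobject teardown on the same kobj would drop the reference a second time. Because this is a static inline in a header shared by every caller, add a comment above the function stating that on a non-zero return the kobject has already been put and must not be passed to the delete helper that follows. It is also worth noting in that comment that init_completion(&kobj->complete) has to stay ahead of kobject_init_and_add(), since the put on the error path can run the ktype release before this function returns.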