From patchwork Thu Oct 31 06:45:52 2024
X-Patchwork-Submitter: Long Li
X-Patchwork-Id: 13857609
Date: Thu, 31 Oct 2024 14:45:52 +0800
Message-ID: <20241031064553.55283-1-leo.lilong@huawei.com>
X-Mailer: git-send-email 2.39.2
Subject: [f2fs-dev] [PATCH 1/2] f2fs: fix race in concurrent f2fs_stop_gc_thread
From: Long Li
Cc: yi.zhang@huawei.com, lonuxli.64@gmail.com, yangerkun@huawei.com, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, leo.lilong@huawei.com

In my test case, concurrent calls to f2fs shutdown report the following stack trace:

Oops: general protection fault, probably for non-canonical address 0xc6cfff63bb5513fc: 0000 [#1] PREEMPT SMP PTI
CPU: 0 UID: 0 PID: 678 Comm: f2fs_rep_shutdo Not tainted 6.12.0-rc5-next-20241029-g6fb2fa9805c5-dirty #85
Call Trace:
 ? show_regs+0x8b/0xa0
 ? __die_body+0x26/0xa0
 ? die_addr+0x54/0x90
 ? exc_general_protection+0x24b/0x5c0
 ? asm_exc_general_protection+0x26/0x30
 ? kthread_stop+0x46/0x390
 f2fs_stop_gc_thread+0x6c/0x110
 f2fs_do_shutdown+0x309/0x3a0
 f2fs_ioc_shutdown+0x150/0x1c0
 __f2fs_ioctl+0xffd/0x2ac0
 f2fs_ioctl+0x76/0xe0
 vfs_ioctl+0x23/0x60
 __x64_sys_ioctl+0xce/0xf0
 x64_sys_call+0x2b1b/0x4540
 do_syscall_64+0xa7/0x240
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The root cause is a race condition in f2fs_stop_gc_thread() called from different f2fs shutdown paths:

[CPU0]                          [CPU1]
----------------------          -----------------------
f2fs_stop_gc_thread             f2fs_stop_gc_thread
  gc_th = sbi->gc_thread
                                  gc_th = sbi->gc_thread
  kfree(gc_th)
  sbi->gc_thread = NULL
                                  < gc_th != NULL >
                                  kthread_stop(gc_th->f2fs_gc_task) //UAF

The commit c7f114d864ac ("f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()") attempted to fix this issue by using a read semaphore to prevent races between shutdown and remount threads, but it fails to prevent all race conditions. While upgrading to the s_umount write lock in f2fs_do_shutdown() would fix the current issue, using the s_umount lock requires extreme caution to avoid lock recursion. A better solution is to introduce a semaphore to prevent races between concurrent f2fs_stop_gc_thread calls.

Fixes: 7950e9ac638e ("f2fs: stop gc/discard thread after fs shutdown")
Signed-off-by: Long Li
---
 fs/f2fs/f2fs.h  | 1 +
 fs/f2fs/gc.c    | 9 +++++++--
 fs/f2fs/super.c | 1 +
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 3c6f3cce5779..7ae1e2a4789f 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -1679,6 +1679,7 @@ struct f2fs_sb_info { * race between GC and GC or CP */ struct f2fs_gc_kthread *gc_thread; /* GC thread */ + struct semaphore gc_clean_lock; /* semaphore for clean GC thread */ struct atgc_management am; /* atgc management */ unsigned int cur_victim_sec; /* current victim section num */ unsigned int gc_mode; /* current GC state */ diff --git a/fs/f2fs/gc.c b/fs/f2fs/gc.c index e40bdd12e36d..e1b8bf98b5fa 100644 --- a/fs/f2fs/gc.c +++ b/fs/f2fs/gc.c @@ -232,14 +232,19 @@ int f2fs_start_gc_thread(struct f2fs_sb_info *sbi) void f2fs_stop_gc_thread(struct f2fs_sb_info *sbi) { - struct f2fs_gc_kthread *gc_th = sbi->gc_thread; + struct f2fs_gc_kthread *gc_th; - if (!gc_th) + down(&sbi->gc_clean_lock); + gc_th = sbi->gc_thread; + if (!gc_th) { + up(&sbi->gc_clean_lock); return; + } kthread_stop(gc_th->f2fs_gc_task); wake_up_all(&gc_th->fggc_wq); kfree(gc_th); sbi->gc_thread = NULL; + up(&sbi->gc_clean_lock); } static int select_gc_type(struct f2fs_sb_info *sbi, int gc_type) diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 80a53dbf1c38..47a15050ea9c 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c
@@ -4419,6 +4419,7 @@ static int f2fs_fill_super(struct super_block *sb, void *data, int silent) /* initialize locks within allocated memory */ init_f2fs_rwsem(&sbi->gc_lock); + sema_init(&sbi->gc_clean_lock, 1); mutex_init(&sbi->writepages); init_f2fs_rwsem(&sbi->cp_global_sem); init_f2fs_rwsem(&sbi->node_write);
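Review bot: the comment on the new field in the f2fs.h hunk, `/* semaphore for clean GC thread */`, does not say which accesses it guards. The gc.c hunk takes it around the load, the NULL test and the kfree/NULL store of sbi->gc_thread in f2fs_stop_gc_thread(), so a comment along the lines of `/* serializes f2fs_stop_gc_thread() */` would tell the next reader that sbi->gc_thread must not be freed or cleared without holding it. The name gc_clean_lock likewise suggests "cleaning" rather than stopping the thread; a name that matches the function it protects would be clearer.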
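Review bot: the down()/up() pair added in the gc.c hunk only serializes concurrent f2fs_stop_gc_thread() calls against each other. Any path that assigns sbi->gc_thread without holding gc_clean_lock (f2fs_start_gc_thread(), which the hunk header shows immediately above, is the obvious candidate) can still overlap with the kfree()/NULL store here, and PATCH 2/2 removes the s_umount read lock that c7f114d864ac added for the shutdown-vs-remount case. Please either take the lock in the start path too or state in the commit message why start and stop cannot run concurrently. A smaller point on the same hunk: a binary semaphore that is always released by the task that acquired it is what `struct mutex` is for, and a mutex gets lockdep and owner checking that `struct semaphore` does not; if the semaphore was chosen deliberately, the changelog should say why.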
From patchwork Thu Oct 31 06:45:53 2024
X-Patchwork-Submitter: Long Li
X-Patchwork-Id: 13857610
Date: Thu, 31 Oct 2024 14:45:53 +0800
Message-ID: <20241031064553.55283-2-leo.lilong@huawei.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20241031064553.55283-1-leo.lilong@huawei.com>
References: <20241031064553.55283-1-leo.lilong@huawei.com>
Subject: [f2fs-dev] [PATCH 2/2]
 Revert "f2fs: fix to avoid use-after-free in f2fs_stop_gc_thread()"
From: Long Li
Cc: yi.zhang@huawei.com, lonuxli.64@gmail.com, yangerkun@huawei.com, linux-kernel@vger.kernel.org, linux-f2fs-devel@lists.sourceforge.net, leo.lilong@huawei.com

This reverts commit c7f114d864ac91515bb07ac271e9824a20f5ed95.

The race conditions between concurrent f2fs_stop_gc_thread() calls are now protected by a dedicated lock, making the additional s_umount lock protection unnecessary. Therefore, revert this patch.

Signed-off-by: Long Li
---
 fs/f2fs/f2fs.h  |  2 +-
 fs/f2fs/file.c  | 11 ++---------
 fs/f2fs/super.c |  2 +-
 3 files changed, 4 insertions(+), 11 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h index 7ae1e2a4789f..2143604ce416 100644 --- a/fs/f2fs/f2fs.h +++ b/fs/f2fs/f2fs.h @@ -3522,7 +3522,7 @@ int f2fs_setattr(struct mnt_idmap *idmap, struct dentry *dentry, int f2fs_truncate_hole(struct inode *inode, pgoff_t pg_start, pgoff_t pg_end); void f2fs_truncate_data_blocks_range(struct dnode_of_data *dn, int count); int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, - bool readonly, bool need_lock); + bool readonly); int f2fs_precache_extents(struct inode *inode); int f2fs_fileattr_get(struct dentry *dentry, struct fileattr *fa); int f2fs_fileattr_set(struct mnt_idmap *idmap, diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c index 75a8b22da664..5d7b4fdae9c4 100644 --- a/fs/f2fs/file.c +++ b/fs/f2fs/file.c @@ -2318,7 +2318,7 @@ static int f2fs_ioc_abort_atomic_write(struct file *filp) } int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, - bool readonly, bool need_lock) + bool readonly) { struct super_block *sb = sbi->sb; int ret = 0;
@@ -2365,19 +2365,12 @@ int f2fs_do_shutdown(struct f2fs_sb_info *sbi, unsigned int flag, if (readonly) goto out; - /* grab sb->s_umount to avoid racing w/ remount() */ - if (need_lock) - down_read(&sbi->sb->s_umount); - f2fs_stop_gc_thread(sbi); f2fs_stop_discard_thread(sbi); f2fs_drop_discard_cmd(sbi); clear_opt(sbi, DISCARD); - if (need_lock) - up_read(&sbi->sb->s_umount); - f2fs_update_time(sbi, REQ_TIME); out: @@ -2414,7 +2407,7 @@ static int f2fs_ioc_shutdown(struct file *filp, unsigned long arg) } } - ret = f2fs_do_shutdown(sbi, in, readonly, true); + ret = f2fs_do_shutdown(sbi, in, readonly); if (need_drop) mnt_drop_write_file(filp); diff --git a/fs/f2fs/super.c b/fs/f2fs/super.c index 47a15050ea9c..a720fb9ef196 100644 --- a/fs/f2fs/super.c +++ b/fs/f2fs/super.c @@ -2569,7 +2569,7 @@ static int f2fs_remount(struct super_block *sb, int *flags, char *data) static void f2fs_shutdown(struct super_block *sb) { - f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false, false); + f2fs_do_shutdown(F2FS_SB(sb), F2FS_GOING_DOWN_NOSYNC, false); } #ifdef CONFIG_QUOTA
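Review bot: in the file.c hunk at @@ -2365, the removed down_read(&sbi->sb->s_umount)/up_read() pair did not bracket only f2fs_stop_gc_thread(); f2fs_stop_discard_thread(sbi), f2fs_drop_discard_cmd(sbi) and clear_opt(sbi, DISCARD) were inside it as well, and the deleted comment says the lock was there "to avoid racing w/ remount()", not to serialize two shutdown calls. The gc_clean_lock introduced in PATCH 1/2 covers none of those three, so the changelog's statement that the s_umount protection is now unnecessary holds only for the GC-thread part. Please either keep the read lock around the discard teardown or explain in the commit message why remount cannot race with it.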
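Review bot: the f2fs.h and super.c hunks drop the need_lock parameter, so f2fs_ioc_shutdown() (which passed true) and f2fs_shutdown() (which passed false) now follow the same path through f2fs_do_shutdown(). That is fine as far as the gc-thread race goes, but the commit message should name the lock it relies on (gc_clean_lock from PATCH 1/2) and note that this revert must not be applied or backported without that patch, since on its own it reintroduces the use-after-free that c7f114d864ac was addressing.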