hollalinux
/
linux-sg2042
mirror of https://github.com/sophgo/linux-riscv.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
linux-sg2042/fs
History
Andreas Gruenbacher 9287c6452d gfs2: Fix occasional glock use-after-free 
This patch has to do with the life cycle of glocks and buffers.  When
gfs2 metadata or journaled data is queued to be written, a gfs2_bufdata
object is assigned to track the buffer, and that is queued to various
lists, including the glock's gl_ail_list to indicate it's on the active
items list.  Once the page associated with the buffer has been written,
it is removed from the ail list, but its life isn't over until a revoke
has been successfully written.

So after the block is written, its bufdata object is moved from the
glock's gl_ail_list to a file-system-wide list of pending revokes,
sd_log_le_revoke.  At that point the glock still needs to track how many
revokes it contributed to that list (in gl_revokes) so that things like
glock go_sync can ensure all the metadata has been not only written, but
also revoked before the glock is granted to a different node.  This is
to guarantee journal replay doesn't replay the block once the glock has
been granted to another node.

Ross Lagerwall recently discovered a race in which an inode could be
evicted, and its glock freed after its ail list had been synced, but
while it still had unwritten revokes on the sd_log_le_revoke list.  The
evict decremented the glock reference count to zero, which allowed the
glock to be freed.  After the revoke was written, function
revoke_lo_after_commit tried to adjust the glock's gl_revokes counter
and clear its GLF_LFLUSH flag, at which time it referenced the freed
glock.

This patch fixes the problem by incrementing the glock reference count
in gfs2_add_revoke when the glock's first bufdata object is moved from
the glock to the global revokes list. Later, when the glock's last such
bufdata object is freed, the reference count is decremented. This
guarantees that whichever process finishes last (the revoke writing or
the evict) will properly free the glock, and neither will reference the
glock after it has been freed.

Reported-by: Ross Lagerwall <ross.lagerwall@citrix.com>
Signed-off-by: Andreas Gruenbacher <agruenba@redhat.com>
Signed-off-by: Bob Peterson <rpeterso@redhat.com>
 		2019-05-07 23:39:14 +02:00
..
9p 9p: switch to ->free_inode() 2019-05-01 22:43:23 -04:00
adfs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
affs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
afs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
autofs autofs: fix use-after-free in lockless ->d_manage() 2019-04-09 19:18:19 -04:00
befs befs: switch to ->free_inode() 2019-05-01 22:43:23 -04:00
bfs bfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
btrfs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
cachefiles fscache, cachefiles: remove redundant variable 'cache' 2018-11-30 16:00:58 +00:00
ceph Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
cifs Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
coda coda: switch to ->free_inode() 2019-05-01 22:43:26 -04:00
configfs fs: mark expected switch fall-throughs 2019-04-08 18:21:02 -05:00
cramfs Make the Cramfs code more robust against filesystem corruptions, 2018-10-30 12:46:25 -07:00
crypto crypto: shash - remove shash_desc::flags 2019-04-25 15:38:12 +08:00
debugfs debugfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
devpts fs/devpts: always delete dcache dentry-s in dput() 2019-01-24 13:38:30 -05:00
dlm socket: Rename SO_RCVTIMEO/ SO_SNDTIMEO with _OLD suffixes 2019-02-03 11:17:31 -08:00
ecryptfs Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
efivarfs
efs efs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
exportfs exportfs: do not read dentry after free 2018-11-23 09:08:17 -05:00
ext2 ext2: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
ext4 Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
f2fs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
fat fat: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
freevxfs freevxfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
fscache fscache: fix race between enablement and dropping of object 2018-11-30 15:57:31 +00:00
fuse Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
gfs2 gfs2: Fix occasional glock use-after-free 2019-05-07 23:39:14 +02:00
hfs hfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
hfsplus hfsplus: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
hostfs hostfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
hpfs hpfs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
hugetlbfs hugetlb: make use of ->free_inode() 2019-05-01 22:43:27 -04:00
isofs isofs: switch to ->free_inode() 2019-05-01 22:43:24 -04:00
jbd2 jbd2: jbd2_get_transaction does not need to return a value 2019-03-01 00:36:57 -05:00
jffs2 Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
jfs Several minor jfs fixes 2019-05-07 11:37:27 -07:00
kernfs Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-12 14:08:19 -07:00
lockd NFS: fix mount/umount race in nlmclnt. 2019-03-18 22:39:34 -04:00
minix minix: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
nfs Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
nfs_common
nfsd Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
nilfs2 nilfs2: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
nls
notify pidfd patches for v5.2-rc1 2019-05-07 12:30:24 -07:00
ntfs ntfs: switch to ->free_inode() 2019-05-01 22:43:26 -04:00
ocfs2 Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
omfs
openpromfs openpromfs: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
orangefs orangefs: make use of ->free_inode() 2019-05-01 22:43:27 -04:00
overlayfs overlayfs: make use of ->free_inode() 2019-05-01 22:43:27 -04:00
proc Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
pstore treewide: Switch printk users from %pf and %pF to %ps and %pS, respectively 2019-04-09 14:19:06 +02:00
qnx4 qnx4: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
qnx6 qnx6: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
quota quota: Lock s_umount in exclusive mode for Q_XQUOTA{ON,OFF} quotactls. 2018-12-18 18:29:15 +01:00
ramfs
reiserfs reiserfs: convert to ->free_inode() 2019-05-01 22:43:25 -04:00
romfs romfs: convert to ->free_inode() 2019-05-01 22:43:25 -04:00
squashfs squashfs: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
sysfs Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-16 10:31:02 -07:00
sysv sysv: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
tracefs
ubifs Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
udf udf: switch to ->free_inode() 2019-05-01 22:43:25 -04:00
ufs Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
xfs xfs: change some error-less functions to void types 2019-05-01 20:26:30 -07:00
Kconfig Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-12 14:08:19 -07:00
Kconfig.binfmt
Makefile Make anon_inodes unconditional 2019-04-19 14:03:11 +02:00
aio.c aio: use kmem_cache_free() instead of kfree() 2019-04-04 20:13:59 -04:00
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c a.out: remove core dumping support 2019-03-05 10:00:35 -08:00
binfmt_elf.c fs/binfmt_elf.c: spread const a little 2019-03-07 18:32:01 -08:00
binfmt_elf_fdpic.c
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c exec: load_script: Do not exec truncated interpreter path 2019-02-18 16:49:36 -08:00
block_dev.c Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
buffer.c iomap: Fix use-after-free error in page_done callback 2019-05-01 07:47:37 -07:00
char_dev.c
compat.c
compat_binfmt_elf.c
compat_ioctl.c media updates for v4.20-rc1 2018-10-29 14:29:58 -07:00
coredump.c
d_path.c
dax.c fs/dax: Deposit pagetable even when installing zero page 2019-03-13 13:58:46 -07:00
dcache.c dcache: sort the freeing-without-RCU-delay mess for good. 2019-04-09 19:18:04 -04:00
dcookies.c
direct-io.c block: allow bio_for_each_segment_all() to iterate over multi-page bvec 2019-02-15 08:40:11 -07:00
drop_caches.c fs/drop_caches.c: avoid softlockups in drop_pagecache_sb() 2019-02-01 15:46:24 -08:00
eventfd.c
eventpoll.c epoll: use rwlock in order to reduce ep_poll_callback() contention 2019-03-07 18:32:01 -08:00
exec.c exec: increase BINPRM_BUF_SIZE to 256 2019-03-07 18:32:01 -08:00
fcntl.c fs: mark expected switch fall-throughs 2019-04-08 18:21:02 -05:00
fhandle.c
file.c io_uring-2019-03-06 2019-03-08 14:48:40 -08:00
file_table.c fs: add fget_many() and fput_many() 2019-02-28 08:24:23 -07:00
filesystems.c vfs: Implement a filesystem superblock creation/configuration context 2019-02-28 03:29:26 -05:00
fs-writeback.c writeback: synchronize sync(2) against cgroup writeback membership switches 2019-01-22 14:39:38 -07:00
fs_context.c vfs: Implement logging through fs_context 2019-02-28 03:29:37 -05:00
fs_parser.c fs: fs_parser: fix printk format warning 2019-03-29 10:01:38 -07:00
fs_pin.c
fs_struct.c
fs_types.c fs: common implementation of file type 2019-01-21 17:48:13 +01:00
inode.c Merge branch 'work.icache' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-05-07 10:57:05 -07:00
internal.h Changes for Linux 5.2: 2019-05-07 11:43:32 -07:00
io_uring.c io_uring: avoid page allocation warnings 2019-05-01 10:00:25 -06:00
ioctl.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
iomap.c iomap: move iomap_read_inline_data around 2019-05-01 20:16:40 -07:00
libfs.c fs: mark expected switch fall-throughs 2019-04-08 18:21:02 -05:00
locks.c Wimplicit-fallthrough patches for 5.2-rc1 2019-05-07 12:48:10 -07:00
mbcache.c
mount.h saner handling of temporary namespaces 2019-01-30 17:44:07 -05:00
mpage.c block: allow bio_for_each_segment_all() to iterate over multi-page bvec 2019-02-15 08:40:11 -07:00
namei.c Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-12 14:08:19 -07:00
namespace.c Merge branch 'work.mount' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2019-03-12 14:08:19 -07:00
no-block.c
nsfs.c dcache: sort the freeing-without-RCU-delay mess for good. 2019-04-09 19:18:04 -04:00
open.c vfs: pass ppos=NULL to .read()/.write() of FMODE_STREAM files 2019-05-06 17:46:52 +03:00
pipe.c Merge branch 'page-refs' (page ref overflow) 2019-04-14 15:09:40 -07:00
pnode.c separate copying and locking mount tree on cross-userns copies 2019-01-30 17:14:50 -05:00
pnode.h separate copying and locking mount tree on cross-userns copies 2019-01-30 17:14:50 -05:00
posix_acl.c
proc_namespace.c
read_write.c vfs: pass ppos=NULL to .read()/.write() of FMODE_STREAM files 2019-05-06 17:46:52 +03:00
readdir.c Remove 'type' argument from access_ok() function 2019-01-03 18:57:57 -08:00
select.c y2038: syscalls: rename y2038 compat syscalls 2019-02-07 00:13:27 +01:00
seq_file.c fs: mark expected switch fall-throughs 2019-04-08 18:21:02 -05:00
signalfd.c fs: mark expected switch fall-throughs 2019-04-08 18:21:02 -05:00
splice.c There tracing fixes: 2019-04-26 11:09:55 -07:00
stack.c
stat.c fs: move generic stat response attr handling to vfs_getattr_nosec 2019-02-01 01:55:45 -05:00
statfs.c vfs: add vfs_get_fsid() helper 2019-02-07 16:38:35 +01:00
super.c [fix] get rid of checking for absent device name in vfs_get_tree() 2019-04-28 21:34:21 -04:00
sync.c
timerfd.c y2038: syscalls: rename y2038 compat syscalls 2019-02-07 00:13:27 +01:00
userfaultfd.c coredump: fix race condition between mmget_not_zero()/get_task_mm() and core dumping 2019-04-19 09:46:05 -07:00
utimes.c y2038: syscalls: rename y2038 compat syscalls 2019-02-07 00:13:27 +01:00
xattr.c