Home Home > GIT Browse > SLE12-SP5-AZURE
summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorLuis Henriques <lhenriques@suse.com>2019-08-27 11:51:08 +0100
committerLuis Henriques <lhenriques@suse.com>2019-09-05 10:08:48 +0100
commitb8a1b4b45f0335e96904c21ec715cd54da1f623b (patch)
treeb8b3d74ca695f0fa079fe279d3ca97875ed2b43a
parent0277eb4e40f0e4a9e0f60d977e7aedf577fc3c95 (diff)
ceph: fix buffer free while holding i_ceph_lock in
__ceph_build_xattrs_blob() (bsc#1148133).
-rw-r--r--patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch157
-rw-r--r--series.conf1
2 files changed, 158 insertions, 0 deletions
diff --git a/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
new file mode 100644
index 0000000000..0dcc0e0edf
--- /dev/null
+++ b/patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
@@ -0,0 +1,157 @@
+From: Luis Henriques <lhenriques@suse.com>
+Date: Fri, 19 Jul 2019 15:32:21 +0100
+Subject: ceph: fix buffer free while holding i_ceph_lock in
+ __ceph_build_xattrs_blob()
+Git-commit: 12fe3dda7ed89c95cc0ef7abc001ad1ad3e092f8
+Patch-mainline: v5.3-rc6
+References: bsc#1148133
+
+Calling ceph_buffer_put() in __ceph_build_xattrs_blob() may result in
+freeing the i_xattrs.blob buffer while holding the i_ceph_lock. This can
+be fixed by having this function returning the old blob buffer and have
+the callers of this function freeing it when the lock is released.
+
+The following backtrace was triggered by fstests generic/117.
+
+ BUG: sleeping function called from invalid context at mm/vmalloc.c:2283
+ in_atomic(): 1, irqs_disabled(): 0, pid: 649, name: fsstress
+ 4 locks held by fsstress/649:
+ #0: 00000000a7478e7e (&type->s_umount_key#19){++++}, at: iterate_supers+0x77/0xf0
+ #1: 00000000f8de1423 (&(&ci->i_ceph_lock)->rlock){+.+.}, at: ceph_check_caps+0x7b/0xc60
+ #2: 00000000562f2b27 (&s->s_mutex){+.+.}, at: ceph_check_caps+0x3bd/0xc60
+ #3: 00000000f83ce16a (&mdsc->snap_rwsem){++++}, at: ceph_check_caps+0x3ed/0xc60
+ CPU: 1 PID: 649 Comm: fsstress Not tainted 5.2.0+ #439
+ Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.12.1-0-ga5cab58-prebuilt.qemu.org 04/01/2014
+ Call Trace:
+ dump_stack+0x67/0x90
+ ___might_sleep.cold+0x9f/0xb1
+ vfree+0x4b/0x60
+ ceph_buffer_release+0x1b/0x60
+ __ceph_build_xattrs_blob+0x12b/0x170
+ __send_cap+0x302/0x540
+ ? __lock_acquire+0x23c/0x1e40
+ ? __mark_caps_flushing+0x15c/0x280
+ ? _raw_spin_unlock+0x24/0x30
+ ceph_check_caps+0x5f0/0xc60
+ ceph_flush_dirty_caps+0x7c/0x150
+ ? __ia32_sys_fdatasync+0x20/0x20
+ ceph_sync_fs+0x5a/0x130
+ iterate_supers+0x8f/0xf0
+ ksys_sync+0x4f/0xb0
+ __ia32_sys_sync+0xa/0x10
+ do_syscall_64+0x50/0x1c0
+ entry_SYSCALL_64_after_hwframe+0x49/0xbe
+ RIP: 0033:0x7fc6409ab617
+
+Signed-off-by: Luis Henriques <lhenriques@suse.com>
+Reviewed-by: Jeff Layton <jlayton@kernel.org>
+Signed-off-by: Ilya Dryomov <idryomov@gmail.com>
+---
+ fs/ceph/caps.c | 5 ++++-
+ fs/ceph/snap.c | 4 +++-
+ fs/ceph/super.h | 2 +-
+ fs/ceph/xattr.c | 11 ++++++++---
+ 4 files changed, 16 insertions(+), 6 deletions(-)
+
+--- a/fs/ceph/caps.c
++++ b/fs/ceph/caps.c
+@@ -1290,6 +1290,7 @@ static int __send_cap(struct ceph_mds_cl
+ {
+ struct ceph_inode_info *ci = cap->ci;
+ struct inode *inode = &ci->vfs_inode;
++ struct ceph_buffer *old_blob = NULL;
+ struct cap_msg_args arg;
+ int held, revoking;
+ int wake = 0;
+@@ -1354,7 +1355,7 @@ static int __send_cap(struct ceph_mds_cl
+ ci->i_requested_max_size = arg.max_size;
+
+ if (flushing & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ arg.xattr_version = ci->i_xattrs.version;
+ arg.xattr_buf = ci->i_xattrs.blob;
+ } else {
+@@ -1389,6 +1390,8 @@ static int __send_cap(struct ceph_mds_cl
+
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
++
+ ret = send_cap_msg(&arg);
+ if (ret < 0) {
+ dout("error sending cap msg, must requeue %p\n", inode);
+--- a/fs/ceph/snap.c
++++ b/fs/ceph/snap.c
+@@ -459,6 +459,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ struct inode *inode = &ci->vfs_inode;
+ struct ceph_cap_snap *capsnap;
+ struct ceph_snap_context *old_snapc, *new_snapc;
++ struct ceph_buffer *old_blob = NULL;
+ int used, dirty;
+
+ capsnap = kzalloc(sizeof(*capsnap), GFP_NOFS);
+@@ -535,7 +536,7 @@ void ceph_queue_cap_snap(struct ceph_ino
+ capsnap->gid = inode->i_gid;
+
+ if (dirty & CEPH_CAP_XATTR_EXCL) {
+- __ceph_build_xattrs_blob(ci);
++ old_blob = __ceph_build_xattrs_blob(ci);
+ capsnap->xattr_blob =
+ ceph_buffer_get(ci->i_xattrs.blob);
+ capsnap->xattr_version = ci->i_xattrs.version;
+@@ -578,6 +579,7 @@ update_snapc:
+ }
+ spin_unlock(&ci->i_ceph_lock);
+
++ ceph_buffer_put(old_blob);
+ kfree(capsnap);
+ ceph_put_snap_context(old_snapc);
+ }
+--- a/fs/ceph/super.h
++++ b/fs/ceph/super.h
+@@ -895,7 +895,7 @@ extern int ceph_getattr(const struct pat
+ int __ceph_setxattr(struct inode *, const char *, const void *, size_t, int);
+ ssize_t __ceph_getxattr(struct inode *, const char *, void *, size_t);
+ extern ssize_t ceph_listxattr(struct dentry *, char *, size_t);
+-extern void __ceph_build_xattrs_blob(struct ceph_inode_info *ci);
++extern struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci);
+ extern void __ceph_destroy_xattrs(struct ceph_inode_info *ci);
+ extern void __init ceph_xattr_init(void);
+ extern void ceph_xattr_exit(void);
+--- a/fs/ceph/xattr.c
++++ b/fs/ceph/xattr.c
+@@ -754,12 +754,15 @@ static int __get_required_blob_size(stru
+
+ /*
+ * If there are dirty xattrs, reencode xattrs into the prealloc_blob
+- * and swap into place.
++ * and swap into place. It returns the old i_xattrs.blob (or NULL) so
++ * that it can be freed by the caller as the i_ceph_lock is likely to be
++ * held.
+ */
+-void __ceph_build_xattrs_blob(struct ceph_inode_info *ci)
++struct ceph_buffer *__ceph_build_xattrs_blob(struct ceph_inode_info *ci)
+ {
+ struct rb_node *p;
+ struct ceph_inode_xattr *xattr = NULL;
++ struct ceph_buffer *old_blob = NULL;
+ void *dest;
+
+ dout("__build_xattrs_blob %p\n", &ci->vfs_inode);
+@@ -790,12 +793,14 @@ void __ceph_build_xattrs_blob(struct cep
+ dest - ci->i_xattrs.prealloc_blob->vec.iov_base;
+
+ if (ci->i_xattrs.blob)
+- ceph_buffer_put(ci->i_xattrs.blob);
++ old_blob = ci->i_xattrs.blob;
+ ci->i_xattrs.blob = ci->i_xattrs.prealloc_blob;
+ ci->i_xattrs.prealloc_blob = NULL;
+ ci->i_xattrs.dirty = false;
+ ci->i_xattrs.version++;
+ }
++
++ return old_blob;
+ }
+
+ static inline int __get_request_mask(struct inode *in) {
diff --git a/series.conf b/series.conf
index 7da3c785a6..cc2d427a2d 100644
--- a/series.conf
+++ b/series.conf
@@ -24128,6 +24128,7 @@
patches.suse/drm-mediatek-mtk_drm_drv.c-Add-of_node_put-before-go.patch
patches.suse/libceph-allow-ceph_buffer_put-to-receive-a-null-ceph_buffer.patch
patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_setxattr.patch
+ patches.suse/ceph-fix-buffer-free-while-holding-i_ceph_lock-in-_ceph_build_xattrs_blob.patch
patches.suse/vfs-fix-page-locking-deadlocks-when-deduping-files.patch
patches.suse/fs-xfs-Fix-return-code-of-xfs_break_leased_layouts.patch
patches.suse/Revert-dm-bufio-fix-deadlock-with-loop-device.patch