linux-stable/fs
Dave Wysochanski 37f0b459c9 fscache: Fix oops due to race with cookie_lru and use_cookie
[ Upstream commit b5b52de321 ]

If a cookie expires from the LRU and the LRU_DISCARD flag is set, but
the state machine has not run yet, it's possible another thread can call
fscache_use_cookie and begin to use it.

When the cookie_worker finally runs, it will see the LRU_DISCARD flag
set, transition the cookie->state to LRU_DISCARDING, which will then
withdraw the cookie.  Once the cookie is withdrawn and the object is removed,
the below oops will occur because the object associated with the cookie
is now NULL.

Fix the oops by clearing the LRU_DISCARD bit if another thread uses the
cookie before the cookie_worker runs.

  BUG: kernel NULL pointer dereference, address: 0000000000000008
  ...
  CPU: 31 PID: 44773 Comm: kworker/u130:1 Tainted: G     E    6.0.0-5.dneg.x86_64 #1
  Hardware name: Google Compute Engine/Google Compute Engine, BIOS Google 08/26/2022
  Workqueue: events_unbound netfs_rreq_write_to_cache_work [netfs]
  RIP: 0010:cachefiles_prepare_write+0x28/0x90 [cachefiles]
  ...
  Call Trace:
    netfs_rreq_write_to_cache_work+0x11c/0x320 [netfs]
    process_one_work+0x217/0x3e0
    worker_thread+0x4a/0x3b0
    kthread+0xd6/0x100

Fixes: 12bb21a29c ("fscache: Implement cookie user counting and resource pinning")
Reported-by: Daire Byrne <daire.byrne@gmail.com>
Signed-off-by: Dave Wysochanski <dwysocha@redhat.com>
Signed-off-by: David Howells <dhowells@redhat.com>
Tested-by: Daire Byrne <daire@dneg.com>
Link: https://lore.kernel.org/r/20221117115023.1350181-1-dwysocha@redhat.com/ # v1
Link: https://lore.kernel.org/r/20221117142915.1366990-1-dwysocha@redhat.com/ # v2
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-12-14 11:40:51 +01:00
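The race the commit message describes can be replayed deterministically in userspace. The following is an added example, not fscache's code and not taken from the commit: the struct, flag and state names are simplified stand-ins for the kernel's cookie, its LRU_DISCARD flag and its LRU_DISCARDING/withdrawn states, and the interleaving (expire, use_cookie, worker, write) is scripted in one thread rather than raced by two. The `fixed` switch applies the commit's fix, clearing the pending discard bit when a new user takes the cookie before the worker runs.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Simplified stand-ins (assumed names, not the kernel's identifiers). */
#define COOKIE_LRU_DISCARD (1u << 0)   /* the "LRU_DISCARD" flag of the commit message */

enum cookie_state {
	COOKIE_STATE_ACTIVE,
	COOKIE_STATE_LRU_DISCARDING,
	COOKIE_STATE_WITHDRAWN,
};

/* What the cache backend's prepare_write() dereferences through the cookie. */
struct cache_object { int backing_fd; };

struct cookie {
	unsigned int flags;
	enum cookie_state state;
	int n_active;                 /* users currently pinning the cookie */
	struct cache_object *object;  /* NULL once the cookie is withdrawn */
	bool fixed;                   /* apply the commit's fix in use_cookie()? */
};

/* LRU expiry: only marks the cookie for discard and (in the kernel) queues
 * the worker.  Nothing is torn down here; the state machine does that later. */
static void cookie_lru_expire(struct cookie *c)
{
	c->flags |= COOKIE_LRU_DISCARD;
}

/* Model of fscache_use_cookie(): a new user pins the cookie.
 * Unfixed: the pending LRU_DISCARD survives, so the worker will still withdraw.
 * Fixed: the pending discard is cancelled because the cookie is in use again. */
static void use_cookie(struct cookie *c)
{
	c->n_active++;
	if (c->fixed && (c->flags & COOKIE_LRU_DISCARD))
		c->flags &= ~COOKIE_LRU_DISCARD;
}

/* Model of the cookie_worker state machine acting on a pending discard. */
static void cookie_worker(struct cookie *c)
{
	if (c->flags & COOKIE_LRU_DISCARD) {
		c->flags &= ~COOKIE_LRU_DISCARD;
		c->state = COOKIE_STATE_LRU_DISCARDING;
		c->object = NULL;                 /* withdraw: object is gone */
		c->state = COOKIE_STATE_WITHDRAWN;
	}
}

/* Model of cachefiles_prepare_write(): needs the object.  Instead of
 * dereferencing NULL (the oops in the trace above) it reports the condition. */
static int prepare_write(const struct cookie *c)
{
	if (c->object == NULL)
		return -1;                        /* would be the NULL-pointer oops */
	return c->object->backing_fd;
}

/* Replay the interleaving from the commit message:
 * expire -> use_cookie -> worker runs -> the user writes through the cookie.
 * Returns 0 if the write went through, -1 if it would have oopsed. */
int replay_race(bool fixed)
{
	struct cache_object obj = { .backing_fd = 7 };   /* constructed sample object */
	struct cookie c = { .state = COOKIE_STATE_ACTIVE, .object = &obj, .fixed = fixed };

	cookie_lru_expire(&c);   /* cookie falls off the LRU; worker has not run yet */
	use_cookie(&c);          /* another thread starts using it in the window */
	cookie_worker(&c);       /* worker finally runs and sees the flag */
	return prepare_write(&c) < 0 ? -1 : 0;
}

/* Control: the worker runs before anyone reuses the cookie, so the pending
 * discard is legitimately acted on and the cookie is withdrawn.  Returns the
 * resulting state so the two orderings can be compared. */
int replay_no_reuse(bool fixed)
{
	struct cache_object obj = { .backing_fd = 7 };
	struct cookie c = { .state = COOKIE_STATE_ACTIVE, .object = &obj, .fixed = fixed };

	cookie_lru_expire(&c);
	cookie_worker(&c);
	return c.state;
}

int main(void)
{
	printf("race, unfixed: %s\n", replay_race(false) ? "oops" : "ok");
	printf("race, fixed:   %s\n", replay_race(true) ? "oops" : "ok");
	return 0;
}
```

The point the model makes is that the flag and the state machine are decoupled: expiry sets a bit, and the teardown happens whenever the worker gets scheduled. Any path that re-pins the cookie in that window has to cancel the bit itself, which is exactly what the fix does, and the control ordering shows that an unreused cookie is still withdrawn normally with the fix applied.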
9p 9p: Fix some kernel-doc comments 2022-07-02 18:52:21 +09:00
adfs
affs affs: use memcpy_to_page and remove replace kmap_atomic() 2022-08-01 19:53:31 +02:00
afs afs: Fix server->active leak in afs_put_server 2022-12-08 11:30:18 +01:00
autofs autofs: remove unused ino field inode 2022-07-17 17:31:42 -07:00
befs befs: Convert befs_symlink_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
bfs
btrfs btrfs: send: avoid unaligned encoded writes when attempting to clone range 2022-12-14 11:40:48 +01:00
cachefiles cachefiles: make on-demand request distribution fairer 2022-08-31 16:41:10 +01:00
ceph ceph: fix NULL pointer dereference for req->r_session 2022-12-02 17:42:59 +01:00
cifs cifs: Use after free in debug code 2022-12-02 17:43:10 +01:00
coda coda: Convert coda_symlink_filler() to use a folio 2022-08-02 12:34:03 -04:00
configfs
cramfs cramfs: read_mapping_page() is synchronous 2022-08-02 12:34:02 -04:00
crypto fscrypt: fix keyring memory leak on mount failure 2022-11-10 18:17:30 +01:00
debugfs debugfs: add debugfs_lookup_and_remove() 2022-09-05 13:02:34 +02:00
devpts
dlm fs: dlm: fix race in lowcomms 2022-10-21 12:39:02 +02:00
ecryptfs
efivarfs efi: efivars: Fix variable writes without query_variable_store() 2022-10-26 12:22:57 +02:00
efs
erofs erofs: fix missing xas_retry() in fscache mode 2022-11-26 09:27:36 +01:00
exfat exfat: fix overflow for large capacity partition 2022-09-04 09:38:40 +09:00
exportfs
ext2 ext2: Use kvmalloc() for group descriptor array 2022-10-21 12:39:25 +02:00
ext4 ext4: fix use-after-free in ext4_ext_shift_extents 2022-12-02 17:43:10 +01:00
f2fs ext4,f2fs: fix readahead of verity data 2022-11-10 18:17:39 +01:00
fat Updates to various subsystems which I help look after. lib, ocfs2, 2022-08-07 10:03:24 -07:00
freevxfs freevxfs: Convert vxfs_immed_read_folio() to use a folio 2022-08-02 12:34:03 -04:00
fscache fscache: Fix oops due to race with cookie_lru and use_cookie 2022-12-14 11:40:51 +01:00
fuse fuse: lock inode unconditionally in fuse_fallocate() 2022-12-02 17:43:16 +01:00
gfs2 gfs2: Switch from strlcpy to strscpy 2022-11-26 09:27:55 +01:00
hfs hfs: Remove check for PageError 2022-06-29 08:51:06 -04:00
hfsplus Folio changes for 6.0 2022-08-03 10:35:43 -07:00
hostfs hostfs: Handle page write errors correctly 2022-08-02 12:34:02 -04:00
hpfs
hugetlbfs hugetlbfs: don't delete error page from pagecache 2022-11-26 09:27:22 +01:00
iomap iomap: iomap: fix memory corruption when recording errors during writeback 2022-10-21 12:38:36 +02:00
isofs fs/buffer: Combine two submit_bh() and ll_rw_block() arguments 2022-07-14 12:14:32 -06:00
jbd2 jbd2: add miss release buffer head in fc_do_one_pass() 2022-10-21 12:37:49 +02:00
jffs2 This pull request contains fixes for JFFS2, UBI and UBIFS 2022-06-03 14:42:24 -07:00
jfs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
kernfs kernfs: fix use-after-free in __kernfs_remove 2022-11-04 00:00:24 +09:00
ksmbd vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-08 11:30:16 +01:00
lockd lockd: detect and reject lock arguments that overflow 2022-08-04 10:28:48 -04:00
minix
netfs netfs: Fix dodgy maths 2022-11-26 09:27:38 +01:00
nfs NFSv4: Retry LOCK on OLD_STATEID during delegation return 2022-11-26 09:27:18 +01:00
nfs_common
nfsd vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-08 11:30:16 +01:00
nilfs2 nilfs2: fix NULL pointer dereference in nilfs_palloc_commit_free_entry() 2022-12-08 11:30:19 +01:00
nls
notify fsnotify: Fix comment typo 2022-07-26 13:38:47 +02:00
ntfs ntfs: check overflow when iterating ATTR_RECORDs 2022-11-26 09:27:56 +01:00
ntfs3 ntfs3: rework xattr handlers and switch to POSIX ACL VFS helpers 2022-10-21 12:37:59 +02:00
ocfs2 ocfs2: fix BUG when iput after ocfs2_mknod fails 2022-10-29 10:08:29 +02:00
omfs
openpromfs
orangefs orangefs: Remove test for folio error 2022-06-29 08:51:07 -04:00
overlayfs acl: handle idmapped mounts for idmapped filesystems 2022-08-17 11:23:31 +02:00
proc mm: /proc/pid/smaps_rollup: fix no vma's null-deref 2022-10-29 10:08:36 +02:00
pstore Revert "pstore: migrate to crypto acomp interface" 2022-09-30 08:16:06 -07:00
qnx4
qnx6
quota quota: Check next/prev free block number after reading from quota file 2022-10-21 12:37:37 +02:00
ramfs
reiserfs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
romfs
smbfs_common Add various fsctl structs 2022-05-23 20:24:12 -05:00
squashfs squashfs: fix buffer release race condition in readahead code 2022-11-04 00:00:19 +09:00
sysfs
sysv Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
tracefs tracefs: Only clobber mode/uid/gid on remount if asked 2022-09-08 17:10:54 -04:00
ubifs - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
udf udf: Fix a slab-out-of-bounds write bug in udf_find_entry() 2022-11-16 10:04:09 +01:00
ufs Folio changes for 6.0 2022-08-03 10:35:43 -07:00
unicode
vboxsf
verity fs-verity: mention btrfs support 2022-07-15 23:42:30 -07:00
xfs fs: record I_DIRTY_TIME even if inode already has I_DIRTY_INODE 2022-10-21 12:37:47 +02:00
zonefs zonefs: fix zone report size in __zonefs_io_error() 2022-12-02 17:43:15 +01:00
aio.c iov_iter work, part 1 - isolated cleanups and optimizations. 2022-08-03 13:50:22 -07:00
anon_inodes.c
attr.c vfs: Check the truncate maximum size in inode_newsize_ok() 2022-08-08 10:39:29 -07:00
bad_inode.c
binfmt_aout.c
binfmt_elf.c fs/binfmt_elf: Fix memory leak in load_elf_binary() 2022-11-04 00:00:20 +09:00
binfmt_elf_fdpic.c
binfmt_elf_test.c
binfmt_flat.c
binfmt_misc.c
binfmt_script.c
buffer.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-26 09:27:56 +01:00
char_dev.c
compat_binfmt_elf.c
coredump.c fix coredump breakage 2022-10-12 09:39:04 +02:00
d_path.c
dax.c Merge branch 'for-6.0/dax' into libnvdimm-fixes 2022-09-24 18:14:12 -07:00
dcache.c dcache: move the DCACHE_OP_COMPARE case out of the __d_lookup_rcu loop 2022-08-17 14:33:03 -07:00
direct-io.c iov_iter: advancing variants of iov_iter_get_pages{,_alloc}() 2022-08-08 22:37:22 -04:00
drop_caches.c
eventfd.c eventfd: guard wake_up in eventfd fs calls as well 2022-10-21 12:38:47 +02:00
eventpoll.c epoll: autoremove wakers even more aggressively 2022-07-17 17:31:40 -07:00
exec.c exec: Copy oldsighand->action under spin-lock 2022-11-04 00:00:21 +09:00
fcntl.c keep iocb_flags() result cached in struct file 2022-06-10 16:10:23 -04:00
fhandle.c
file.c fs: use acquire ordering in __fget_light() 2022-12-14 11:40:46 +01:00
file_table.c locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
filesystems.c
fs-writeback.c fs: do not update freeing inode i_io_list 2022-12-02 17:43:07 +01:00
fs_context.c
fs_parser.c
fs_pin.c
fs_struct.c
fs_types.c
fsopen.c
init.c
inode.c fs: fix UAF/GPF bug in nilfs_mdt_destroy 2022-10-12 09:39:03 +02:00
internal.h locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
ioctl.c
Kconfig mm: hugetlb_vmemmap: introduce the name HVO 2022-08-08 18:06:42 -07:00
Kconfig.binfmt m68knommu: changes for linux 5.19 2022-05-30 10:56:18 -07:00
kernel_read_file.c fs/kernel_read_file: allow to read files up-to ssize_t 2022-06-16 19:58:21 -07:00
libfs.c
locks.c locks: Fix dropped call to ->fl_release_private() 2022-08-17 15:08:58 -04:00
Makefile io_uring: move to separate directory 2022-07-24 18:39:10 -06:00
mbcache.c mbcache: Avoid nesting of cache->c_list_lock under bit locks 2022-10-21 12:37:37 +02:00
mount.h switch try_to_unlazy_next() to __legitimize_mnt() 2022-07-05 16:18:21 -04:00
mpage.c Folio changes for 6.0 2022-08-03 10:35:43 -07:00
namei.c mm: fs: initialize fsdata passed to write_begin/write_end interface 2022-11-26 09:27:56 +01:00
namespace.c fs: require CAP_SYS_ADMIN in target namespace for idmapped mounts 2022-08-17 11:27:11 +02:00
no-block.c
nsfs.c
open.c locks: fix TOCTOU race when granting write lease 2022-10-21 12:38:31 +02:00
pipe.c Not a lot of material this cycle. Many singleton patches against various 2022-05-27 11:22:03 -07:00
pnode.c
pnode.h
posix_acl.c acl: return EOPNOTSUPP in posix_acl_fix_xattr_common() 2022-10-21 12:37:59 +02:00
proc_namespace.c vfs: escape hash as well 2022-06-28 13:58:05 -04:00
read_write.c vfs: fix copy_file_range() averts filesystem freeze protection 2022-12-08 11:30:16 +01:00
readdir.c
remap_range.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
select.c
seq_file.c
signalfd.c
splice.c iter_to_pipe(): switch to advancing variant of iov_iter_get_pages() 2022-08-08 22:37:23 -04:00
stack.c
stat.c RISC-V Patches for the 5.19 Merge Window, Part 1 2022-05-31 14:10:54 -07:00
statfs.c
super.c fscrypt: fix keyring memory leak on mount failure 2022-11-10 18:17:30 +01:00
sync.c
sysctls.c
timerfd.c
userfaultfd.c userfaultfd: open userfaultfds with O_RDONLY 2022-10-21 12:37:58 +02:00
utimes.c
xattr.c acl: move idmapped mount fixup into vfs_{g,s}etxattr() 2022-07-15 22:08:59 +02:00