linux/fs/xfs
Dave Chinner 28b783e47a xfs: bufferhead chains are invalid after end_page_writeback
In xfs_finish_page_writeback(), we have a loop that looks like this:

        do {
                if (off < bvec->bv_offset)
                        goto next_bh;
                if (off > end)
                        break;
                bh->b_end_io(bh, !error);
next_bh:
                off += bh->b_size;
        } while ((bh = bh->b_this_page) != head);

The b_end_io function is end_buffer_async_write(), which will call
end_page_writeback() once all the buffers have been marked as no longer
under IO.  The issue here is that the only thing currently
protecting both the bufferhead chain and the page from being
reclaimed is the PageWriteback state held on the page.

While we attempt to limit the loop to just the buffers covered by
the IO, we still read from the buffer size and follow the next
pointer in the bufferhead chain. There is no guarantee that either
of these are valid after the PageWriteback flag has been cleared.
Hence, loops like this are completely unsafe, and result in
use-after-free issues. One such problem was caught by Calvin Owens
with KASAN:

.....
 INFO: Freed in 0x103fc80ec age=18446651500051355200 cpu=2165122683 pid=-1
  free_buffer_head+0x41/0x90
  __slab_free+0x1ed/0x340
  kmem_cache_free+0x270/0x300
  free_buffer_head+0x41/0x90
  try_to_free_buffers+0x171/0x240
  xfs_vm_releasepage+0xcb/0x3b0
  try_to_release_page+0x106/0x190
  shrink_page_list+0x118e/0x1a10
  shrink_inactive_list+0x42c/0xdf0
  shrink_zone_memcg+0xa09/0xfa0
  shrink_zone+0x2c3/0xbc0
.....
 Call Trace:
  <IRQ>  [<ffffffff81e8b8e4>] dump_stack+0x68/0x94
  [<ffffffff8153a995>] print_trailer+0x115/0x1a0
  [<ffffffff81541174>] object_err+0x34/0x40
  [<ffffffff815436e7>] kasan_report_error+0x217/0x530
  [<ffffffff81543b33>] __asan_report_load8_noabort+0x43/0x50
  [<ffffffff819d651f>] xfs_destroy_ioend+0x3bf/0x4c0
  [<ffffffff819d69d4>] xfs_end_bio+0x154/0x220
  [<ffffffff81de0c58>] bio_endio+0x158/0x1b0
  [<ffffffff81dff61b>] blk_update_request+0x18b/0xb80
  [<ffffffff821baf57>] scsi_end_request+0x97/0x5a0
  [<ffffffff821c5558>] scsi_io_completion+0x438/0x1690
  [<ffffffff821a8d95>] scsi_finish_command+0x375/0x4e0
  [<ffffffff821c3940>] scsi_softirq_done+0x280/0x340
Where the access is occurring during IO completion after the buffer
had been freed from direct memory reclaim.

Prevent use-after-free accidents in this end_io processing loop by
pre-calculating the loop conditionals before calling bh->b_end_io().
The loop is already limited to just the bufferheads covered by the
IO in progress, so the offset checks are sufficient to prevent
accessing buffers in the chain after end_page_writeback() has been
called by the bh->b_end_io() callout.

Yet another example of why Bufferheads Must Die.

cc: <stable@vger.kernel.org> # 4.7
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reported-and-Tested-by: Calvin Owens <calvinowens@fb.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Reviewed-by: Brian Foster <bfoster@redhat.com>
Signed-off-by: Dave Chinner <david@fromorbit.com>
2016-07-22 09:56:38 +10:00
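The failure mode this commit describes, and the shape of loop that avoids it, as a userspace model added here. This is example code, not the kernel's and not the diff that landed in xfs_aops.c: struct page, struct buffer_head, end_buffer_async_write() and the two finish_page_writeback_*() loops are stand-ins named after the kernel functions, deref() and run_scenario() are this example's own, and reclaim is modelled as running synchronously the moment the last buffer on the page completes, which is the worst case the commit message warns about. The unsafe loop is the one quoted in the commit message; the hardened loop's ordering (bounds test first, then read the next pointer and buffer size, then the callout) is this example's own and goes slightly beyond the commit message, which only says the loop conditionals are pre-calculated before bh->b_end_io() is called. A 4 KiB page with four 1 KiB buffers is assumed.

```c
#include <stdio.h>
#include <string.h>
/* Userspace model of the race in the commit message above (example code, not
 * kernel code: names mirror the kernel's, bodies are stand-ins). Reclaim runs
 * synchronously inside end_page_writeback() to model the worst case. */
#define NR_BH	4u		/* 4 KiB page, 1 KiB blocks */
#define BH_SIZE	1024u

struct buffer_head {
	struct buffer_head *b_this_page;	/* circular list on the page */
	size_t b_size;
};

struct page {
	struct buffer_head bh[NR_BH];
	int under_io;		/* buffers still under write IO */
	int buffers_freed;	/* try_to_free_buffers() has run on the chain */
	int end_io_calls;	/* b_end_io() callouts made */
	int uaf_hits;		/* reads of a freed bufferhead */
};
struct result { int callouts, uaf_hits; };

/* Stand-in for slab poisoning: every bufferhead read goes through here, and a
 * read after the chain was freed is counted rather than being undefined. */
static struct buffer_head *deref(struct page *page, struct buffer_head *bh)
{
	page->uaf_hits += page->buffers_freed;
	return bh;
}

/* The b_end_io callout: the last buffer to complete on the page calls
 * end_page_writeback(); nothing pins the chain after that and reclaim frees it. */
static void end_buffer_async_write(struct page *page, struct buffer_head *bh)
{
	page->end_io_calls++;
	if (--page->under_io == 0)
		page->buffers_freed = 1;	/* end_page_writeback() -> reclaim */
}

/* The loop as quoted in the commit message: bh is dereferenced after the
 * callout that may have freed it. */
static void finish_page_writeback_unsafe(struct page *page,
					 unsigned bv_offset, unsigned bv_len)
{
	struct buffer_head *head = page->bh, *bh = head;
	unsigned off = 0, end = bv_offset + bv_len - 1;
	do {
		if (off < bv_offset)
			goto next_bh;
		if (off > end)
			break;
		end_buffer_async_write(page, bh);
next_bh:
		off += deref(page, bh)->b_size;		/* bh may be freed here */
	} while ((bh = deref(page, bh)->b_this_page) != head);	/* and here */
}

/* Hardened loop: the "past this IO" test runs before any dereference, and the
 * next pointer and buffer size are read before the callout, so once the last
 * buffer of the IO completes the chain is never touched again. */
static void finish_page_writeback_safe(struct page *page,
				       unsigned bv_offset, unsigned bv_len)
{
	struct buffer_head *head = page->bh, *bh = head, *next = NULL;
	unsigned off = 0, end = bv_offset + bv_len - 1;
	size_t bsize = deref(page, bh)->b_size;	/* one size for the whole page */
	do {
		if (off > end)
			break;
		next = deref(page, bh)->b_this_page;
		if (off >= bv_offset)
			end_buffer_async_write(page, bh);
		off += bsize;
	} while ((bh = next) != head);
}

/* Build a page whose buffers in [bv_offset, bv_offset + bv_len) are under IO
 * (the rest completed in an earlier bio) and run the given completion loop. */
static struct result run_scenario(void (*loop)(struct page *, unsigned, unsigned),
				  unsigned bv_offset, unsigned bv_len)
{
	struct page page;
	memset(&page, 0, sizeof(page));
	for (unsigned i = 0; i < NR_BH; i++) {
		page.bh[i].b_this_page = &page.bh[(i + 1) % NR_BH];
		page.bh[i].b_size = BH_SIZE;
	}
	page.under_io = bv_len / BH_SIZE;
	loop(&page, bv_offset, bv_len);
	return (struct result){ page.end_io_calls, page.uaf_hits };
}

int main(void)
{
	struct result u = run_scenario(finish_page_writeback_unsafe, 0, 2048);
	struct result s = run_scenario(finish_page_writeback_safe, 0, 2048);
	printf("bio [0,+2048): unsafe loop %d callouts, %d freed reads; "
	       "safe loop %d callouts, %d freed reads\n",
	       u.callouts, u.uaf_hits, s.callouts, s.uaf_hits);
	return 0;
}
```

Build with `cc -Wall -o bh_race bh_race.c`. The bio covering only the first half of the page is the instructive case: both loops make the same two callouts, but the quoted loop then reads b_size and b_this_page from a buffer that reclaim has already released (two counted freed reads), while the hardened loop hits the `off > end` test first and never dereferences again. A bio covering the whole page or the second half behaves the same way. The deref() counter stands in for what KASAN reported on the real system; it keeps the example deterministic and free of actual undefined behaviour, so the point is visible without a sanitizer build.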
libxfs libxfs: directory node splitting does not have an extra block 2016-07-22 09:51:05 +10:00
Kconfig
kmem.c xfs: improve kmem_realloc 2016-04-06 09:47:01 +10:00
kmem.h xfs: improve kmem_realloc 2016-04-06 09:47:01 +10:00
Makefile nfsd: add SCSI layout support 2016-03-18 11:42:53 -04:00
mrlock.h
uuid.c
uuid.h
xfs_acl.c posix_acl: Inode acl caching fixes 2016-03-31 00:30:15 -04:00
xfs_acl.h xfs: Change how listxattr generates synthetic attributes 2015-12-06 21:34:16 -05:00
xfs_aops.c xfs: bufferhead chains are invalid after end_page_writeback 2016-07-22 09:56:38 +10:00
xfs_aops.h xfs: direct calls in the direct I/O path 2016-07-20 11:38:01 +10:00
xfs_attr_inactive.c xfs: better xfs_trans_alloc interface 2016-04-06 09:19:55 +10:00
xfs_attr_list.c xfs: collapse cases in xfs_attr3_leaf_list_int 2016-04-06 07:57:47 +10:00
xfs_attr.h xfs: remove put_value from attr ->put_listent context 2016-04-06 07:57:45 +10:00
xfs_bmap_util.c DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
xfs_bmap_util.h
xfs_buf_item.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_buf_item.h xfs: fix non-debug build warnings 2015-08-25 10:05:13 +10:00
xfs_buf.c xfs: buffer ->bi_end_io function requires irq-safe lock 2016-05-18 10:56:41 +10:00
xfs_buf.h xfs: add configuration of error failure speed 2016-05-18 11:08:15 +10:00
xfs_dir2_readdir.c xfs: concurrent readdir hangs on data buffer locks 2016-05-18 13:20:21 -04:00
xfs_discard.c xfs: fix format specifier , should be %llx and not %llu 2016-03-02 09:57:04 +11:00
xfs_discard.h
xfs_dquot_item.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_dquot_item.h
xfs_dquot.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_dquot.h
xfs_error.c xfs: print name of verifier if it fails 2016-01-04 16:10:19 +11:00
xfs_error.h xfs: remove inst_t 2015-06-22 09:44:02 +10:00
xfs_export.c Various bugfixes, a RDMA update from Chuck Lever, and support for a new 2016-03-24 19:50:32 -07:00
xfs_export.h
xfs_extent_busy.c
xfs_extent_busy.h
xfs_extfree_item.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_extfree_item.h xfs: fix efi/efd error handling to avoid fs shutdown hangs 2015-08-19 09:51:16 +10:00
xfs_file.c xfs: remove dax code from object file when disabled 2016-07-22 09:50:55 +10:00
xfs_filestream.c xfs: mode di_mode to vfs inode 2016-02-09 16:54:58 +11:00
xfs_filestream.h
xfs_fsops.c Merge branch 'xfs-4.7-trans-type-cleanup' into for-next 2016-05-20 10:31:52 +10:00
xfs_fsops.h xfs: remove unused function definitions 2016-02-08 14:58:07 +11:00
xfs_globals.c
xfs_icache.c xfs: move reclaim tagging functions 2016-05-18 14:20:08 +10:00
xfs_icache.h
xfs_icreate_item.c
xfs_icreate_item.h
xfs_inode_item.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_inode_item.h xfs: remove timestamps from incore inode 2016-02-09 16:54:58 +11:00
xfs_inode.c Merge branch 'xfs-4.7-inode-reclaim' into for-next 2016-05-20 10:34:00 +10:00
xfs_inode.h xfs: kill ioflags 2016-07-20 11:31:42 +10:00
xfs_ioctl32.c xfs: don't pass ioflags around in the ioctl path 2016-07-20 11:29:35 +10:00
xfs_ioctl32.h
xfs_ioctl.c xfs: don't pass ioflags around in the ioctl path 2016-07-20 11:29:35 +10:00
xfs_ioctl.h xfs: don't pass ioflags around in the ioctl path 2016-07-20 11:29:35 +10:00
xfs_iomap.c xfs: better xfs_trans_alloc interface 2016-04-06 09:19:55 +10:00
xfs_iomap.h
xfs_iops.c Merge branch 'xfs-4.7-optimise-inline-symlinks' into for-next 2016-05-20 10:32:10 +10:00
xfs_iops.h
xfs_itable.c xfs: mode di_mode to vfs inode 2016-02-09 16:54:58 +11:00
xfs_itable.h
xfs_linux.h mm, fs: get rid of PAGE_CACHE_* and page_cache_{get,release} macros 2016-04-04 10:41:08 -07:00
xfs_log_cil.c xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_log_priv.h xfs: remove transaction types 2016-04-06 09:20:36 +10:00
xfs_log_recover.c Merge branch 'xfs-4.7-misc-fixes' into for-next 2016-05-20 10:33:17 +10:00
xfs_log.c Merge branch 'xfs-4.7-misc-fixes' into for-next 2016-05-20 10:33:17 +10:00
xfs_log.h xfs: remove transaction types 2016-04-06 09:20:36 +10:00
xfs_message.c xfs: more info from kmem deadlocks and high-level error msgs 2015-10-12 16:04:45 +11:00
xfs_message.h
xfs_mount.c xfs: update for 4.7-rc1 2016-05-26 10:13:40 -07:00
xfs_mount.h xfs: update for 4.7-rc1 2016-05-26 10:13:40 -07:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h xfs: check sizes of XFS on-disk structures at compile time 2016-03-09 08:15:14 +11:00
xfs_pnfs.c xfs: update for 4.7-rc1 2016-05-26 10:13:40 -07:00
xfs_pnfs.h nfsd: add SCSI layout support 2016-03-18 11:42:53 -04:00
xfs_qm_bhv.c
xfs_qm_syscalls.c xfs: better xfs_trans_alloc interface 2016-04-06 09:19:55 +10:00
xfs_qm.c xfs: better xfs_trans_alloc interface 2016-04-06 09:19:55 +10:00
xfs_qm.h xfs: Split default quota limits by quota type 2016-02-08 11:27:55 +11:00
xfs_quota.h xfs: fix quota block reservation leak when tp allocates and frees blocks 2015-06-01 07:15:37 +10:00
xfs_quotaops.c xfs: wire up Q_XGETNEXTQUOTA / get_nextdqblk 2016-02-08 11:27:38 +11:00
xfs_rtalloc.c xfs: better xfs_trans_alloc interface 2016-04-06 09:19:55 +10:00
xfs_rtalloc.h
xfs_stats.c xfs: stats are no longer dependent on CONFIG_PROC_FS 2015-10-19 08:42:46 +11:00
xfs_stats.h xfs: per-filesystem stats counter implementation 2015-10-12 18:21:22 +11:00
xfs_super.c DAX error handling for 4.7 2016-05-26 19:34:26 -07:00
xfs_super.h xfs: fix up inode32/64 (re)mount handling 2016-03-02 09:58:09 +11:00
xfs_symlink.c Merge branch 'xfs-4.7-optimise-inline-symlinks' into for-next 2016-05-20 10:32:10 +10:00
xfs_symlink.h
xfs_sysctl.c xfs: pass xfsstats structures to handlers and macros 2015-10-12 05:19:45 +11:00
xfs_sysctl.h
xfs_sysfs.c xfs: add "fail at unmount" error handling configuration 2016-05-18 11:11:27 +10:00
xfs_sysfs.h xfs: configurable error behavior via sysfs 2016-05-18 10:58:51 +10:00
xfs_trace.c
xfs_trace.h xfs: split direct I/O and DAX path 2016-07-20 11:38:55 +10:00
xfs_trans_ail.c xfs: Make xfsaild freezeable again 2016-02-08 14:59:07 +11:00
xfs_trans_buf.c xfs: remove XBF_STALE flag wrapper macros 2016-02-10 15:01:11 +11:00
xfs_trans_dquot.c xfs: Split default quota limits by quota type 2016-02-08 11:27:55 +11:00
xfs_trans_extfree.c xfs: ensure EFD trans aborts on log recovery extent free failure 2015-08-19 09:51:43 +10:00
xfs_trans_inode.c xfs: move di_changecount to VFS inode 2016-02-09 16:54:58 +11:00
xfs_trans_priv.h xfs: add helper to conditionally remove items from the AIL 2015-08-19 10:01:08 +10:00
xfs_trans.c xfs: remove transaction types 2016-04-06 09:20:36 +10:00
xfs_trans.h xfs: allocate log vector buffers outside CIL context lock 2016-07-22 09:52:35 +10:00
xfs_xattr.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-05-27 17:14:05 -07:00
xfs.h