linux/fs/xfs
Dave Chinner c7f87f3984 xfs: fix use-after-free on CIL context on shutdown
xlog_wait() on the CIL context can reference a freed context if the
waiter doesn't get scheduled before the CIL context is freed. This
can happen when a task is on the hard throttle and the CIL push
aborts due to a shutdown. This was detected by generic/019:

thread 1			thread 2

__xfs_trans_commit
 xfs_log_commit_cil
  <CIL size over hard throttle limit>
  xlog_wait
   schedule
				xlog_cil_push_work
				wake_up_all
				<shutdown aborts commit>
				xlog_cil_committed
				kmem_free

   remove_wait_queue
    spin_lock_irqsave --> UAF

Fix it by moving the wait queue to the CIL rather than keeping it in
in the CIL context that gets freed on push completion. Because the
wait queue is now independent of the CIL context and we might have
multiple contexts in flight at once, only wake the waiters on the
push throttle when the context we are pushing is over the hard
throttle size threshold.

Fixes: 0e7ab7efe7 ("xfs: Throttle commits on delayed background CIL push")
Reported-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-06-22 19:22:57 -07:00
..
libxfs xfs: more lockdep whackamole with kmem_alloc* 2020-05-27 08:49:28 -07:00
scrub xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
Kconfig
kmem.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
kmem.h xfs: more lockdep whackamole with kmem_alloc* 2020-05-27 08:49:28 -07:00
Makefile xfs: refactor log recovery item sorting into a generic dispatch structure 2020-05-08 08:49:58 -07:00
mrlock.h
xfs_acl.c xfs: only allocate the buffer size actually needed in __xfs_set_acl 2020-03-02 20:55:55 -08:00
xfs_acl.h xfs: improve xfs_forget_acl 2020-03-02 20:55:55 -08:00
xfs_aops.c New code for 5.8: 2020-06-02 19:21:40 -07:00
xfs_aops.h xfs: add a xfs_inode_buftarg helper 2019-10-28 08:37:54 -07:00
xfs_attr_inactive.c xfs: cleanup xfs_idestroy_fork 2020-05-19 09:40:59 -07:00
xfs_attr_list.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_bio_io.c
xfs_bmap_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_bmap_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_bmap_util.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_bmap_util.h xfs: simplify xfs_iomap_eof_align_last_fsb 2019-11-03 10:22:30 -08:00
xfs_buf_item_recover.c xfs: move log recovery buffer cancellation code to xfs_buf_item_recover.c 2020-05-08 08:50:01 -07:00
xfs_buf_item.c xfs: combine xfs_trans_ail_[remove|delete]() 2020-05-07 08:27:48 -07:00
xfs_buf_item.h xfs: refactor failed buffer resubmission into xfsaild 2020-05-07 08:27:45 -07:00
xfs_buf.c New code for 5.8: 2020-06-02 19:21:40 -07:00
xfs_buf.h xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_dir2_readdir.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_discard.c xfs: remove XFS_BUF_TO_AGF 2020-03-11 09:11:39 -07:00
xfs_discard.h
xfs_dquot_item_recover.c xfs: remove log recovery quotaoff item dispatch for pass2 commit functions 2020-05-08 08:49:59 -07:00
xfs_dquot_item.c xfs: combine xfs_trans_ail_[remove|delete]() 2020-05-07 08:27:48 -07:00
xfs_dquot_item.h xfs: factor out quotaoff intent AIL removal and memory free 2020-03-18 08:12:23 -07:00
xfs_dquot.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_dquot.h xfs: pass xfs_dquot to xfs_qm_adjust_dqtimers 2020-05-27 08:49:26 -07:00
xfs_error.c xfs: random buffer write failure errortag 2020-05-07 08:27:48 -07:00
xfs_error.h xfs: xfs_buf_corruption_error should take __this_address 2020-03-12 07:58:12 -07:00
xfs_export.c xfs: factor out a new xfs_log_force_inode helper 2020-04-06 08:44:35 -07:00
xfs_export.h
xfs_extent_busy.c xfs: cleanup use of the XFS_ALLOC_ flags 2019-11-03 10:22:31 -08:00
xfs_extent_busy.h
xfs_extfree_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_extfree_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_file.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
xfs_filestream.c xfs: make xfs_*read_agf return EAGAIN to ALLOC_FLAG_TRYLOCK callers 2020-01-26 14:32:26 -08:00
xfs_filestream.h
xfs_fsmap.c xfs: prohibit fs freezing when using empty transactions 2020-03-26 08:19:24 -07:00
xfs_fsmap.h
xfs_fsops.c xfs: remove unused shutdown types 2020-05-07 08:27:48 -07:00
xfs_fsops.h
xfs_globals.c
xfs_health.c
xfs_icache.c (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_icache.h xfs: straighten out all the naming around incore inode tree walks 2020-05-27 08:49:27 -07:00
xfs_icreate_item.c xfs: refactor log recovery icreate item dispatch for pass2 commit functions 2020-05-08 08:49:59 -07:00
xfs_icreate_item.h
xfs_inode_item_recover.c xfs: improve local fork verification 2020-05-19 09:40:58 -07:00
xfs_inode_item.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_inode_item.h xfs: remove unused iflush stale parameter 2020-05-07 08:27:48 -07:00
xfs_inode.c Fixes for 5.8: 2020-06-13 12:40:24 -07:00
xfs_inode.h (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_ioctl32.c xfs: lift cursor copy in/out into xfs_ioc_attr_list 2020-03-02 20:55:54 -08:00
xfs_ioctl32.h xfs: rename compat_time_t to old_time32_t 2020-01-06 08:57:36 -08:00
xfs_ioctl.c Third part of new DAX code for 5.8: 2020-06-11 10:48:12 -07:00
xfs_ioctl.h xfs: embedded the attrlist cursor into struct xfs_attr_list_context 2020-03-02 20:55:55 -08:00
xfs_iomap.c xfs: refactor xfs_iomap_prealloc_size 2020-05-27 08:49:28 -07:00
xfs_iomap.h xfs: simplify the xfs_iomap_write_direct calling 2019-11-03 10:22:30 -08:00
xfs_iops.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
xfs_iops.h
xfs_itable.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_itable.h
xfs_iwalk.c xfs: kill the XFS_WANT_CORRUPT_* macros 2019-11-12 17:19:02 -08:00
xfs_iwalk.h
xfs_linux.h xfs: clean up the attr flag confusion 2020-03-02 20:55:55 -08:00
xfs_log_cil.c xfs: fix use-after-free on CIL context on shutdown 2020-06-22 19:22:57 -07:00
xfs_log_priv.h xfs: fix use-after-free on CIL context on shutdown 2020-06-22 19:22:57 -07:00
xfs_log_recover.c xfs: remove unnecessary includes from xfs_log_recover.c 2020-05-08 08:50:01 -07:00
xfs_log.c xfs: don't write a corrupt unmount record to force summary counter recalc 2020-03-27 08:32:55 -07:00
xfs_log.h xfs: refactor and split xfs_log_done() 2020-03-27 08:32:53 -07:00
xfs_message.c xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_message.h xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_mount.c xfs: reduce free inode accounting overhead 2020-05-27 08:49:25 -07:00
xfs_mount.h fs/xfs: Make DAX mount option a tri-state 2020-05-29 20:13:20 -07:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h xfs: make struct xfs_buf_log_format have a consistent size 2020-01-16 08:07:23 -08:00
xfs_pnfs.c xfs: define printk_once variants for xfs messages 2020-05-04 09:03:15 -07:00
xfs_pnfs.h
xfs_pwork.c
xfs_pwork.h
xfs_qm_bhv.c xfs: remove the xfs_disk_dquot_t and xfs_dquot_t 2019-11-13 11:13:45 -08:00
xfs_qm_syscalls.c xfs: straighten out all the naming around incore inode tree walks 2020-05-27 08:49:27 -07:00
xfs_qm.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_qm.h xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_quota.h xfs: remove the icdinode di_uid/di_gid members 2020-03-02 20:55:50 -08:00
xfs_quotaops.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_refcount_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_refcount_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_reflink.c xfs: fix partially uninitialized structure in xfs_reflink_remap_extent 2020-04-13 08:00:23 -07:00
xfs_reflink.h xfs: change return value of xfs_inode_need_cow to int 2020-01-20 14:34:47 -08:00
xfs_rmap_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_rmap_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_rtalloc.c xfs: make xfs_trans_get_buf return an error code 2020-01-26 14:32:26 -08:00
xfs_rtalloc.h
xfs_stats.c xfs: Use scnprintf() for avoiding potential buffer overflow 2020-03-12 07:58:13 -07:00
xfs_stats.h
xfs_super.c (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_super.h xfs: include QUOTA, FATAL ASSERT build options in XFS_BUILD_OPTIONS 2019-10-21 09:04:57 -07:00
xfs_symlink.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_symlink.h xfs: Correct comment tyops -> typos 2019-11-10 10:21:57 -08:00
xfs_sysctl.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
xfs_sysctl.h
xfs_sysfs.c
xfs_sysfs.h
xfs_trace.c xfs: support bulk loading of staged btrees 2020-03-18 08:12:23 -07:00
xfs_trace.h xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_trans_ail.c xfs: refactor adding recovered intent items to the log 2020-05-08 08:50:00 -07:00
xfs_trans_buf.c xfs: fix xfs_buf_ioerror_alert location reporting 2020-01-26 14:32:27 -08:00
xfs_trans_dquot.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_trans_priv.h xfs: refactor adding recovered intent items to the log 2020-05-08 08:50:00 -07:00
xfs_trans.c xfs: remove the m_active_trans counter 2020-05-27 08:49:25 -07:00
xfs_trans.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_xattr.c xfs: remove duplicate headers 2020-05-08 08:51:34 -07:00
xfs.h