linux_dsm_epyc7002/fs/xfs
Dave Chinner c7f87f3984 xfs: fix use-after-free on CIL context on shutdown
xlog_wait() on the CIL context can reference a freed context if the
waiter doesn't get scheduled before the CIL context is freed. This
can happen when a task is on the hard throttle and the CIL push
aborts due to a shutdown. This was detected by generic/019:

thread 1			thread 2

__xfs_trans_commit
 xfs_log_commit_cil
  <CIL size over hard throttle limit>
  xlog_wait
   schedule
				xlog_cil_push_work
				wake_up_all
				<shutdown aborts commit>
				xlog_cil_committed
				kmem_free

   remove_wait_queue
    spin_lock_irqsave --> UAF

Fix it by moving the wait queue to the CIL rather than keeping it in
the CIL context that gets freed on push completion. Because the
wait queue is now independent of the CIL context and we might have
multiple contexts in flight at once, only wake the waiters on the
push throttle when the context we are pushing is over the hard
throttle size threshold.

Fixes: 0e7ab7efe7 ("xfs: Throttle commits on delayed background CIL push")
Reported-by: Yu Kuai <yukuai3@huawei.com>
Signed-off-by: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
2020-06-22 19:22:57 -07:00
..
libxfs xfs: more lockdep whackamole with kmem_alloc* 2020-05-27 08:49:28 -07:00
scrub xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
Kconfig
kmem.c mm: remove the pgprot argument to __vmalloc 2020-06-02 10:59:11 -07:00
kmem.h xfs: more lockdep whackamole with kmem_alloc* 2020-05-27 08:49:28 -07:00
Makefile xfs: refactor log recovery item sorting into a generic dispatch structure 2020-05-08 08:49:58 -07:00
mrlock.h
xfs_acl.c
xfs_acl.h
xfs_aops.c New code for 5.8: 2020-06-02 19:21:40 -07:00
xfs_aops.h
xfs_attr_inactive.c xfs: cleanup xfs_idestroy_fork 2020-05-19 09:40:59 -07:00
xfs_attr_list.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_bio_io.c
xfs_bmap_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_bmap_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_bmap_util.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_bmap_util.h
xfs_buf_item_recover.c xfs: move log recovery buffer cancellation code to xfs_buf_item_recover.c 2020-05-08 08:50:01 -07:00
xfs_buf_item.c xfs: combine xfs_trans_ail_[remove|delete]() 2020-05-07 08:27:48 -07:00
xfs_buf_item.h xfs: refactor failed buffer resubmission into xfsaild 2020-05-07 08:27:45 -07:00
xfs_buf.c New code for 5.8: 2020-06-02 19:21:40 -07:00
xfs_buf.h xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_dir2_readdir.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_discard.c
xfs_discard.h
xfs_dquot_item_recover.c xfs: remove log recovery quotaoff item dispatch for pass2 commit functions 2020-05-08 08:49:59 -07:00
xfs_dquot_item.c xfs: combine xfs_trans_ail_[remove|delete]() 2020-05-07 08:27:48 -07:00
xfs_dquot_item.h
xfs_dquot.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_dquot.h xfs: pass xfs_dquot to xfs_qm_adjust_dqtimers 2020-05-27 08:49:26 -07:00
xfs_error.c xfs: random buffer write failure errortag 2020-05-07 08:27:48 -07:00
xfs_error.h
xfs_export.c
xfs_export.h
xfs_extent_busy.c
xfs_extent_busy.h
xfs_extfree_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_extfree_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_file.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
xfs_filestream.c
xfs_filestream.h
xfs_fsmap.c
xfs_fsmap.h
xfs_fsops.c xfs: remove unused shutdown types 2020-05-07 08:27:48 -07:00
xfs_fsops.h
xfs_globals.c
xfs_health.c
xfs_icache.c (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_icache.h xfs: straighten out all the naming around incore inode tree walks 2020-05-27 08:49:27 -07:00
xfs_icreate_item.c xfs: refactor log recovery icreate item dispatch for pass2 commit functions 2020-05-08 08:49:59 -07:00
xfs_icreate_item.h
xfs_inode_item_recover.c xfs: improve local fork verification 2020-05-19 09:40:58 -07:00
xfs_inode_item.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_inode_item.h xfs: remove unused iflush stale parameter 2020-05-07 08:27:48 -07:00
xfs_inode.c Fixes for 5.8: 2020-06-13 12:40:24 -07:00
xfs_inode.h (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_ioctl32.c
xfs_ioctl32.h
xfs_ioctl.c Third part of new DAX code for 5.8: 2020-06-11 10:48:12 -07:00
xfs_ioctl.h
xfs_iomap.c xfs: refactor xfs_iomap_prealloc_size 2020-05-27 08:49:28 -07:00
xfs_iomap.h
xfs_iops.c mmap locking API: convert mmap_sem comments 2020-06-09 09:39:14 -07:00
xfs_iops.h
xfs_itable.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_itable.h
xfs_iwalk.c
xfs_iwalk.h
xfs_linux.h
xfs_log_cil.c xfs: fix use-after-free on CIL context on shutdown 2020-06-22 19:22:57 -07:00
xfs_log_priv.h xfs: fix use-after-free on CIL context on shutdown 2020-06-22 19:22:57 -07:00
xfs_log_recover.c xfs: remove unnecessary includes from xfs_log_recover.c 2020-05-08 08:50:01 -07:00
xfs_log.c
xfs_log.h
xfs_message.c xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_message.h xfs: refactor ratelimited buffer error messages into helper 2020-05-07 08:27:46 -07:00
xfs_mount.c xfs: reduce free inode accounting overhead 2020-05-27 08:49:25 -07:00
xfs_mount.h fs/xfs: Make DAX mount option a tri-state 2020-05-29 20:13:20 -07:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h
xfs_pnfs.c xfs: define printk_once variants for xfs messages 2020-05-04 09:03:15 -07:00
xfs_pnfs.h
xfs_pwork.c
xfs_pwork.h
xfs_qm_bhv.c
xfs_qm_syscalls.c xfs: straighten out all the naming around incore inode tree walks 2020-05-27 08:49:27 -07:00
xfs_qm.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_qm.h xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_quota.h
xfs_quotaops.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_refcount_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_refcount_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_reflink.c
xfs_reflink.h
xfs_rmap_item.c xfs: hoist setting of XFS_LI_RECOVERED to caller 2020-05-08 08:50:01 -07:00
xfs_rmap_item.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_rtalloc.c
xfs_rtalloc.h
xfs_stats.c
xfs_stats.h
xfs_super.c (More) new code for 5.8: 2020-06-02 19:48:41 -07:00
xfs_super.h
xfs_symlink.c xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_symlink.h
xfs_sysctl.c
xfs_sysctl.h
xfs_sysfs.c
xfs_sysfs.h
xfs_trace.c
xfs_trace.h xfs: move the fork format fields into struct xfs_ifork 2020-05-19 09:40:58 -07:00
xfs_trans_ail.c xfs: refactor adding recovered intent items to the log 2020-05-08 08:50:00 -07:00
xfs_trans_buf.c
xfs_trans_dquot.c xfs: per-type quota timers and warn limits 2020-05-27 08:49:26 -07:00
xfs_trans_priv.h xfs: refactor adding recovered intent items to the log 2020-05-08 08:50:00 -07:00
xfs_trans.c xfs: remove the m_active_trans counter 2020-05-27 08:49:25 -07:00
xfs_trans.h xfs: refactor intent item RECOVERED flag into the log item 2020-05-08 08:50:01 -07:00
xfs_xattr.c xfs: remove duplicate headers 2020-05-08 08:51:34 -07:00
xfs.h