linux_dsm_epyc7002/fs/xfs
Dave Chinner 0612d11663 xfs: fix intent use-after-free on abort
When an intent is aborted during its initial commit through
xfs_defer_trans_abort(), there is a use after free. The current
report is for a RUI through this path in generic/388:

 Freed by task 6274:
  __kasan_slab_free+0x136/0x180
  kmem_cache_free+0xe7/0x4b0
  xfs_trans_free_items+0x198/0x2e0
  __xfs_trans_commit+0x27f/0xcc0
  xfs_trans_roll+0x17b/0x2a0
  xfs_defer_trans_roll+0x6ad/0xe60
  xfs_defer_finish+0x2a6/0x2140
  xfs_alloc_file_space+0x53a/0xf90
  xfs_file_fallocate+0x5c6/0xac0
  vfs_fallocate+0x2f5/0x930
  ioctl_preallocate+0x1dc/0x320
  do_vfs_ioctl+0xfe4/0x1690

The problem is that the RUI has two active references - one in the
current transaction, and another held by the defer_ops structure
that is passed to the RUD (intent done) so that both the intent and
the intent done structures are freed on commit of the intent done.

Hence during abort, we need to release the intent item, because the
defer_ops reference is released separately via ->abort_intent
callback. Fix all the intent code to do this correctly.

Signed-Off-By: Dave Chinner <dchinner@redhat.com>
Reviewed-by: Darrick J. Wong <darrick.wong@oracle.com>
Signed-off-by: Darrick J. Wong <darrick.wong@oracle.com>
2018-04-02 20:08:27 -07:00
..
libxfs xfs: clean up xfs_mount allocation and dynamic initializers 2018-03-26 08:54:15 -07:00
scrub xfs: xfs_scrub_iallocbt_xref_rmap_inodes should use xref_set_corrupt 2018-03-23 18:05:09 -07:00
Kconfig fs/*/Kconfig: drop links to 404-compliant http://acl.bestbits.at 2018-01-01 12:45:37 -07:00
kmem.c xfs: fall back to vmalloc when allocation log vector buffers 2018-03-11 20:27:55 -07:00
kmem.h xfs: fall back to vmalloc when allocation log vector buffers 2018-03-11 20:27:55 -07:00
Makefile
mrlock.h
xfs_acl.c
xfs_acl.h
xfs_aops.c xfs: minor cleanup for xfs_get_blocks 2018-03-15 10:31:38 -07:00
xfs_aops.h
xfs_attr_inactive.c
xfs_attr_list.c xfs: remove u_int* type usage 2017-11-09 15:50:29 -08:00
xfs_attr.h
xfs_bmap_item.c xfs: fix intent use-after-free on abort 2018-04-02 20:08:27 -07:00
xfs_bmap_item.h xfs: log recovery should replay deferred ops in order 2017-11-27 09:34:08 -08:00
xfs_bmap_util.c xfs: remove xfs_zero_range 2018-03-15 10:31:38 -07:00
xfs_bmap_util.h
xfs_buf_item.c xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_buf_item.h Use list_head infra-structure for buffer's log items list 2018-01-29 07:27:22 -08:00
xfs_buf.c xfs: Correctly invert xfs_buftarg LRU isolation logic 2018-03-11 20:27:56 -07:00
xfs_buf.h Use list_head infra-structure for buffer's log items list 2018-01-29 07:27:22 -08:00
xfs_dir2_readdir.c xfs: directory scrubber must walk through data block to offset 2018-01-17 21:00:46 -08:00
xfs_discard.c
xfs_discard.h
xfs_dquot_item.c xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_dquot_item.h
xfs_dquot.c xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_dquot.h
xfs_error.c xfs: refactor inode buffer verifier error logging 2018-03-23 18:05:07 -07:00
xfs_error.h xfs: refactor inode buffer verifier error logging 2018-03-23 18:05:07 -07:00
xfs_export.c xfs: merge _xfs_log_force_lsn and xfs_log_force_lsn 2018-03-14 11:12:52 -07:00
xfs_export.h
xfs_extent_busy.c xfs: merge _xfs_log_force and xfs_log_force 2018-03-14 11:12:52 -07:00
xfs_extent_busy.h
xfs_extfree_item.c xfs: fix intent use-after-free on abort 2018-04-02 20:08:27 -07:00
xfs_extfree_item.h
xfs_file.c xfs: remove xfs_zero_range 2018-03-15 10:31:38 -07:00
xfs_filestream.c
xfs_filestream.h
xfs_fsmap.c
xfs_fsmap.h
xfs_fsops.c xfs: convert XFS_AGFL_SIZE to a helper function 2018-03-11 20:27:56 -07:00
xfs_fsops.h xfs: hoist xfs_fs_geometry to libxfs 2018-01-08 10:54:48 -08:00
xfs_globals.c
xfs_icache.c xfs: catch inode allocation state mismatch corruption 2018-03-23 18:05:09 -07:00
xfs_icache.h xfs: remove leftover CoW reservations when remounting ro 2017-12-21 08:47:32 -08:00
xfs_icreate_item.c
xfs_icreate_item.h
xfs_inode_item.c xfs: remove an outdated comment for xfs_inode_item_committing 2018-03-14 11:12:51 -07:00
xfs_inode_item.h
xfs_inode.c xfs: Remove "committed" argument of xfs_dir_ialloc 2018-04-02 15:47:43 -07:00
xfs_inode.h xfs: Remove "committed" argument of xfs_dir_ialloc 2018-04-02 15:47:43 -07:00
xfs_ioctl32.c xfs: refactor the geometry structure filling function 2018-01-08 10:54:48 -08:00
xfs_ioctl32.h
xfs_ioctl.c xfs: refactor the geometry structure filling function 2018-01-08 10:54:48 -08:00
xfs_ioctl.h xfs: remove u_int* type usage 2017-11-09 15:50:29 -08:00
xfs_iomap.c xfs: don't block on the ilock for RWF_NOWAIT 2018-03-01 14:12:45 -08:00
xfs_iomap.h
xfs_iops.c xfs: remove xfs_zero_range 2018-03-15 10:31:38 -07:00
xfs_iops.h
xfs_itable.c
xfs_itable.h
xfs_linux.h xfs: use %px for data pointers when debugging 2018-01-12 14:09:08 -08:00
xfs_log_cil.c xfs: fall back to vmalloc when allocation log vector buffers 2018-03-11 20:27:55 -07:00
xfs_log_priv.h
xfs_log_recover.c xfs: do not log/recover swapext extent owner changes for deleted inodes 2018-03-29 10:19:15 -07:00
xfs_log.c xfs: unwind the try_again loop in xfs_log_force 2018-03-23 18:05:06 -07:00
xfs_log.h xfs: merge _xfs_log_force_lsn and xfs_log_force_lsn 2018-03-14 11:12:52 -07:00
xfs_message.c
xfs_message.h
xfs_mount.c xfs: clean up xfs_mount allocation and dynamic initializers 2018-03-26 08:54:15 -07:00
xfs_mount.h xfs: detect agfl count corruption and reset agfl 2018-03-23 18:05:06 -07:00
xfs_mru_cache.c
xfs_mru_cache.h
xfs_ondisk.h
xfs_pnfs.c
xfs_pnfs.h
xfs_qm_bhv.c
xfs_qm_syscalls.c
xfs_qm.c xfs: Remove "committed" argument of xfs_dir_ialloc 2018-04-02 15:47:43 -07:00
xfs_qm.h
xfs_quota.h
xfs_quotaops.c
xfs_refcount_item.c xfs: fix intent use-after-free on abort 2018-04-02 20:08:27 -07:00
xfs_refcount_item.h xfs: log recovery should replay deferred ops in order 2017-11-27 09:34:08 -08:00
xfs_reflink.c xfs: minor cleanup for xfs_reflink_end_cow 2018-03-15 10:31:38 -07:00
xfs_reflink.h
xfs_rmap_item.c xfs: fix intent use-after-free on abort 2018-04-02 20:08:27 -07:00
xfs_rmap_item.h
xfs_rtalloc.c
xfs_rtalloc.h xfs: cross-reference the realtime bitmap 2018-01-17 21:00:46 -08:00
xfs_stats.c
xfs_stats.h
xfs_super.c xfs: clean up xfs_mount allocation and dynamic initializers 2018-03-26 08:54:15 -07:00
xfs_super.h xfs: add scrub to XFS_BUILD_OPTIONS 2018-02-01 21:06:15 -08:00
xfs_symlink.c xfs: Remove "committed" argument of xfs_dir_ialloc 2018-04-02 15:47:43 -07:00
xfs_symlink.h
xfs_sysctl.c
xfs_sysctl.h
xfs_sysfs.c
xfs_sysfs.h
xfs_trace.c fs: xfs: remove duplicate includes 2017-12-08 17:51:05 -08:00
xfs_trace.h xfs: detect agfl count corruption and reset agfl 2018-03-23 18:05:06 -07:00
xfs_trans_ail.c xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_trans_bmap.c
xfs_trans_buf.c xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_trans_dquot.c
xfs_trans_extfree.c
xfs_trans_inode.c xfs: implement the lazytime mount option 2018-03-11 20:27:55 -07:00
xfs_trans_priv.h xfs: Rename xa_ elements to ail_ 2018-03-11 20:27:56 -07:00
xfs_trans_refcount.c
xfs_trans_rmap.c
xfs_trans.c xfs: merge _xfs_log_force_lsn and xfs_log_force_lsn 2018-03-14 11:12:52 -07:00
xfs_trans.h Use list_head infra-structure for buffer's log items list 2018-01-29 07:27:22 -08:00
xfs_xattr.c
xfs.h