lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <ffb13c36-521e-0e06-8fd6-30b0fec727da@huawei.com>
Date:   Tue, 19 Jul 2022 20:15:13 +0800
From:   Baokun Li <libaokun1@...wei.com>
To:     Greg KH <gregkh@...uxfoundation.org>
CC:     <stable@...r.kernel.org>, <linux-ext4@...r.kernel.org>,
        <tytso@....edu>, <adilger.kernel@...ger.ca>, <jack@...e.cz>,
        <ritesh.list@...il.com>, <lczerner@...hat.com>,
        <enwlinux@...il.com>, <linux-kernel@...r.kernel.org>,
        <yi.zhang@...wei.com>, <yebin10@...wei.com>, <yukuai3@...wei.com>,
        Hulk Robot <hulkci@...wei.com>
Subject: Re: [PATCH 4.19] ext4: fix race condition between ext4_ioctl_setflags
 and ext4_fiemap

在 2022/7/19 19:26, Greg KH 写道:
> On Sat, Jul 16, 2022 at 10:33:30AM +0800, Baokun Li wrote:
>> 在 2022/7/15 22:10, Greg KH 写道:
>>> On Fri, Jul 15, 2022 at 10:39:28AM +0800, Baokun Li wrote:
>>>> This patch and problem analysis is based on v4.19 LTS.
>>>> The d3b6f23f7167("ext4: move ext4_fiemap to use iomap framework") patch
>>>> is incorporated in v5.7-rc1. This patch avoids this problem by switching
>>>> to iomap in ext4_fiemap.
>>>>
>>>> Hulk Robot reported a BUG on stable 4.19.252:
>>>> ==================================================================
>>>> kernel BUG at fs/ext4/extents_status.c:762!
>>>> invalid opcode: 0000 [#1] SMP KASAN PTI
>>>> CPU: 7 PID: 2845 Comm: syz-executor Not tainted 4.19.252 #46
>>>> RIP: 0010:ext4_es_cache_extent+0x30e/0x370
>>>> [...]
>>>> Call Trace:
>>>>    ext4_cache_extents+0x238/0x2f0
>>>>    ext4_find_extent+0x785/0xa40
>>>>    ext4_fiemap+0x36d/0xe90
>>>>    do_vfs_ioctl+0x6af/0x1200
>>>> [...]
>>>> ==================================================================
>>>>
>>>> Above issue may happen as follows:
>>>> -------------------------------------
>>>>              cpu1		    cpu2
>>>> _____________________|_____________________
>>>> do_vfs_ioctl
>>>>    ext4_ioctl
>>>>     ext4_ioctl_setflags
>>>>      ext4_ind_migrate
>>>>                           do_vfs_ioctl
>>>>                            ioctl_fiemap
>>>>                             ext4_fiemap
>>>>                              ext4_test_inode_flag(inode, EXT4_INODE_EXTENTS)
>>>>                              ext4_fill_fiemap_extents
>>>>       down_write(&EXT4_I(inode)->i_data_sem);
>>>>       ext4_ext_check_inode
>>>>       ext4_clear_inode_flag(inode, EXT4_INODE_EXTENTS)
>>>>       memset(ei->i_data, 0, sizeof(ei->i_data))
>>>>       up_write(&EXT4_I(inode)->i_data_sem);
>>>>                               down_read(&EXT4_I(inode)->i_data_sem);
>>>>                               ext4_find_extent
>>>>                                ext4_cache_extents
>>>>                                 ext4_es_cache_extent
>>>>                                  BUG_ON(end < lblk)
>>>>
>>>> We can easily reproduce this problem with the syzkaller testcase:
>>>> ```
>>>> 02:37:07 executing program 3:
>>>> r0 = openat(0xffffffffffffff9c, &(0x7f0000000040)='./file0\x00', 0x26e1, 0x0)
>>>> ioctl$FS_IOC_FSSETXATTR(r0, 0x40086602, &(0x7f0000000080)={0x17e})
>>>> mkdirat(0xffffffffffffff9c, &(0x7f00000000c0)='./file1\x00', 0x1ff)
>>>> r1 = openat(0xffffffffffffff9c, &(0x7f0000000100)='./file1\x00', 0x0, 0x0)
>>>> ioctl$FS_IOC_FIEMAP(r1, 0xc020660b, &(0x7f0000000180)={0x0, 0x1, 0x0, 0xef3, 0x6, []}) (async, rerun: 32)
>>>> ioctl$FS_IOC_FSSETXATTR(r1, 0x40086602, &(0x7f0000000140)={0x17e}) (rerun: 32)
>>>> ```
>>>>
>>>> To solve this issue, we use __generic_block_fiemap() instead of
>>>> generic_block_fiemap() and add inode_lock_shared to avoid race condition.
>>>>
>>>> Reported-by: Hulk Robot <hulkci@...wei.com>
>>>> Signed-off-by: Baokun Li <libaokun1@...wei.com>
>>>> ---
>>>>    fs/ext4/extents.c | 15 +++++++++++----
>>>>    1 file changed, 11 insertions(+), 4 deletions(-)
>>> What is the git commit id of this change in Linus's tree?
>>>
>>> If it is not in Linus's tree, why not?
>>>
>>> confused,
>>>
>>> greg k-h
>>> .
>> This patch does not exist in the Linus' tree.
>>
>> This problem persists until the patch d3b6f23f7167("ext4: move ext4_fiemap
>> to use iomap framework") is incorporated in v5.7-rc1.
> Then why not ask for that change to be added instead?
>
> thanks,
>
> greg k-h
> .

If we want to switch to the iomap framework, we need to analyze and 
integrate about 60 patches.

The workload may be greater than that of solving this problem alone.

Thank you!

Thanks a lot!

-- 
With Best Regards,
Baokun Li


-- 
With Best Regards,
Baokun Li

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ