Open Source and information security mailing list archives
 
Message-ID: <20130712194229.GC342@thunk.org>
Date:	Fri, 12 Jul 2013 15:42:29 -0400
From:	Theodore Ts'o <tytso@....edu>
To:	Dave Jones <davej@...hat.com>,
	Linux Kernel <linux-kernel@...r.kernel.org>,
	linux-ext4@...r.kernel.org
Subject: Re: WARNING: at fs/ext4/inode.c:230 ext4_evict_inode+0x4b9/0x6d0()

On Fri, Jul 12, 2013 at 03:35:28PM -0400, Dave Jones wrote:
> Just hit a bunch of these..
> 
> WARNING: CPU: 0 PID: 995613 at fs/ext4/inode.c:230 ext4_evict_inode+0x4b9/0x6d0()

This is fixed up by the following commit which is queued up to be sent
to Linus, hopefully before he ships -rc1.  I'm just waiting for the
regression tests to complete before I send a pull request.

Thanks for testing and reporting this warning!

	   	    	     	      	   - Ted

commit 822dbba33458cd6ad0e715f3f4a57ebc99d54d1b
Author: Jan Kara <jack@...e.cz>
Date:   Wed Jul 10 21:31:04 2013 -0400

    ext4: fix warning in ext4_evict_inode()
    
    The following race can lead to ext4_evict_inode() seeing i_ioend_count
    > 0 and thus triggering a sanity check warning:
    
            CPU1                                    CPU2
    ext4_end_bio()                          ext4_evict_inode()
      ext4_finish_bio()
        end_page_writeback();
                                              truncate_inode_pages()
                                                evict page
                                            WARN_ON(i_ioend_count > 0);
      ext4_put_io_end_defer()
        ext4_release_io_end()
          dec i_ioend_count
    
    This is a possible use-after-free bug since we decrement i_ioend_count
    in a possibly released inode.
    
    Since i_ioend_count is used only for sanity checks one possible solution
    would be to just remove it but for now I'd like to keep those sanity
    checks to help debugging the new ext4 writeback code.
    
    This patch changes ext4_end_bio() to call ext4_put_io_end_defer() before
    ext4_finish_bio() in the shortcut case when unwritten extent conversion
    isn't needed.  In that case we don't need the io_end so we are safe to
    drop it early.
    
    Reported-by: Guenter Roeck <linux@...ck-us.net>
    Tested-by: Guenter Roeck <linux@...ck-us.net>
    Signed-off-by: Jan Kara <jack@...e.cz>
    Signed-off-by: "Theodore Ts'o" <tytso@....edu>
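The ordering described in the commit message above, as an added userspace model (not code from the kernel or from the patch): CPU2's eviction is attempted after each CPU1 step and is blocked only while writeback is pending. All names (model_inode, try_evict, run_end_bio, put_first) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: every name here is a hypothetical stand-in. */
struct model_inode {
    int  ioend_count;   /* sanity counter of outstanding io_end objects */
    bool writeback;     /* page still under writeback; blocks eviction */
    bool evicted;       /* eviction ran; a real inode could be freed now */
    bool warned;        /* eviction saw ioend_count > 0 (the WARN_ON) */
    bool late_access;   /* counter touched after eviction (use-after-free) */
};

/* CPU2: eviction waits for writeback, then performs the sanity check. */
static void try_evict(struct model_inode *ino) {
    if (ino->writeback || ino->evicted)
        return;
    if (ino->ioend_count > 0)
        ino->warned = true;
    ino->evicted = true;
}

/* CPU1 step: end writeback on the page (models ext4_finish_bio()). */
static void finish_bio(struct model_inode *ino) { ino->writeback = false; }

/* CPU1 step: drop the io_end, which decrements the inode's counter. */
static void put_io_end(struct model_inode *ino) {
    if (ino->evicted)
        ino->late_access = true;
    ino->ioend_count--;
}

struct outcome { bool warned; bool late_access; };

/* Run CPU1's two steps in the chosen order; CPU2 tries to evict after each. */
struct outcome run_end_bio(bool put_first) {
    struct model_inode ino = { .ioend_count = 1, .writeback = true };
    if (put_first) put_io_end(&ino); else finish_bio(&ino);
    try_evict(&ino);
    if (put_first) finish_bio(&ino); else put_io_end(&ino);
    try_evict(&ino);
    return (struct outcome){ ino.warned, ino.late_access };
}

int main(void) {
    struct outcome old = run_end_bio(false), fixed = run_end_bio(true);
    printf("finish,put: warn=%d late=%d | put,finish: warn=%d late=%d\n",
           old.warned, old.late_access, fixed.warned, fixed.late_access);
    return 0;
}
```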
