lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5575B061.6060603@kernel.dk>
Date:	Mon, 08 Jun 2015 09:10:25 -0600
From:	Jens Axboe <axboe@...nel.dk>
To:	Tejun Heo <tj@...nel.org>, Sasha Levin <sasha.levin@...cle.com>,
	Eric Van Hensbergen <ericvh@...il.com>,
	Ron Minnich <rminnich@...dia.gov>,
	Latchesar Ionkov <lucho@...kov.net>,
	v9fs-developer@...ts.sourceforge.net
CC:	linux-kernel@...r.kernel.org, jack@...e.cz, hch@...radead.org,
	hannes@...xchg.org, linux-fsdevel@...r.kernel.org,
	vgoyal@...hat.com, lizefan@...wei.com, cgroups@...r.kernel.org,
	linux-mm@...ck.org, mhocko@...e.cz, clm@...com,
	fengguang.wu@...el.com, david@...morbit.com, gthelen@...gle.com,
	khlebnikov@...dex-team.ru
Subject: Re: [PATCH block/for-4.2-writeback] v9fs: fix error handling in v9fs_session_init()

On 06/07/2015 11:57 PM, Tejun Heo wrote:
> On failure, v9fs_session_init() returns with the v9fs_session_info
> struct partially initialized and expects the caller to invoke
> v9fs_session_close() to clean it up; however, it doesn't track whether
> the bdi is initialized or not and curiously invokes bdi_destroy() in
> both vfs_session_init() failure path too.
>
> A. If v9fs_session_init() fails before the bdi is initialized, the
>     follow-up v9fs_session_close() will invoke bdi_destroy() on an
>     uninitialized bdi.
>
> B. If v9fs_session_init() fails after the bdi is initialized,
>     bdi_destroy() will be called twice on the same bdi - once in the
>     failure path of v9fs_session_init() and then by
>     v9fs_session_close().
>
> A is broken no matter what.  B used to be okay because bdi_destroy()
> allowed being invoked multiple times on the same bdi, which BTW was
> broken in its own way - if bdi_destroy() was invoked on an initialiezd
> but !registered bdi, it'd fail to free percpu counters.  Since
> f0054bb1e1f3 ("writeback: move backing_dev_info->wb_lock and
> ->worklist into bdi_writeback"), this no longer work - bdi_destroy()
> on an initialized but not registered bdi works correctly but multiple
> invocations of bdi_destroy() is no longer allowed.
>
> The obvious culprit here is v9fs_session_init()'s odd and broken error
> behavior.  It should simply clean up after itself on failures.  This
> patch makes the following updates to v9fs_session_init().
>
> * @rc -> @retval error return propagation removed.  It didn't serve
>    any purpose.  Just use @rc.
>
> * Move addition to v9fs_sessionlist to the end of the function so that
>    incomplete sessions are not put on the list or iterated and error
>    path doesn't have to worry about it.
>
> * Update error handling so that it cleans up after itself.
>
> Signed-off-by: Tejun Heo <tj@...nel.org>
> Reported-by: Sasha Levin <sasha.levin@...cle.com>

Added to for-4.2/writeback, thanks.

-- 
Jens Axboe

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Please read the FAQ at  http://www.tux.org/lkml/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ