• B
    xfs: hold buffer across unpin and potential shutdown processing · baa590d3
    Brian Foster 提交于
    mainline inclusion
    from mainline-v5.13-rc4
    commit 84d8949e
    category: bugfix
    bugzilla: 185862 https://gitee.com/openeuler/kernel/issues/I4KIAO
    
    Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=84d8949e770745b16a7e8a68dcb1d0f3687bdee9
    
    --------------------------------
    
    The special processing used to simulate a buffer I/O failure on fs
    shutdown has a difficult to reproduce race that can result in a use
    after free of the associated buffer. Consider a buffer that has been
    committed to the on-disk log and thus is AIL resident. The buffer
    lands on the writeback delwri queue, but is subsequently locked,
    committed and pinned by another transaction before submitted for
    I/O. At this point, the buffer is stuck on the delwri queue as it
    cannot be submitted for I/O until it is unpinned. A log checkpoint
    I/O failure occurs sometime later, which aborts the bli. The unpin
    handler is called with the aborted log item, drops the bli reference
    count, the pin count, and falls into the I/O failure simulation
    path.
    
    The potential problem here is that once the pin count falls to zero
    in ->iop_unpin(), xfsaild is free to retry delwri submission of the
    buffer at any time, before the unpin handler even completes. If
    delwri queue submission wins the race to the buffer lock, it
    observes the shutdown state and simulates the I/O failure itself.
    This releases both the bli and delwri queue holds and frees the
    buffer while xfs_buf_item_unpin() sits on xfs_buf_lock() waiting to
    run through the same failure sequence. This problem is rare and
    requires many iterations of fstest generic/019 (which simulates disk
    I/O failures) to reproduce.
    
    To avoid this problem, grab a hold on the buffer before the log item
    is unpinned if the associated item has been aborted and will require
    a simulated I/O failure. The hold is already required for the
    simulated I/O failure, so the ordering simply guarantees the unpin
    handler access to the buffer before it is unpinned and thus
    processed by the AIL. This particular ordering is required so long
    as the AIL does not acquire a reference on the bli, which is the
    long term solution to this problem.
    Signed-off-by: NBrian Foster <bfoster@redhat.com>
    Reviewed-by: NDarrick J. Wong <djwong@kernel.org>
    Signed-off-by: NDarrick J. Wong <djwong@kernel.org>
    Signed-off-by: NGuo Xuenan <guoxuenan@huawei.com>
    Reviewed-by: NLihong Kou <koulihong@huawei.com>
    Signed-off-by: NZheng Zengkai <zhengzengkai@huawei.com>
    baa590d3
xfs_buf_item.c 27.1 KB