Christoph Hellwig <[email protected]> writes:

> From: Jan Kara <[email protected]>
>
> Currently we dropped freeze protection of aio writes just after IO was
> submitted. Thus aio write could be in flight while the filesystem was
> frozen and that could result in unexpected situation like aio completion
> wanting to convert extent type on frozen filesystem. Testcase from
> Dmitry triggering this is like:
>
> for ((i=0;i<60;i++));do fsfreeze -f /mnt ;sleep 1;fsfreeze -u /mnt;done &
> fio --bs=4k --ioengine=libaio --iodepth=128 --size=1g --direct=1 \
>     --runtime=60 --filename=/mnt/file --name=rand-write --rw=randwrite
>
> Fix the problem by dropping freeze protection only once IO is completed
> in aio_complete().
>
> [hch: The above was the changelog of the original patch from Jan.
> It turns out that it fixes something even more important - a use
> after free of the file structure given that the direct I/O
> code calls fput and potentially drops the last reference to it in
> aio_complete. Together with two racing threads and a zero sized
> I/O this seems easily exploitable]
>
> Reported-by: Dmitry Monakhov <[email protected]>
> Signed-off-by: Jan Kara <[email protected]>
> [hch: switch to use __sb_writers_acquired and file_inode(file),
> updated changelog]
> Signed-off-by: Christoph Hellwig <[email protected]>

Reviewed-by: Jeff Moyer <[email protected]>

