Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Linux: Fix zfs_prune panics #16770

Merged
merged 1 commit into from
Nov 21, 2024
Merged

Linux: Fix zfs_prune panics #16770

merged 1 commit into from
Nov 21, 2024

Conversation

snajpa
Copy link
Contributor

@snajpa snajpa commented Nov 16, 2024

Motivation and Context

Linux: Fix zfs_prune panics:
#16324

Description

Linux: Fix zfs_prune panics

by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

How Has This Been Tested?

Low memory scenario docker pull with zfs as storage backend, now passes. Template build at vpsFree, also passes.

Types of changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Performance enhancement (non-breaking change which improves efficiency)
  • Code cleanup (non-breaking change which makes code smaller or more readable)
  • Breaking change (fix or feature that would cause existing functionality to change)
  • Library ABI change (libzfs, libzfs_core, libnvpair, libuutil and libzfsbootenv)
  • Documentation (a change to man pages or other documentation)

Checklist:

@github-actions github-actions bot added the Status: Work in Progress Not yet ready for general review label Nov 16, 2024
@snajpa snajpa marked this pull request as ready for review November 16, 2024 15:00
@github-actions github-actions bot added Status: Code Review Needed Ready for review and testing and removed Status: Work in Progress Not yet ready for general review labels Nov 16, 2024
@satmandu
Copy link
Contributor

@behlendorf Any chance of getting this reviewed for #16760 2.3.0-rc4?
(I'm biased as someone who makes heavy use of docker.)

@behlendorf behlendorf self-requested a review November 19, 2024 18:06
module/os/linux/zfs/zpl_super.c Show resolved Hide resolved
@snajpa snajpa force-pushed the fix-lowmem branch 2 times, most recently from 38893b6 to 649c441 Compare November 20, 2024 15:26
Copy link
Contributor

@behlendorf behlendorf left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The free_inode change makes sense, thanks for spotting it. Could you just move it in to it's own PR.

module/os/linux/zfs/zpl_super.c Show resolved Hide resolved
@snajpa
Copy link
Contributor Author

snajpa commented Nov 20, 2024

The free_inode change makes sense, thanks for spotting it. Could you just move it in to it's own PR.

#16788

@snajpa snajpa changed the title Linux: fix 2 lowmem bugs Linux: Fix zfs_prune panics Nov 20, 2024
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Signed-off-by: Pavel Snajdr <[email protected]>
@behlendorf behlendorf added Status: Accepted Ready to integrate (reviewed, tested) and removed Status: Code Review Needed Ready for review and testing labels Nov 21, 2024
@AllKind
Copy link
Contributor

AllKind commented Nov 21, 2024

@tonyhutter Maybe it'd be good to have this fix in 2.2.7?

@behlendorf behlendorf merged commit 38c0324 into openzfs:master Nov 21, 2024
23 checks passed
@satmandu satmandu mentioned this pull request Nov 22, 2024
7 tasks
behlendorf pushed a commit to behlendorf/zfs that referenced this pull request Nov 23, 2024
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Adam Moss <[email protected]>
Signed-off-by: Pavel Snajdr <[email protected]>
Closes openzfs#16770
ixhamza pushed a commit to truenas/zfs that referenced this pull request Dec 2, 2024
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Adam Moss <[email protected]>
Signed-off-by: Pavel Snajdr <[email protected]>
Closes openzfs#16770
behlendorf pushed a commit to behlendorf/zfs that referenced this pull request Dec 3, 2024
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Adam Moss <[email protected]>
Signed-off-by: Pavel Snajdr <[email protected]>
Closes openzfs#16770
arter97 pushed a commit to arter97/zfs that referenced this pull request Dec 9, 2024
by protecting against sb->s_shrink eviction on umount with newer kernels

deactivate_locked_super calls shrinker_free and only then
sops->kill_sb cb, resulting in UAF on umount when trying
to reach for the shrinker functions in zpl_prune_sb of
in-umount dataset

Reviewed-by: Brian Behlendorf <[email protected]>
Reviewed-by: Adam Moss <[email protected]>
Signed-off-by: Pavel Snajdr <[email protected]>
Closes openzfs#16770
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Status: Accepted Ready to integrate (reviewed, tested)
Projects
None yet
Development

Successfully merging this pull request may close these issues.

5 participants