Re: block: GPF in get_task_ioprio

[Omar Sandoval <osandov@osandov.com>]

On Thu, Jun 30, 2016 at 10:50:44AM +0200, Dmitry Vyukov wrote:
> Hello,
> 
> The following program triggers GPF in get_task_ioprio if run in a parallel loop:

Dmitry,

Could you please try the below?

diff --git a/block/ioprio.c b/block/ioprio.c
index cc7800e9eb44..01b8116298a1 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -150,8 +150,10 @@ static int get_task_ioprio(struct task_struct *p)
 	if (ret)
 		goto out;
 	ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+	task_lock(p);
 	if (p->io_context)
 		ret = p->io_context->ioprio;
+	task_unlock(p);
 out:
 	return ret;
 }

I'm having a hard time reproducing it but I can see how it could happen;
I think `p->io_context` is getting freed in exit_io_context() in between
the `if (p->io_context)` and `ret = p->io_context->ioprio`.

Thanks,
Omar

> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> 
> int main()
> {
>   syscall(SYS_ioprio_set, 0x2ul, 0x0ul, 0x7ffful, 0, 0, 0);
>   syscall(SYS_ioprio_get, 0x3ul, 0x0ul, 0, 0, 0, 0);
>   return 0;
> }
> 
> This patch also seems to help to trigger it:
> 
>  int set_task_ioprio(struct task_struct *task, int ioprio)
>  {
> @@ -150,8 +151,10 @@ static int get_task_ioprio(struct task_struct *p)
>         if (ret)
>                 goto out;
>         ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
> -       if (p->io_context)
> +       if (p->io_context) {
> +               ndelay(10000);
>                 ret = p->io_context->ioprio;
> +       }
>  out:
>         return ret;
>  }
> 
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
> Modules linked in:
> CPU: 2 PID: 8978 Comm: a.out Not tainted 4.7.0-rc5+ #22
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff8800612397c0 ti: ffff880062d08000 task.ti: ffff880062d08000
> RIP: 0010:[<ffffffff82c7fa2a>]
>   [<ffffffff82c7fa2a>] get_task_ioprio+0x9a/0xe0 block/ioprio.c:156
> RSP: 0018:ffff880062d0feb8  EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000007605
> RDX: 0000000000000009 RSI: 0000002004a58c71 RDI: 0000000000000048
> RBP: ffff880062d0fed0 R08: 0000000000000002 R09: 0000000000000002
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800647817c0
> R13: ffff8800647827b0 R14: ffffffff82c80ac2 R15: dffffc0000000000
> FS:  0000000001127880(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000004b20c0 CR3: 0000000061894000 CR4: 00000000000006e0
> Stack:
>  ffff8800647817c0 0000000000000000 ffffffff8813a660 ffff880062d0ff48
>  ffffffff82c80ec5 ffffffff82c80ac2 ffffffff880f8240 0000000362d0ff48
>  0000000000000000 000040037fff4003 fffffbfff101f048 ffffffff880f81e0
> Call Trace:
>  [<     inline     >] SYSC_ioprio_get block/ioprio.c:230
>  [<ffffffff82c80ec5>] SyS_ioprio_get+0x795/0x9c0 block/ioprio.c:182
>  [<ffffffff86a9b380>] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
> Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4f 49 8b 9c 24 f0 0f 00
> 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <0f>
> b6 04 02 84 c0 74 04 3c 01 7e 12 0f b7 5b 48 e8 51 6f 91 fe
> RIP  [<ffffffff82c7fa2a>] get_task_ioprio+0x9a/0xe0 block/ioprio.c:156
>  RSP <ffff880062d0feb8>
> ---[ end trace 8b400ca760ff21a5 ]---
> 
> On commit 00bf377d19ad3d80cbc7a036521279a86e397bfb (Jun 29).
> --
> To unsubscribe from this list: send the line "unsubscribe linux-block" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

-- 
Omar