From: Ming Lei <ming.lei@redhat.com>
To: John Garry <john.garry@huawei.com>
Cc: "axboe@kernel.dk" <axboe@kernel.dk>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
Christoph Hellwig <hch@infradead.org>
Subject: Re: [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8
Date: Wed, 19 Aug 2020 22:21:47 +0800
Message-ID: <20200819142147.GA2795390@T590>
In-Reply-To: <83de2368-a122-3b9c-db15-63ea442eecd9@huawei.com>
On Wed, Aug 19, 2020 at 11:14:34AM +0100, John Garry wrote:
> On 19/08/2020 09:58, Ming Lei wrote:
> > > ah, right. I vaguely remember this. Well, if we didn't have a reliable
> > > reproducer before, we do now.
> > OK, that is great, please try the following patch:
> >
> > diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
> > index 32d82e23b095..f18632c524e9 100644
> > --- a/block/blk-mq-tag.c
> > +++ b/block/blk-mq-tag.c
> > @@ -185,19 +185,19 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
> > {
> > struct bt_iter_data *iter_data = data;
> > struct blk_mq_hw_ctx *hctx = iter_data->hctx;
> > - struct blk_mq_tags *tags = hctx->tags;
> > + struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
> > bool reserved = iter_data->reserved;
> > struct request *rq;
> > if (!reserved)
> > bitnr += tags->nr_reserved_tags;
> > - rq = tags->rqs[bitnr];
> > + rq = tags->static_rqs[bitnr];
> > /*
> > * We can hit rq == NULL here, because the tagging functions
> > * test and set the bit before assigning ->rqs[].
> > */
> > - if (rq && rq->q == hctx->queue)
> > + if (rq && rq->tag >= 0 && rq->q == hctx->queue)
> > return iter_data->fn(hctx, rq, iter_data->data, reserved);
> > return true;
> > }
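Review bot: the comment above the changed `rq = tags->static_rqs[bitnr];` line still explains the NULL case in terms of `->rqs[]` ("the tagging functions test and set the bit before assigning ->rqs[]"), which no longer matches the array being read; please reword it to say why an entry from `static_rqs[]` can still be a request that must be skipped, since that is what the added `rq->tag >= 0` test is there for. Also, `hctx->sched_tags ?: hctx->tags` is selected here and again in blk_mq_queue_tag_busy_iter, and `bitnr + tags->nr_reserved_tags` only indexes the right request if the bitmap the caller walks belongs to the same `tags`, so either a short comment or a small helper shared by both sites would make that coupling explicit.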
> > @@ -406,7 +406,7 @@ void blk_mq_queue_tag_busy_iter(struct request_queue *q, busy_iter_fn *fn,
> > return;
> > queue_for_each_hw_ctx(q, hctx, i) {
> > - struct blk_mq_tags *tags = hctx->tags;
> > + struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
> > /*
> > * If no software queues are currently mapped to this
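Review bot: the hunk ends right after the new `tags` assignment, so the iteration that follows is not shown; the reviewer needs to see that it walks the bitmaps of the same `tags` now chosen here (the scheduler tags when an elevator is attached), because bt_iter above indexes `static_rqs` with whatever bit number it receives and the two must refer to the same tag space. Selecting `sched_tags` also means the walk now covers requests that hold a scheduler tag but no driver tag yet, and only the `rq->tag >= 0` check in bt_iter keeps those out of the busy count; a one-line comment at this assignment noting that dependency would help the next person who touches either function.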
>
> I gave it a quick try and it looks to silence KASAN. I'll try to test more
> over the next day or so.
>
> BTW, I doubt KASAN is even right to complain about this. I'll check that
> thread you pointed me at to learn more about what was discussed on that.
I guess that elevator switch may have to be involved in your reproducer: stale
requests which are freed before switching to new elevator can stay in tags->rqs[],
then these stale requests are retrieved when reading iostat before old request slots in
tags->rqs[] are reset.
The patch should fix this issue.
Thanks,
Ming
Thread overview:
2020-08-18 12:03 [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8 John Garry
2020-08-18 18:19 ` John Garry
2020-08-19 0:00 ` Ming Lei
2020-08-19 7:43 ` John Garry
2020-08-19 8:58 ` Ming Lei
2020-08-19 10:14 ` John Garry
2020-08-19 14:21 ` Ming Lei [this message]
2020-08-19 16:48 ` John Garry