Subject: Re: [PATCH] block: fix use-after-free in dio_bio_complete
From: Jens Axboe
To: Mike Krinkin
Date: Sat, 30 Jan 2016 22:01:16 -0700
Message-ID: <56AD951C.7080406@fb.com>
In-Reply-To: <1454170199-21646-1-git-send-email-krinkin.m.u@gmail.com>
List: linux-kernel@vger.kernel.org

On 01/30/2016 09:09 AM, Mike Krinkin wrote:
> kasan reported the following error when I ran xfstest:
>
> [ 701.826854] ==================================================================
> [ 701.826864] BUG: KASAN: use-after-free in dio_bio_complete+0x41a/0x600 at addr ffff880080b95f94
> [ 701.826870] Read of size 4 by task loop2/3874
> [ 701.826879] page:ffffea000202e540 count:0 mapcount:0 mapping: (null) index:0x0
> [ 701.826890] flags: 0x100000000000000()
> [ 701.826895] page dumped because: kasan: bad access detected
> [ 701.826904] CPU: 3 PID: 3874 Comm: loop2 Tainted: G B W L 4.5.0-rc1-next-20160129 #83
> [ 701.826910] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
> [ 701.826917] ffff88008fadf800 ffff88008fadf758 ffffffff81ca67bb 0000000041b58ab3
> [ 701.826941] ffffffff830d1e74 ffffffff81ca6724 ffff88008fadf748 ffffffff8161c05c
> [ 701.826963] 0000000000000282 ffff88008fadf800 ffffed0010172bf2 ffffea000202e540
> [ 701.826987] Call Trace:
> [ 701.826997] [] dump_stack+0x97/0xdc
> [ 701.827005] [] ? _atomic_dec_and_lock+0xc4/0xc4
> [ 701.827014] [] ? __dump_page+0x32c/0x490
> [ 701.827023] [] kasan_report_error+0x5f3/0x8b0
> [ 701.827033] [] ? dio_bio_complete+0x41a/0x600
> [ 701.827040] [] __asan_report_load4_noabort+0x59/0x80
> [ 701.827048] [] ? dio_bio_complete+0x41a/0x600
> [ 701.827053] [] dio_bio_complete+0x41a/0x600
> [ 701.827057] [] ? blk_queue_exit+0x108/0x270
> [ 701.827060] [] dio_bio_end_aio+0xa0/0x4d0
> [ 701.827063] [] ? dio_bio_complete+0x600/0x600
> [ 701.827067] [] ? blk_account_io_completion+0x316/0x5d0
> [ 701.827070] [] bio_endio+0x79/0x200
> [ 701.827074] [] blk_update_request+0x1df/0xc50
> [ 701.827078] [] blk_mq_end_request+0x57/0x120
> [ 701.827081] [] __blk_mq_complete_request+0x310/0x590
> [ 701.827084] [] ? set_next_entity+0x2f8/0x2ed0
> [ 701.827088] [] ? put_prev_entity+0x22d/0x2a70
> [ 701.827091] [] blk_mq_complete_request+0x5b/0x80
> [ 701.827094] [] loop_queue_work+0x273/0x19d0
> [ 701.827098] [] ? finish_task_switch+0x1c8/0x8e0
> [ 701.827101] [] ? trace_hardirqs_on_caller+0x18/0x6c0
> [ 701.827104] [] ? lo_read_simple+0x890/0x890
> [ 701.827108] [] ? debug_check_no_locks_freed+0x350/0x350
> [ 701.827111] [] ? __hrtick_start+0x130/0x130
> [ 701.827115] [] ? __schedule+0x936/0x20b0
> [ 701.827118] [] ? kthread_worker_fn+0x3ed/0x8d0
> [ 701.827121] [] ? kthread_worker_fn+0x21d/0x8d0
> [ 701.827125] [] ? trace_hardirqs_on_caller+0x18/0x6c0
> [ 701.827128] [] kthread_worker_fn+0x2af/0x8d0
> [ 701.827132] [] ? __init_kthread_worker+0x170/0x170
> [ 701.827135] [] ? _raw_spin_unlock_irqrestore+0x36/0x60
> [ 701.827138] [] ? __init_kthread_worker+0x170/0x170
> [ 701.827141] [] ? __init_kthread_worker+0x170/0x170
> [ 701.827144] [] kthread+0x24b/0x3a0
> [ 701.827148] [] ? kthread_create_on_node+0x4c0/0x4c0
> [ 701.827151] [] ? trace_hardirqs_on+0xd/0x10
> [ 701.827155] [] ? do_group_exit+0xdd/0x350
> [ 701.827158] [] ? kthread_create_on_node+0x4c0/0x4c0
> [ 701.827161] [] ret_from_fork+0x3f/0x70
> [ 701.827165] [] ? kthread_create_on_node+0x4c0/0x4c0
> [ 701.827167] Memory state around the buggy address:
> [ 701.827170] ffff880080b95e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 701.827172] ffff880080b95f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 701.827175] >ffff880080b95f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 701.827177] ^
> [ 701.827179] ffff880080b96000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 701.827182] ffff880080b96080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
> [ 701.827183] ==================================================================
>
> The problem is that bio_check_pages_dirty calls bio_put, so we must
> not access bio fields after bio_check_pages_dirty.

Thanks, patch is correct, I have added it.

-- 
Jens Axboe
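The quoted explanation describes a classic reference-count ordering bug: a helper consumes the caller's reference and may free the object, so any field read after that call is a use-after-free. The following is an added, self-contained C model of that bug and its fix; it is not the kernel's code and not the patch under discussion. All names (toy_bio, toy_bio_put, toy_check_pages_dirty, toy_complete_buggy, toy_complete_fixed, and the constructed -5 status) are assumptions for illustration. Where the real kernel relies on KASAN's shadow memory to flag the bad read, the toy allocator keeps a per-object "freed" bit and reports the access through a checked accessor instead of dereferencing freed memory.

```c
/*
 * Added example, not kernel code: a toy model of the "read after the
 * reference-dropping call" bug. toy_check_pages_dirty() stands in for a
 * helper that calls the object's put(); the buggy completion reads a field
 * after it, the fixed completion captures the field first. The freed bit
 * emulates KASAN so the bad read is reported rather than undefined.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define TOY_NR_BIOS 4
#define TOY_UAF (-9999)   /* sentinel returned for a read of a freed object */

struct toy_bio {
    int refcnt;
    int error;    /* completion status, in the role of a bio's status field */
    bool freed;   /* toy shadow bit: set once the last reference is dropped */
};

static struct toy_bio toy_pool[TOY_NR_BIOS];
static int toy_uaf_reports;   /* number of detected use-after-free reads */

/* Allocate an object with one reference held by the caller. */
static struct toy_bio *toy_bio_alloc(int error)
{
    for (size_t i = 0; i < TOY_NR_BIOS; i++) {
        if (toy_pool[i].refcnt == 0) {
            toy_pool[i].refcnt = 1;
            toy_pool[i].error = error;
            toy_pool[i].freed = false;
            return &toy_pool[i];
        }
    }
    return NULL;
}

/* Drop one reference; the last put releases the object. */
static void toy_bio_put(struct toy_bio *bio)
{
    if (--bio->refcnt == 0) {
        bio->error = 0;      /* contents are no longer meaningful after free */
        bio->freed = true;
    }
}

/* Checked field read: counts a report and returns TOY_UAF if the object is gone. */
static int toy_bio_error(const struct toy_bio *bio)
{
    if (bio->freed) {
        toy_uaf_reports++;
        return TOY_UAF;
    }
    return bio->error;
}

/* Stand-in for the helper in the report: it consumes the caller's reference. */
static void toy_check_pages_dirty(struct toy_bio *bio)
{
    toy_bio_put(bio);
}

/* Buggy ordering: the field is read after the call that may free the object. */
static int toy_complete_buggy(struct toy_bio *bio)
{
    toy_check_pages_dirty(bio);
    return toy_bio_error(bio);    /* use-after-free when that was the last ref */
}

/* Fixed ordering: capture what is needed, then give up the reference. */
static int toy_complete_fixed(struct toy_bio *bio)
{
    int err = toy_bio_error(bio);
    toy_check_pages_dirty(bio);
    return err;
}

/* Drive one completion path on a fresh object; returns the value it read. */
static int toy_drive(int (*complete)(struct toy_bio *))
{
    struct toy_bio *b = toy_bio_alloc(-5);   /* constructed error status */
    return complete(b);
}

static int toy_uaf_report_count(void)
{
    return toy_uaf_reports;
}

int main(void)
{
    printf("buggy read: %d (uaf reports: %d)\n",
           toy_drive(toy_complete_buggy), toy_uaf_report_count());
    printf("fixed read: %d (uaf reports: %d)\n",
           toy_drive(toy_complete_fixed), toy_uaf_report_count());
    return 0;
}
```

The fix pattern generalizes beyond this one call site: whenever a callee may drop the last reference, every field the caller still needs must be copied out before the call, and a checked accessor or sanitizer is what turns the silent garbage read into a report like the one quoted above.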