From: Jan Kara <jack@suse.cz>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: jack@suse.cz, tj@kernel.org, josef@toxicpanda.com,
axboe@kernel.dk, paolo.valente@unimore.it,
mauro.andreolini@unimore.it, avanzini.arianna@gmail.com,
cgroups@vger.kernel.org, linux-block@vger.kernel.org,
linux-kernel@vger.kernel.org, yukuai3@huawei.com,
yi.zhang@huawei.com, yangerkun@huawei.com
Subject: Re: [PATCH for-6.12 1/4] block, bfq: fix possible UAF for bfqq->bic with merge chain
Date: Wed, 4 Sep 2024 13:51:48 +0200
Message-ID: <20240904115148.ed46quqe7bavjeei@quack3>
In-Reply-To: <20240902130329.3787024-2-yukuai1@huaweicloud.com>
On Mon 02-09-24 21:03:26, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
>
> 1) initial state, three tasks:
>
>                 Process 1       Process 2       Process 3
>                  (BIC1)          (BIC2)          (BIC3)
>                   |  Λ            |  Λ            |  Λ
>                   |  |            |  |            |  |
>                   V  |            V  |            V  |
>                   bfqq1           bfqq2           bfqq3
> process ref:       1               1               1
>
> 2) bfqq1 merged to bfqq2:
>
>                 Process 1       Process 2       Process 3
>                  (BIC1)          (BIC2)          (BIC3)
>                   |               |               |  Λ
>                   \--------------\|               |  |
>                                   V               V  |
>                   bfqq1---------->bfqq2           bfqq3
> process ref:       0               2               1
>
> 3) bfqq2 merged to bfqq3:
>
>                 Process 1       Process 2       Process 3
>                  (BIC1)          (BIC2)          (BIC3)
>            here -> Λ               |               |
>                   \--------------\ \-------------\|
>                                   V               V
>                   bfqq1---------->bfqq2---------->bfqq3
> process ref:       0               1               3
>
> In this case, IO from Process 1 will get bfqq2 from BIC1 first, and then
> get bfqq3 through the merge chain, and finally handle IO by bfqq3.
> However, current code will think bfqq2 is owned by BIC1, like the initial
> state, and set bfqq2->bic to BIC1.
>
> bfq_insert_request
>  -> by Process 1
>  bfqq = bfq_init_rq(rq)
>   bfqq = bfq_get_bfqq_handle_split
>    bfqq = bic_to_bfqq
>    -> get bfqq2 from BIC1
>   bfqq->ref++
>   rq->elv.priv[0] = bic
>   rq->elv.priv[1] = bfqq
>   if (bfqq_process_refs(bfqq) == 1)
>    bfqq->bic = bic
>    -> record BIC1 to bfqq2
>
>  __bfq_insert_request
>   new_bfqq = bfq_setup_cooperator
>   -> get bfqq3 from bfqq2->new_bfqq
>   bfqq_request_freed(bfqq)
>   new_bfqq->ref++
>   rq->elv.priv[1] = new_bfqq
>   -> handle IO by bfqq3
>
> Fix the problem by checking whether bfqq is from a merge chain first. And this
> might fix a following problem reported by our syzkaller (unreproducible):
>
> ==================================================================
> BUG: KASAN: slab-use-after-free in bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
> BUG: KASAN: slab-use-after-free in bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
> BUG: KASAN: slab-use-after-free in bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
> Write of size 1 at addr ffff888123839eb8 by task kworker/0:1H/18595
>
> CPU: 0 PID: 18595 Comm: kworker/0:1H Tainted: G L 6.6.0-07439-gba2303cacfda #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.14.0-0-g155821a1990b-prebuilt.qemu.org 04/01/2014
> Workqueue: kblockd blk_mq_requeue_work
> Call Trace:
> <TASK>
> __dump_stack lib/dump_stack.c:88 [inline]
> dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
> print_address_description mm/kasan/report.c:364 [inline]
> print_report+0x10d/0x610 mm/kasan/report.c:475
> kasan_report+0x8e/0xc0 mm/kasan/report.c:588
> bfq_do_early_stable_merge block/bfq-iosched.c:5692 [inline]
> bfq_do_or_sched_stable_merge block/bfq-iosched.c:5805 [inline]
> bfq_get_queue+0x25b0/0x2610 block/bfq-iosched.c:5889
> bfq_get_bfqq_handle_split+0x169/0x5d0 block/bfq-iosched.c:6757
> bfq_init_rq block/bfq-iosched.c:6876 [inline]
> bfq_insert_request block/bfq-iosched.c:6254 [inline]
> bfq_insert_requests+0x1112/0x5cf0 block/bfq-iosched.c:6304
> blk_mq_insert_request+0x290/0x8d0 block/blk-mq.c:2593
> blk_mq_requeue_work+0x6bc/0xa70 block/blk-mq.c:1502
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
> worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
> kthread+0x33c/0x440 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
> </TASK>
>
> Allocated by task 20776:
> kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
> kasan_set_track+0x25/0x30 mm/kasan/common.c:52
> __kasan_slab_alloc+0x87/0x90 mm/kasan/common.c:328
> kasan_slab_alloc include/linux/kasan.h:188 [inline]
> slab_post_alloc_hook mm/slab.h:763 [inline]
> slab_alloc_node mm/slub.c:3458 [inline]
> kmem_cache_alloc_node+0x1a4/0x6f0 mm/slub.c:3503
> ioc_create_icq block/blk-ioc.c:370 [inline]
> ioc_find_get_icq+0x180/0xaa0 block/blk-ioc.c:436
> bfq_prepare_request+0x39/0xf0 block/bfq-iosched.c:6812
> blk_mq_rq_ctx_init.isra.7+0x6ac/0xa00 block/blk-mq.c:403
> __blk_mq_alloc_requests+0xcc0/0x1070 block/blk-mq.c:517
> blk_mq_get_new_requests block/blk-mq.c:2940 [inline]
> blk_mq_submit_bio+0x624/0x27c0 block/blk-mq.c:3042
> __submit_bio+0x331/0x6f0 block/blk-core.c:624
> __submit_bio_noacct_mq block/blk-core.c:703 [inline]
> submit_bio_noacct_nocheck+0x816/0xb40 block/blk-core.c:732
> submit_bio_noacct+0x7a6/0x1b50 block/blk-core.c:826
> xlog_write_iclog+0x7d5/0xa00 fs/xfs/xfs_log.c:1958
> xlog_state_release_iclog+0x3b8/0x720 fs/xfs/xfs_log.c:619
> xlog_cil_push_work+0x19c5/0x2270 fs/xfs/xfs_log_cil.c:1330
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
> worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
> kthread+0x33c/0x440 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
>
> Freed by task 946:
> kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
> kasan_set_track+0x25/0x30 mm/kasan/common.c:52
> kasan_save_free_info+0x2b/0x50 mm/kasan/generic.c:522
> ____kasan_slab_free mm/kasan/common.c:236 [inline]
> __kasan_slab_free+0x12c/0x1c0 mm/kasan/common.c:244
> kasan_slab_free include/linux/kasan.h:164 [inline]
> slab_free_hook mm/slub.c:1815 [inline]
> slab_free_freelist_hook mm/slub.c:1841 [inline]
> slab_free mm/slub.c:3786 [inline]
> kmem_cache_free+0x118/0x6f0 mm/slub.c:3808
> rcu_do_batch+0x35c/0xe30 kernel/rcu/tree.c:2189
> rcu_core+0x819/0xd90 kernel/rcu/tree.c:2462
> __do_softirq+0x1b0/0x7a2 kernel/softirq.c:553
>
> Last potentially related work creation:
> kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
> __call_rcu_common kernel/rcu/tree.c:2712 [inline]
> call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
> ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
> ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
> worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
> kthread+0x33c/0x440 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
>
> Second to last potentially related work creation:
> kasan_save_stack+0x20/0x40 mm/kasan/common.c:45
> __kasan_record_aux_stack+0xaf/0xc0 mm/kasan/generic.c:492
> __call_rcu_common kernel/rcu/tree.c:2712 [inline]
> call_rcu+0xce/0x1020 kernel/rcu/tree.c:2826
> ioc_destroy_icq+0x54c/0x830 block/blk-ioc.c:105
> ioc_release_fn+0xf0/0x360 block/blk-ioc.c:124
> process_one_work kernel/workqueue.c:2627 [inline]
> process_scheduled_works+0x432/0x13f0 kernel/workqueue.c:2700
> worker_thread+0x6f2/0x1160 kernel/workqueue.c:2781
> kthread+0x33c/0x440 kernel/kthread.c:388
> ret_from_fork+0x4d/0x80 arch/x86/kernel/process.c:147
> ret_from_fork_asm+0x1b/0x30 arch/x86/entry/entry_64.S:305
>
> The buggy address belongs to the object at ffff888123839d68
> which belongs to the cache bfq_io_cq of size 1360
> The buggy address is located 336 bytes inside of
> freed 1360-byte region [ffff888123839d68, ffff88812383a2b8)
>
> The buggy address belongs to the physical page:
> page:ffffea00048e0e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff88812383f588 pfn:0x123838
> head:ffffea00048e0e00 order:3 entire_mapcount:0 nr_pages_mapped:0 pincount:0
> flags: 0x17ffffc0000a40(workingset|slab|head|node=0|zone=2|lastcpupid=0x1fffff)
> page_type: 0xffffffff()
> raw: 0017ffffc0000a40 ffff88810588c200 ffffea00048ffa10 ffff888105889488
> raw: ffff88812383f588 0000000000150006 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff888123839d80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888123839e00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff888123839e80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff888123839f00: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff888123839f80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> Fixes: 36eca8948323 ("block, bfq: add Early Queue Merge (EQM)")
> Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Looks good. Feel free to add:
Reviewed-by: Jan Kara <jack@suse.cz>
Honza
> ---
> block/bfq-iosched.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> index 36a4998c4b37..83adac3e71db 100644
> --- a/block/bfq-iosched.c
> +++ b/block/bfq-iosched.c
> @@ -6934,7 +6934,8 @@ static struct bfq_queue *bfq_init_rq(struct request *rq)
> * addition, if the queue has also just been split, we have to
> * resume its state.
> */
> - if (likely(bfqq != &bfqd->oom_bfqq) && bfqq_process_refs(bfqq) == 1) {
> + if (likely(bfqq != &bfqd->oom_bfqq) && !bfqq->new_bfqq &&
> + bfqq_process_refs(bfqq) == 1) {
> bfqq->bic = bic;
> if (split) {
> /*
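Review bot: the comment above the condition ("if the queue has also just been split, we have to resume its state") still describes only the split case; with `!bfqq->new_bfqq` added it no longer says why a queue that has been merged into another must not record `bic`, and the new condition also skips the `if (split)` state-restore for such a queue. Worth extending the comment to state that a bfqq with `new_bfqq` set is a redirected hop of a merge chain rather than the bic's own queue (the request is re-pointed to the chain tail in __bfq_insert_request(), as the commit message describes), so neither `bfqq->bic = bic` nor the split-state resume applies to it, and to confirm the second effect is intended.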
> --
> 2.39.2
>
--
Jan Kara <jack@suse.com>
SUSE Labs, CR
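The merge-chain scenario from the commit message, replayed as an added C model written for this page (not kernel code, not part of the patch or the thread): the structs, merge_bfqqs(), chain_tail() and the process-ref accounting are simplified stand-ins for struct bfq_queue, struct bfq_io_cq, bfq_merge_bfqqs()/bfq_setup_merge() and bfqq_process_refs(), and the `freed` flag is a model of the icq being destroyed. It reproduces the 0/1/3 process refs of state 3, shows that the pre-fix test bfqq_process_refs(bfqq) == 1 holds for bfqq2 even though bfqq2 is only a hop on the chain, and that the added !bfqq->new_bfqq test keeps BIC1 from being recorded there, so nothing dangles once BIC1 is freed.

```c
/*
 * Constructed model of the bfqq merge chain and of the bfqq->bic ownership
 * check in bfq_init_rq(), before and after the fix.  Illustration only;
 * every struct and helper here is a simplified stand-in for the BFQ code.
 */
#include <assert.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

struct bfqq;

struct bic {                  /* stand-in for struct bfq_io_cq (one per process) */
    const char *name;
    struct bfqq *bfqq;        /* queue this process's I/O is currently sent to */
    bool freed;               /* set once ioc_destroy_icq() has run (model only) */
};

struct bfqq {                 /* stand-in for struct bfq_queue */
    const char *name;
    int process_refs;         /* stand-in for bfqq_process_refs() */
    struct bfqq *new_bfqq;    /* next hop of the merge chain, NULL at the tail */
    struct bic *bic;          /* bic recorded as the queue's exclusive owner */
};

/*
 * Model of the merge done by the process owning 'bic': all process refs of
 * bfqq move to new_bfqq, the merging process is repointed and drops its own
 * ref on bfqq, and neither queue keeps a single recorded owner.  A process
 * that has not issued I/O since the merge still points at bfqq and still
 * holds its ref there (that is BIC1 -> bfqq2 in state 3).
 */
static void merge_bfqqs(struct bic *bic, struct bfqq *bfqq, struct bfqq *new_bfqq)
{
    assert(bic->bfqq == bfqq && bfqq->new_bfqq == NULL);
    bfqq->new_bfqq = new_bfqq;
    new_bfqq->process_refs += bfqq->process_refs;
    bic->bfqq = new_bfqq;
    bfqq->process_refs--;
    bfqq->bic = NULL;
    new_bfqq->bic = NULL;
}

/* Follow bfqq->new_bfqq to the tail, as bfq_setup_cooperator() ends up doing. */
static struct bfqq *chain_tail(struct bfqq *q)
{
    while (q->new_bfqq)
        q = q->new_bfqq;
    return q;
}

/* The two versions of the ownership test from the hunk. */
static bool exclusive_owner_old(const struct bfqq *q)
{
    return q->process_refs == 1;
}

static bool exclusive_owner_fixed(const struct bfqq *q)
{
    return q->new_bfqq == NULL && q->process_refs == 1;
}

/*
 * Replay states 1..3 of the commit message, then let Process 1 issue one
 * request through either version of the check.  Returns the queue whose
 * ->bic was set to BIC1, or NULL if no queue recorded it.
 */
static struct bfqq *replay(bool fixed, struct bfqq queues[3], struct bic bics[3])
{
    struct bfqq *q1 = &queues[0], *q2 = &queues[1], *q3 = &queues[2];
    struct bic *b1 = &bics[0], *b2 = &bics[1], *b3 = &bics[2];

    /* 1) initial state: one queue per process, one process ref each */
    *b1 = (struct bic){ "BIC1", q1, false };
    *b2 = (struct bic){ "BIC2", q2, false };
    *b3 = (struct bic){ "BIC3", q3, false };
    *q1 = (struct bfqq){ "bfqq1", 1, NULL, b1 };
    *q2 = (struct bfqq){ "bfqq2", 1, NULL, b2 };
    *q3 = (struct bfqq){ "bfqq3", 1, NULL, b3 };

    merge_bfqqs(b1, q1, q2);      /* 2) bfqq1 merged to bfqq2: refs 0 2 1 */
    merge_bfqqs(b2, q2, q3);      /* 3) bfqq2 merged to bfqq3: refs 0 1 3 */
    assert(q1->process_refs == 0 && q2->process_refs == 1 && q3->process_refs == 3);

    /* Process 1 issues I/O: bic_to_bfqq() still hands out bfqq2 */
    struct bfqq *bfqq = b1->bfqq;
    struct bfqq *recorded = NULL;
    if (fixed ? exclusive_owner_fixed(bfqq) : exclusive_owner_old(bfqq)) {
        bfqq->bic = b1;           /* the assignment the hunk guards */
        recorded = bfqq;
    }
    /* __bfq_insert_request() then redirects the request to the chain tail */
    assert(chain_tail(bfqq) == q3);
    return recorded;
}

/*
 * Process 1 exits and its icq is destroyed.  A queue still holding BIC1 in
 * ->bic now holds a dangling pointer, which is what the KASAN report shows
 * being written through in bfq_do_early_stable_merge().
 */
static bool leaves_dangling_bic(bool fixed)
{
    struct bfqq queues[3];
    struct bic bics[3];
    struct bfqq *recorded = replay(fixed, queues, bics);

    bics[0].freed = true;         /* ioc_destroy_icq() on BIC1 */
    return recorded != NULL && recorded->bic == &bics[0] && bics[0].freed;
}

int main(void)
{
    printf("old check leaves a dangling bfqq->bic: %s\n",
           leaves_dangling_bic(false) ? "yes" : "no");
    printf("fixed check leaves a dangling bfqq->bic: %s\n",
           leaves_dangling_bic(true) ? "yes" : "no");
    return 0;
}
```

The model deliberately leaves BIC1 pointing at bfqq2 after the second merge, because in the scenario Process 1 issues no I/O between the two merges; that is exactly the window in which bfqq2 has one process ref while sitting in the middle of the chain.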
Thread overview: 21+ messages
2024-09-02 13:03 [PATCH for-6.12 0/4] block, bfq: fix corner cases related to bfqq merging Yu Kuai
2024-09-02 13:03 ` [PATCH for-6.12 1/4] block, bfq: fix possible UAF for bfqq->bic with merge chain Yu Kuai
2024-09-04 11:51 ` Jan Kara [this message]
2024-09-02 13:03 ` [PATCH for-6.12 2/4] block, bfq: choose the last bfqq from merge chain in bfq_setup_cooperator() Yu Kuai
2024-09-04 12:17 ` Jan Kara
2024-09-02 13:03 ` [PATCH for-6.12 3/4] block, bfq: don't break merge chain in bfq_split_bfqq() Yu Kuai
2024-09-04 12:20 ` Jan Kara
2024-09-02 13:03 ` [PATCH for-6.12 4/4] block, bfq: use bfq_reassign_last_bfqq() in bfq_bfqq_move() Yu Kuai
2024-09-04 12:22 ` Jan Kara
2024-09-03 15:51 ` [PATCH for-6.12 0/4] block, bfq: fix corner cases related to bfqq merging Jens Axboe
2024-09-04 1:32 ` Yu Kuai
2024-09-04 2:28 ` Bart Van Assche
2024-09-04 2:45 ` Yu Kuai
2024-09-04 13:55 ` Jens Axboe
2024-09-04 17:17 ` Bart Van Assche
2024-09-05 1:48 ` Yu Kuai
2024-09-04 4:38 ` Ming Lei
2024-09-04 12:29 ` Jan Kara
2024-09-04 13:49 ` Jens Axboe
2024-09-04 13:53 ` Jens Axboe
2024-09-03 15:56 ` Jens Axboe