From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Hongyu Jin <hongyu.jin@unisoc.com>,
Gao Xiang <hsiangkao@linux.alibaba.com>,
Chao Yu <chao@kernel.org>, Sasha Levin <sashal@kernel.org>,
xiang@kernel.org, linux-erofs@lists.ozlabs.org
Subject: [PATCH AUTOSEL 5.17 13/22] erofs: fix use-after-free of on-stack io[]
Date: Tue, 26 Apr 2022 15:01:36 -0400 [thread overview]
Message-ID: <20220426190145.2351135-13-sashal@kernel.org> (raw)
In-Reply-To: <20220426190145.2351135-1-sashal@kernel.org>
From: Hongyu Jin <hongyu.jin@unisoc.com>
[ Upstream commit 60b30050116c0351b90154044345c1b53ae1f323 ]
The root cause is the race as follows:
Thread #1 Thread #2(irq ctx)
z_erofs_runqueue()
struct z_erofs_decompressqueue io_A[];
submit bio A
z_erofs_decompress_kickoff(,,1)
z_erofs_decompressqueue_endio(bio A)
z_erofs_decompress_kickoff(,,-1)
spin_lock_irqsave()
atomic_add_return()
io_wait_event() -> pending_bios is already 0
[end of function]
wake_up_locked(io_A[]) // crash
Referenced backtrace in kernel 5.4:
[ 10.129422] Unable to handle kernel paging request at virtual address eb0454a4
[ 10.364157] CPU: 0 PID: 709 Comm: getprop Tainted: G WC O 5.4.147-ab09225 #1
[ 11.556325] [<c01b33b8>] (__wake_up_common) from [<c01b3300>] (__wake_up_locked+0x40/0x48)
[ 11.565487] [<c01b3300>] (__wake_up_locked) from [<c044c8d0>] (z_erofs_vle_unzip_kickoff+0x6c/0xc0)
[ 11.575438] [<c044c8d0>] (z_erofs_vle_unzip_kickoff) from [<c044c854>] (z_erofs_vle_read_endio+0x16c/0x17c)
[ 11.586082] [<c044c854>] (z_erofs_vle_read_endio) from [<c06a80e8>] (clone_endio+0xb4/0x1d0)
[ 11.595428] [<c06a80e8>] (clone_endio) from [<c04a1280>] (blk_update_request+0x150/0x4dc)
[ 11.604516] [<c04a1280>] (blk_update_request) from [<c06dea28>] (mmc_blk_cqe_complete_rq+0x144/0x15c)
[ 11.614640] [<c06dea28>] (mmc_blk_cqe_complete_rq) from [<c04a5d90>] (blk_done_softirq+0xb0/0xcc)
[ 11.624419] [<c04a5d90>] (blk_done_softirq) from [<c010242c>] (__do_softirq+0x184/0x56c)
[ 11.633419] [<c010242c>] (__do_softirq) from [<c01051e8>] (irq_exit+0xd4/0x138)
[ 11.641640] [<c01051e8>] (irq_exit) from [<c010c314>] (__handle_domain_irq+0x94/0xd0)
[ 11.650381] [<c010c314>] (__handle_domain_irq) from [<c04fde70>] (gic_handle_irq+0x50/0xd4)
[ 11.659641] [<c04fde70>] (gic_handle_irq) from [<c0101b70>] (__irq_svc+0x70/0xb0)
Signed-off-by: Hongyu Jin <hongyu.jin@unisoc.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20220401115527.4935-1-hongyu.jin.cn@gmail.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/erofs/zdata.c | 12 ++++--------
fs/erofs/zdata.h | 2 +-
2 files changed, 5 insertions(+), 9 deletions(-)
diff --git a/fs/erofs/zdata.c b/fs/erofs/zdata.c
index 423bc1a61da5..a1b48bcafe63 100644
--- a/fs/erofs/zdata.c
+++ b/fs/erofs/zdata.c
@@ -1073,12 +1073,9 @@ static void z_erofs_decompress_kickoff(struct z_erofs_decompressqueue *io,
/* wake up the caller thread for sync decompression */
if (sync) {
- unsigned long flags;
-
- spin_lock_irqsave(&io->u.wait.lock, flags);
if (!atomic_add_return(bios, &io->pending_bios))
- wake_up_locked(&io->u.wait);
- spin_unlock_irqrestore(&io->u.wait.lock, flags);
+ complete(&io->u.done);
+
return;
}
@@ -1224,7 +1221,7 @@ jobqueue_init(struct super_block *sb,
} else {
fg_out:
q = fgq;
- init_waitqueue_head(&fgq->u.wait);
+ init_completion(&fgq->u.done);
atomic_set(&fgq->pending_bios, 0);
}
q->sb = sb;
@@ -1428,8 +1425,7 @@ static void z_erofs_runqueue(struct super_block *sb,
return;
/* wait until all bios are completed */
- io_wait_event(io[JQ_SUBMIT].u.wait,
- !atomic_read(&io[JQ_SUBMIT].pending_bios));
+ wait_for_completion_io(&io[JQ_SUBMIT].u.done);
/* handle synchronous decompress queue in the caller context */
z_erofs_decompress_queue(&io[JQ_SUBMIT], pagepool);
diff --git a/fs/erofs/zdata.h b/fs/erofs/zdata.h
index e043216b545f..800b11c53f57 100644
--- a/fs/erofs/zdata.h
+++ b/fs/erofs/zdata.h
@@ -97,7 +97,7 @@ struct z_erofs_decompressqueue {
z_erofs_next_pcluster_t head;
union {
- wait_queue_head_t wait;
+ struct completion done;
struct work_struct work;
} u;
};
--
2.35.1
next prev parent reply other threads:[~2022-04-26 19:02 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-04-26 19:01 [PATCH AUTOSEL 5.17 01/22] ASoC: soc-pcm: use GFP_KERNEL when the code is sleepable Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 02/22] ASoC: cs35l41: Fix a shift-out-of-bounds warning found by UBSAN Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 03/22] ASoC: rt711/5682: check if bus is active before deferred jack detection Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 04/22] ASoC: Intel: soc-acpi: correct device endpoints for max98373 Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 05/22] ASoC: wm8731: Disable the regulator when probing fails Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 06/22] ASoC: Intel: sof_es8336: Add a quirk for Huawei Matebook D15 Sasha Levin
2022-04-27 11:28 ` Mark Brown
2022-05-01 19:32 ` Sasha Levin
2022-05-02 14:01 ` Pierre-Louis Bossart
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 07/22] Input: cypress-sf - register a callback to disable the regulators Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 08/22] ext4: fix bug_on in start_this_handle during umount filesystem Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 09/22] arch: xtensa: platforms: Fix deadlock in rs_close() Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 10/22] ksmbd: increment reference count of parent fp Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 11/22] ksmbd: set fixed sector size to FS_SECTOR_SIZE_INFORMATION Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 12/22] ip6_gre: Avoid updating tunnel->tun_hlen in __gre6_xmit() Sasha Levin
2022-04-26 19:01 ` Sasha Levin [this message]
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 14/22] bonding: do not discard lowest hash bit for non layer3+4 hashing Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 15/22] x86: __memcpy_flushcache: fix wrong alignment if size > 2^32 Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 16/22] cifs: destage any unwritten data to the server before calling copychunk_write Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 17/22] drivers: net: hippi: Fix deadlock in rr_close() Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 18/22] powerpc/perf: Fix 32bit compile Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 19/22] ALSA: hda: intel-dsp-config: Add RaptorLake PCI IDs Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 20/22] ata: pata_marvell: Check the 'bmdma_addr' beforing reading Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 21/22] selftest/vm: verify mmap addr in mremap_test Sasha Levin
2022-04-26 19:01 ` [PATCH AUTOSEL 5.17 22/22] selftest/vm: verify remap destination address " Sasha Levin
2022-04-26 19:32 ` [PATCH AUTOSEL 5.17 01/22] ASoC: soc-pcm: use GFP_KERNEL when the code is sleepable Marion & Christophe JAILLET
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220426190145.2351135-13-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=chao@kernel.org \
--cc=hongyu.jin@unisoc.com \
--cc=hsiangkao@linux.alibaba.com \
--cc=linux-erofs@lists.ozlabs.org \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=xiang@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox