Re: [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On Wed, Aug 19, 2020 at 11:14:34AM +0100, John Garry wrote:
> On 19/08/2020 09:58, Ming Lei wrote:
> > > ah, right. I vaguely remember this. Well, if we didn't have a reliable
> > > reproducer before, we do now.
> > OK, that is great, please try the following patch:
> > 
> > diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
> > index 32d82e23b095..f18632c524e9 100644
> > --- a/block/blk-mq-tag.c
> > +++ b/block/blk-mq-tag.c
> > @@ -185,19 +185,19 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
> >   {
> >   	struct bt_iter_data *iter_data = data;
> >   	struct blk_mq_hw_ctx *hctx = iter_data->hctx;
> > -	struct blk_mq_tags *tags = hctx->tags;
> > +	struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
> >   	bool reserved = iter_data->reserved;
> >   	struct request *rq;
> >   	if (!reserved)
> >   		bitnr += tags->nr_reserved_tags;
> > -	rq = tags->rqs[bitnr];
> > +	rq = tags->static_rqs[bitnr];
> >   	/*
> >   	 * We can hit rq == NULL here, because the tagging functions
> >   	 * test and set the bit before assigning ->rqs[].
> >   	 */
> > -	if (rq && rq->q == hctx->queue)
> > +	if (rq && rq->tag >= 0 && rq->q == hctx->queue)
> >   		return iter_data->fn(hctx, rq, iter_data->data, reserved);
> >   	return true;
> >   }
> > @@ -406,7 +406,7 @@ void blk_mq_queue_tag_busy_iter(struct request_queue *q, busy_iter_fn *fn,
> >   		return;
> >   	queue_for_each_hw_ctx(q, hctx, i) {
> > -		struct blk_mq_tags *tags = hctx->tags;
> > +		struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
> >   		/*
> >   		 * If no software queues are currently mapped to this
> 
> I gave it a quick try and it looks to silence KASAN. I'll try to test more
> over the next day or so.
> 
> BTW, I doubt KASAN is even right to complain about this. I'll check that
> thread you pointed me at to learn more about what was discussed on that.

I guess that elevator switch may have to be involved in your reproducer, stale
request which are freed before switching to new elevator can stay in tags->rqs[],
then these stale requests are retrieved when reading iostat before old request slots in
tags->rqs[] are reset.

The patch should fix this issue.

Thanks,
Ming
[Index of Archives]     [Linux RAID]     [Linux SCSI]     [Linux ATA RAID]     [IDE]     [Linux Wireless]     [Linux Kernel]     [ATH6KL]     [Linux Bluetooth]     [Linux Netdev]     [Kernel Newbies]     [Security]     [Git]     [Netfilter]     [Bugtraq]     [Yosemite News]     [MIPS Linux]     [ARM Linux]     [Linux Security]     [Device Mapper]

  Powered by Linux