BUG: KASAN: use-after-free in bdev_free_inode+0x202/0x220
Read of size 8 at addr ffff88806e022148 by task systemd-udevd/8843

Call Trace:
 <IRQ>
 __dump_stack [inline]
 dump_stack_lvl+0xcd/0x134
 print_address_description.constprop.0.cold+0x6c/0x2d6
 __kasan_report [inline]
 kasan_report.cold+0x83/0xdf
 bdev_free_inode+0x202/0x220
 i_callback+0x3f/0x70
 rcu_do_batch [inline]
 rcu_core+0x7ab/0x1470
 __do_softirq+0x29b/0x9c2
 invoke_softirq [inline]
 __irq_exit_rcu+0x123/0x180
 irq_exit_rcu+0x5/0x20

Allocated by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track [inline]
 set_alloc_info [inline]
 ____kasan_kmalloc [inline]
 ____kasan_kmalloc [inline]
 __kasan_kmalloc+0xa1/0xd0
 kasan_kmalloc [inline]
 kmem_cache_alloc_node_trace+0x20b/0x5d0
 kmalloc_node [inline]
 kzalloc_node [inline]
 __alloc_disk_node+0x77/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

Freed by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free [inline]
 ____kasan_slab_free [inline]
 __kasan_slab_free+0xd1/0x110
 kasan_slab_free [inline]
 __cache_free [inline]
 kfree+0x10a/0x2c0
 __alloc_disk_node+0x474/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

The xa_insert() may return an error in __alloc_disk_node(), and the disk
object will be released; however, there are two operations that will
release it, kfree(disk) and iput(disk->part0->bd_inode). The iput
operation will call call_rcu(); because the rcu callback is executed
asynchronously, when the disk object is freed in the rcu callback, the
disk object has already been released. Solve it through a unified
release action.

Reported-by: syzbot+8281086e8a6fbfbd952a@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Zqiang <qiang.zhang1211@xxxxxxxxx>
---
 block/genhd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/block/genhd.c b/block/genhd.c index 5e8aa0ab66c2..924b75d9dfa6 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -1269,11 +1269,13 @@ struct gendisk *__alloc_disk_node(struct request_queue *q, int node_id, out_destroy_part_tbl: xa_destroy(&disk->part_tbl); - iput(disk->part0->bd_inode); out_free_bdi: bdi_put(disk->bdi); out_free_disk: - kfree(disk); + if (disk->part0) + iput(disk->part0->bd_inode); + else + kfree(disk); out_put_queue: blk_put_queue(q); return NULL; -- 2.17.1
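Review bot: moving iput() from out_destroy_part_tbl down to out_free_disk changes the unwinding order on the xa_insert() failure path: before the patch iput(disk->part0->bd_inode) ran before bdi_put(disk->bdi), after it the bdi reference is dropped first and the inode destructor runs later from the RCU callback. The KASAN report shows bdev_free_inode reading 8 bytes from the freed disk object, so that destructor does dereference disk fields; please confirm it does not also use or put disk->bdi, otherwise this path now puts the bdi twice instead of freeing the disk twice. If it does, consider keeping the single iput() at out_destroy_part_tbl and skipping kfree() there, or clearing the inode's back-pointer to the disk before iput() so the deferred callback leaves the disk alone. Separately, the label out_free_disk now performs an iput() when part0 is set, which misleads a reader following the goto chain; a one-line comment on the `if (disk->part0)` branch stating that the inode destructor owns the disk in that case would help.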
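The race the commit message describes (a synchronous kfree() followed by a deferred destructor that releases the same object again) can be reproduced in userspace without touching a kernel. The following is an added illustration, not code from the patch or from block/genhd.c: the kernel objects are reduced to a disk, its partition-0 inode and a fake RCU callback queue, and the real kfree(disk) is replaced by a counter so the second release is observed instead of corrupting the heap. Function and field names other than iput, bdev_free_inode, part0 and bd_disk are assumptions of this model.

```c
#include <stdio.h>
#include <stdlib.h>

/* Userspace model of the error-unwinding race; not kernel code. */
struct gendisk;

struct bdev_inode {
	struct gendisk *bd_disk;     /* back-pointer the destructor follows */
	struct bdev_inode *rcu_next; /* link in the pending-callback queue */
};

struct gendisk {
	struct bdev_inode *part0;    /* NULL until partition 0 exists (kzalloc) */
	int release_count;           /* how many times "kfree(disk)" ran */
};

/* Pending deferred destructors, standing in for the call_rcu() batch. */
static struct bdev_inode *rcu_pending;

/* Stand-in for kfree(disk): count instead of freeing, so a double
 * release is observable rather than undefined behaviour. */
static void kfree_disk(struct gendisk *disk)
{
	disk->release_count++;
}

/* Models bdev_free_inode(): the inode destructor also releases the disk. */
static void bdev_free_inode(struct bdev_inode *inode)
{
	if (inode->bd_disk)
		kfree_disk(inode->bd_disk);
	free(inode);
}

/* Models iput(): the final put only queues the destructor. */
static void iput(struct bdev_inode *inode)
{
	inode->rcu_next = rcu_pending;
	rcu_pending = inode;
}

/* Models the softirq that later drains the queued RCU callbacks. */
static void rcu_run_callbacks(void)
{
	while (rcu_pending) {
		struct bdev_inode *inode = rcu_pending;
		rcu_pending = inode->rcu_next;
		bdev_free_inode(inode);
	}
}

/* Zeroed disk, optionally with a partition-0 inode pointing back at it. */
static struct gendisk *alloc_disk(int with_part0)
{
	struct gendisk *disk = calloc(1, sizeof(*disk));
	if (!disk)
		return NULL;
	if (with_part0) {
		disk->part0 = calloc(1, sizeof(*disk->part0));
		if (!disk->part0) {
			free(disk);
			return NULL;
		}
		disk->part0->bd_disk = disk;
	}
	return disk;
}

/* Unwinding as before the patch: iput() then kfree(disk). Returns the
 * number of disk releases once the deferred callback has run
 * (1 is correct, 2 is the double release behind the KASAN report). */
int unwind_before_patch(int with_part0)
{
	struct gendisk *disk = alloc_disk(with_part0);
	int count;

	if (!disk)
		return -1;
	if (disk->part0)
		iput(disk->part0);   /* queues bdev_free_inode() */
	kfree_disk(disk);        /* synchronous release */
	rcu_run_callbacks();     /* callback now touches the released disk */
	count = disk->release_count;
	free(disk);
	return count;
}

/* Unwinding with the patch's single release path. */
int unwind_after_patch(int with_part0)
{
	struct gendisk *disk = alloc_disk(with_part0);
	int count;

	if (!disk)
		return -1;
	if (disk->part0)
		iput(disk->part0);   /* destructor owns the disk */
	else
		kfree_disk(disk);    /* no inode yet: free it directly */
	rcu_run_callbacks();
	count = disk->release_count;
	free(disk);
	return count;
}

int main(void)
{
	printf("before, with part0: %d releases\n", unwind_before_patch(1));
	printf("after,  with part0: %d releases\n", unwind_after_patch(1));
	printf("after,  no part0:   %d releases\n", unwind_after_patch(0));
	return 0;
}
```

The model keeps the disk memory alive so the count can be read after the callback runs; in the real kernel the second release is the KASAN read inside bdev_free_inode on memory kfree() already returned to the slab.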