On 12/7/21 15:51, George Kennedy wrote:
> git bisect shows that commit 54a88eb838d3 ("block: add single bio async direct IO helper") causes the following UAF:
>
> KASAN: use-after-free Write in io_submit_one
>
> Tried to root-cause the issue, but need the patch submitter's help in coming up with a fix.
Hey George, thanks for the report. Do you have a reproducer? One spot I don't like is how errors from bio_iov_iter_get_pages() are handled, will test it. diff --git a/block/fops.c b/block/fops.c index ad732a36f9b3..211f44974d1e 100644 --- a/block/fops.c +++ b/block/fops.c @@ -342,7 +342,7 @@ static ssize_t __blkdev_direct_IO_async(struct kiocb *iocb, if (unlikely(ret)) { bio->bi_status = BLK_STS_IOERR; bio_endio(bio); - return ret; + return -EIOCBQUEUED; } } dio->size = bio->bi_iter.bi_size; -- Pavel Begunkov
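Review bot: the switch from `return ret;` to `return -EIOCBQUEUED;` in the `if (unlikely(ret))` branch needs a comment explaining why, because the line directly above it is what makes it necessary: `bio_endio(bio);` has already run the bio's completion callback, and on this path that callback is what completes the iocb and releases the dio, so also returning `ret` hands the same failure back to the submitter, which then completes the iocb a second time against state that is already gone, consistent with the io_submit_one write reported above. Something like `/* bio_endio() already completed the iocb, don't report the error twice */` right above the return would stop a future reader from "fixing" it back to `return ret;`. Separately, `bio->bi_status = BLK_STS_IOERR;` throws away `ret` (e.g. -EFAULT from bio_iov_iter_get_pages()), so userspace only ever sees -EIO for this failure; `errno_to_blk_status(ret)` would preserve the cause if that matters.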
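To make the ownership rule behind that one-line change concrete, here is a user-space model of it. This is an added example, not code from this thread or from block/fops.c: every name in it (iocb_model, dio_model, submit_dio, io_submit_model, completions_on_error) is hypothetical, and EIOCBQUEUED is hard-coded because the kernel-private value is not in user-space headers. It counts how many times the iocb gets completed when the page-pinning step fails, once with the pre-patch return value and once with -EIOCBQUEUED.

```c
/* Added example, not kernel code: models the contract that once bio_endio()
 * has run, the completion path owns the request, so the submitter must not
 * report the error a second time.  All names here are hypothetical. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

#ifndef EIOCBQUEUED
#define EIOCBQUEUED 529   /* kernel-private "completes asynchronously" sentinel */
#endif

struct iocb_model {
    int completions;      /* how many times ki_complete ran */
    int last_result;
};

/* Stand-in for struct blkdev_dio: owns the iocb until completion. */
struct dio_model {
    struct iocb_model *iocb;
    unsigned char *pages; /* stand-in for pinned user pages */
};

static void ki_complete(struct iocb_model *iocb, int res)
{
    iocb->completions++;
    iocb->last_result = res;
}

/* Stand-in for the bio end_io callback: complete the iocb, then free the dio. */
static void end_io(struct dio_model *dio, int status)
{
    ki_complete(dio->iocb, status);
    free(dio->pages);
    free(dio);
}

/* Stand-in for __blkdev_direct_IO_async().  get_pages_err is the (simulated)
 * bio_iov_iter_get_pages() result, 0 on success; fixed selects the pre-patch
 * (0) or post-patch (1) return value on that error path. */
static int submit_dio(struct iocb_model *iocb, int get_pages_err, int fixed)
{
    struct dio_model *dio = calloc(1, sizeof(*dio));
    if (!dio)
        return -ENOMEM;   /* nothing was submitted, caller still owns the iocb */
    dio->iocb = iocb;

    if (get_pages_err) {
        end_io(dio, -EIO);            /* the hunk's bio_endio(bio) */
        /* dio is freed now; touching it here would be the use-after-free. */
        return fixed ? -EIOCBQUEUED : get_pages_err;
    }

    dio->pages = malloc(4096);
    end_io(dio, 0);                   /* model the I/O finishing right away */
    return -EIOCBQUEUED;
}

/* Stand-in for the submitter (io_submit_one): any return other than
 * -EIOCBQUEUED means the request never went async, so complete it here. */
static int io_submit_model(struct iocb_model *iocb, int get_pages_err, int fixed)
{
    int ret = submit_dio(iocb, get_pages_err, fixed);
    if (ret != -EIOCBQUEUED)
        ki_complete(iocb, ret);
    return ret;
}

/* How many times the iocb is completed when page pinning fails with -EFAULT. */
int completions_on_error(int fixed)
{
    struct iocb_model iocb = { 0, 0 };
    io_submit_model(&iocb, -EFAULT, fixed);
    return iocb.completions;
}

int main(void)
{
    printf("pre-patch:  %d completions\n", completions_on_error(0));
    printf("post-patch: %d completions\n", completions_on_error(1));
    return 0;
}
```

The pre-patch variant completes the iocb twice (once from the end_io callback, once from the submitter), which is the double completion behind the reported write into freed memory; the post-patch variant completes it exactly once.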