Re: move more work to disk_release

On 2/22/22 06:14, Christoph Hellwig wrote:
Git branch:

     git://git.infradead.org/users/hch/block.git freeze-5.18

A patch in or before this patch series may need some additional
work. This is what I see in the kernel log if I verify the above
kernel branch with blktests:

run blktests block/027 at 2022-02-26 03:54:57
[ ... ]
==================================================================
BUG: KASAN: use-after-free in sd_release+0x2a/0x100 [sd_mod]
Read of size 8 at addr ffff888115a0a000 by task fio/7217

CPU: 1 PID: 7217 Comm: fio Not tainted 5.17.0-rc2-dbg+ #8
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.15.0-0-g2dd4b9b-rebuilt.opensuse.org 04/01/2014
Call Trace:
sd 9:0:0:1: [sde] Synchronizing SCSI cache
 <TASK>
 show_stack+0x52/0x58
 dump_stack_lvl+0x5b/0x82
 print_address_description.constprop.0+0x24/0x160
 ? sd_release+0x2a/0x100 [sd_mod]
 kasan_report.cold+0x82/0xdb
 ? perf_trace_sched_numa_pair_template+0x340/0x350
 ? sd_release+0x2a/0x100 [sd_mod]
 __asan_load8+0x69/0x90
 sd_release+0x2a/0x100 [sd_mod]
 blkdev_put+0x15a/0x3b0
 blkdev_close+0x3c/0x50
 __fput+0x13d/0x430
 ____fput+0xe/0x10
 task_work_run+0x8e/0xe0
 do_exit+0x2b6/0x5e0
 do_group_exit+0x71/0x150
 __x64_sys_exit_group+0x31/0x40
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7f8d243d0ed1
Code: Unable to access opcode bytes at RIP 0x7f8d243d0ea7.
RSP: 002b:00007ffe2c7aae48 EFLAGS: 00000206 ORIG_RAX: 00000000000000e7
RAX: ffffffffffffffda RBX: 0000000000000004 RCX: 00007f8d243d0ed1
RDX: 000000000000003c RSI: 00000000000000e7 RDI: 0000000000000013
RBP: 00007f8d1214ae90 R08: ffffffffffffe168 R09: a53fa94fea53fa95
R10: 0000000000000002 R11: 0000000000000206 R12: 00007f8d253d3c30
R13: 0000000000000000 R14: 0000000000000004 R15: 0000000000000000
 </TASK>

Allocated by task 5692:
 kasan_save_stack+0x26/0x50
 __kasan_kmalloc+0x88/0xa0
 kmem_cache_alloc_trace+0x1a3/0x2c0
 sd_probe+0x9a/0x700 [sd_mod]
 really_probe+0x141/0x5d0
 __driver_probe_device+0x1aa/0x240
 driver_probe_device+0x4e/0x110
 __device_attach_driver+0xf6/0x160
 bus_for_each_drv+0xfd/0x160
 __device_attach_async_helper+0x138/0x190
 async_run_entry_fn+0x63/0x240
 process_one_work+0x594/0xad0
 worker_thread+0x2de/0x6b0
 kthread+0x15f/0x190
 ret_from_fork+0x1f/0x30

Freed by task 6426:
 kasan_save_stack+0x26/0x50
 kasan_set_track+0x25/0x30
 kasan_set_free_info+0x24/0x40
 __kasan_slab_free+0x100/0x140
 kfree+0xd1/0x510
 scsi_disk_release+0x41/0x50 [sd_mod]
 device_release+0x60/0x100
 kobject_cleanup+0x7f/0x1c0
 kobject_put+0x76/0x90
 put_device+0x13/0x20
 sd_remove+0x63/0x70 [sd_mod]
 __device_release_driver+0x37e/0x390
 device_release_driver+0x2b/0x40
 bus_remove_device+0x1aa/0x270
 device_del+0x2d4/0x640
 __scsi_remove_device+0x168/0x1a0
 sdev_store_delete+0x75/0xe0
 dev_attr_store+0x3e/0x60
 sysfs_kf_write+0x87/0xa0
 kernfs_fop_write_iter+0x1c7/0x270
 new_sync_write+0x296/0x3c0
 vfs_write+0x43c/0x580
 ksys_write+0xd9/0x180
 __x64_sys_write+0x42/0x50
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Last potentially related work creation:
 kasan_save_stack+0x26/0x50
 __kasan_record_aux_stack+0xa8/0xc0
 kasan_record_aux_stack_noalloc+0xb/0x10
 insert_work+0x3b/0x170
 __queue_work+0x32f/0x7d0
 queue_work_on+0x7e/0x90
 rpm_idle+0x432/0x460
 __pm_runtime_set_status+0x1da/0x520
 pm_runtime_remove+0xb3/0xc0
 device_pm_remove+0x108/0x190
 device_del+0x2dc/0x640
 __scsi_remove_device+0x168/0x1a0
 sdev_store_delete+0x75/0xe0
 dev_attr_store+0x3e/0x60
 sysfs_kf_write+0x87/0xa0
 kernfs_fop_write_iter+0x1c7/0x270
 new_sync_write+0x296/0x3c0
 vfs_write+0x43c/0x580
 ksys_write+0xd9/0x180
 __x64_sys_write+0x42/0x50
 do_syscall_64+0x35/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Second to last potentially related work creation:
 kasan_save_stack+0x26/0x50
 __kasan_record_aux_stack+0xa8/0xc0
 kasan_record_aux_stack_noalloc+0xb/0x10
 insert_work+0x3b/0x170
 __queue_work+0x32f/0x7d0
 queue_work_on+0x7e/0x90
 queue_release_one_tty+0xbf/0xd0
 release_tty+0x241/0x290
 tty_release_struct+0x92/0xb0
 tty_release+0x5b1/0x5f0
 __fput+0x13d/0x430
 ____fput+0xe/0x10
 task_work_run+0x8e/0xe0
 exit_to_user_mode_loop+0xee/0xf0
 exit_to_user_mode_prepare+0xd6/0x100
 syscall_exit_to_user_mode+0x1e/0x50
 do_syscall_64+0x42/0x80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff888115a0a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888115a0a000, ffff888115a0a800)
The buggy address belongs to the page:
page:00000000fac6ce95 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff888115a0f000 pfn:0x115a08
head:00000000fac6ce95 order:3 compound_mapcount:0 compound_pincount:0
flags: 0x2000000000010200(slab|head|node=0|zone=2)
raw: 2000000000010200 ffffea00041d5408 ffffea000407d808 ffff888100042f00
raw: ffff888115a0f000 0000000000080006 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
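The report above says everything a triager needs, but in four separate places: the access (a read of 8 bytes in sd_release when fio closed its file descriptor), the allocation (sd_probe), the free (scsi_disk_release, reached from sd_remove via a sysfs delete) and the object (a kmalloc-2k slab, hit at offset 0). The following Python is an added triage helper, not code from this mail or from the hch/block.git tree; it parses a KASAN slab report in the format shown above into those four facts. SAMPLE is abridged from the report in this mail (the stray "sd 9:0:0:1: ... Synchronizing SCSI cache" line that dmesg interleaved into the call trace is kept on purpose, since a parser has to tolerate it). The NOISE prefix list, which hides KASAN, allocator and stack-dump frames so the first "real" frame of each stack is reported, is my own choice and not part of any kernel tooling.

```python
"""Triage helper for KASAN slab-use-after-free reports (added example)."""
import re
from dataclasses import dataclass, field
from typing import Optional

HEADER_RE = re.compile(r"^BUG: KASAN: (?P<type>[\w-]+) in (?P<site>[\w.]+)")
ACCESS_RE = re.compile(
    r"^(?P<rw>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) by task (?P<task>\S+)")
STACK_HDR_RE = re.compile(
    r"^(?P<name>Call Trace|Allocated by task (?P<atask>\d+)|Freed by task (?P<ftask>\d+)"
    r"|(?:Second to last|Last) potentially related work creation):$")
# A frame line is indented; "? sym" marks an unreliable (stale) stack entry.
FRAME_RE = re.compile(r"^\s+(?P<unreliable>\? )?(?P<sym>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+")
REGION_RE = re.compile(r"(?P<size>\d+)-byte region \[(?P<lo>[0-9a-f]+), (?P<hi>[0-9a-f]+)\)")
CACHE_RE = re.compile(r"belongs to the cache (?P<cache>\S+) of size (?P<size>\d+)")

# Frames to skip when naming the culprit of a stack (assumption: instrumentation,
# allocator and stack-dump helpers are never the interesting frame).
NOISE = ("kasan_", "__kasan_", "__asan_", "show_stack", "dump_stack",
         "print_address_description", "kmem_cache_", "kfree", "kmalloc", "__kmalloc")


@dataclass
class KasanReport:
    bug_type: str
    site: str
    access: str
    size: int
    addr: int
    task: str
    stacks: dict = field(default_factory=dict)   # "use"/"allocated"/"freed"/... -> [symbols]
    tasks: dict = field(default_factory=dict)    # "allocated"/"freed" -> pid
    cache: Optional[str] = None
    region: Optional[tuple] = None               # (lo, hi) of the slab object


def culprit(frames):
    """First frame of a stack that is not instrumentation/allocator noise."""
    return next((f for f in frames if not f.startswith(NOISE)), None)


def region_offset(report):
    """Offset of the faulting address inside the object, and whether it lies inside."""
    lo, hi = report.region
    return report.addr - lo, lo <= report.addr < hi


def parse_kasan_report(text):
    report, current = None, None
    for line in text.splitlines():
        if report is None:                      # skip everything before the BUG: line
            m = HEADER_RE.match(line)
            if m:
                report = KasanReport(m["type"], m["site"], "", 0, 0, "")
            continue
        if not line.strip():                    # a blank line ends the current stack
            current = None
            continue
        m = ACCESS_RE.match(line)
        if m:
            report.access, report.size = m["rw"], int(m["size"])
            report.addr, report.task = int(m["addr"], 16), m["task"]
            continue
        m = STACK_HDR_RE.match(line)
        if m:
            name = m["name"]
            if name.startswith("Allocated"):
                current = "allocated"
                report.tasks[current] = int(m["atask"])
            elif name.startswith("Freed"):
                current = "freed"
                report.tasks[current] = int(m["ftask"])
            elif name == "Call Trace":
                current = "use"
            else:
                current = name.lower()
            report.stacks[current] = []
            continue
        m = FRAME_RE.match(line)
        if m and current is not None and not m["unreliable"]:
            report.stacks[current].append(m["sym"])
            continue
        m = REGION_RE.search(line)
        if m:
            report.region = (int(m["lo"], 16), int(m["hi"], 16))
            continue
        m = CACHE_RE.search(line)
        if m:
            report.cache = m["cache"]
    if report is None:
        raise ValueError("no 'BUG: KASAN:' header found")
    return report


def summarize(r):
    off, inside = region_offset(r)
    return "\n".join([
        f"{r.bug_type}: {r.access} of {r.size} bytes at 0x{r.addr:x} in "
        f"{culprit(r.stacks.get('use', [])) or r.site} (task {r.task})",
        f"  object: {r.cache} slab, offset {off} ({'inside' if inside else 'outside'} object)",
        f"  allocated in {culprit(r.stacks.get('allocated', []))} by task {r.tasks.get('allocated')}",
        f"  freed in {culprit(r.stacks.get('freed', []))} by task {r.tasks.get('freed')}",
    ])


# Constructed input: the report from this mail, abridged.
SAMPLE = """\
==================================================================
BUG: KASAN: use-after-free in sd_release+0x2a/0x100 [sd_mod]
Read of size 8 at addr ffff888115a0a000 by task fio/7217

CPU: 1 PID: 7217 Comm: fio Not tainted 5.17.0-rc2-dbg+ #8
Call Trace:
sd 9:0:0:1: [sde] Synchronizing SCSI cache
 <TASK>
 show_stack+0x52/0x58
 dump_stack_lvl+0x5b/0x82
 print_address_description.constprop.0+0x24/0x160
 ? sd_release+0x2a/0x100 [sd_mod]
 kasan_report.cold+0x82/0xdb
 __asan_load8+0x69/0x90
 sd_release+0x2a/0x100 [sd_mod]
 blkdev_put+0x15a/0x3b0
 blkdev_close+0x3c/0x50
 __fput+0x13d/0x430
 </TASK>

Allocated by task 5692:
 kasan_save_stack+0x26/0x50
 __kasan_kmalloc+0x88/0xa0
 kmem_cache_alloc_trace+0x1a3/0x2c0
 sd_probe+0x9a/0x700 [sd_mod]
 really_probe+0x141/0x5d0

Freed by task 6426:
 kasan_save_stack+0x26/0x50
 kasan_set_track+0x25/0x30
 kasan_set_free_info+0x24/0x40
 __kasan_slab_free+0x100/0x140
 kfree+0xd1/0x510
 scsi_disk_release+0x41/0x50 [sd_mod]
 device_release+0x60/0x100
 kobject_put+0x76/0x90
 put_device+0x13/0x20
 sd_remove+0x63/0x70 [sd_mod]

The buggy address belongs to the object at ffff888115a0a000
 which belongs to the cache kmalloc-2k of size 2048
The buggy address is located 0 bytes inside of
 2048-byte region [ffff888115a0a000, ffff888115a0a800)
"""

if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Run on the sample, the summary reads: allocated in sd_probe, freed in scsi_disk_release, read again in sd_release at offset 0 of the kmalloc-2k object. Pairing the free stack (sd_remove via a sysfs delete) with the use stack (blkdev_put on close) is what pins this as a lifetime mismatch between device removal and an open block device handle, rather than a stray write.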


