Re: [bug report] BUG: KASAN: use-after-free in bic_set_bfqq


 



On Jan 12, 2023 / 22:18, Shin'ichiro Kawasaki wrote:
> On Jan 12, 2023 / 19:53, Yu Kuai wrote:
> > Hi,
> > 
> > On 2023/01/12 19:47, Yu Kuai wrote:
> > > Thanks for the report, is the problem easy to reproduce? If so, can you
> > > try the following patch?
> > > 
> > > diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
> > > index 1b2829e99dad..81d2f401fa3f 100644
> > > --- a/block/bfq-cgroup.c
> > > +++ b/block/bfq-cgroup.c
> > > @@ -771,8 +771,8 @@ static void __bfq_bic_change_cgroup(struct bfq_data
> > > *bfqd,
> > >                                   * request from the old cgroup.
> > >                                   */
> > >                                  bfq_put_cooperator(sync_bfqq);
> > > -                               bfq_release_process_ref(bfqd, sync_bfqq);
> > >                                  bic_set_bfqq(bic, NULL, true);
> > > +                               bfq_release_process_ref(bfqd, sync_bfqq);
> > >                          }
> > >                  }
> > >          }
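Review bot: the order of the two calls after bfq_put_cooperator(sync_bfqq) is the entire fix, yet nothing at the call site records why it matters. Since the report is a KASAN use-after-free in bic_set_bfqq, add a short comment above bic_set_bfqq(bic, NULL, true) saying that the bic pointer has to be cleared while sync_bfqq is still referenced and that bfq_release_process_ref(bfqd, sync_bfqq) must come last, so a later cleanup does not swap the calls back.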
> > > 
> > Just in case you hit the problem in another place, please use the
> > following patch:
> > 
> > diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
> > index 1b2829e99dad..81d2f401fa3f 100644
> > --- a/block/bfq-cgroup.c
> > +++ b/block/bfq-cgroup.c
> > @@ -771,8 +771,8 @@ static void __bfq_bic_change_cgroup(struct bfq_data
> > *bfqd,
> >                                  * request from the old cgroup.
> >                                  */
> >                                 bfq_put_cooperator(sync_bfqq);
> > -                               bfq_release_process_ref(bfqd, sync_bfqq);
> >                                 bic_set_bfqq(bic, NULL, true);
> > +                               bfq_release_process_ref(bfqd, sync_bfqq);
> >                         }
> >                 }
> >         }
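Review bot: this bfq-cgroup.c hunk repeats the first trial patch unchanged, index line included, so the mail should state that the combined patch replaces the earlier one rather than applying on top of it; a tester who already has the first patch applied will otherwise hit a reject here. For a formal submission the patch also needs a changelog describing the KASAN use-after-free in bic_set_bfqq that it addresses, since the diff alone only shows two calls changing places.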
> > diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> > index 16f43bbc575a..687285612e57 100644
> > --- a/block/bfq-iosched.c
> > +++ b/block/bfq-iosched.c
> > @@ -5425,9 +5425,10 @@ static void bfq_check_ioprio_change(struct bfq_io_cq
> > *bic, struct bio *bio)
> > 
> >         bfqq = bic_to_bfqq(bic, false);
> >         if (bfqq) {
> > -               bfq_release_process_ref(bfqd, bfqq);
> > +               struct bfq_queue *old_bfqq = bfqq;
> >                 bfqq = bfq_get_queue(bfqd, bio, false, bic, true);
> >                 bic_set_bfqq(bic, bfqq, false);
> > +               bfq_release_process_ref(bfqd, old_bfqq);
> >         }
> > 
> >         bfqq = bic_to_bfqq(bic, true);
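Review bot: in bfq_check_ioprio_change(), the new declaration "struct bfq_queue *old_bfqq = bfqq;" runs straight into the bfq_get_queue() statement; kernel style expects a blank line after declarations. The same block also deserves a one-line comment that the old queue's process reference is dropped only after bic_set_bfqq(bic, bfqq, false) has installed the new queue, because the reuse of bfqq for the new queue makes it easy to miss that bfq_release_process_ref(bfqd, old_bfqq) acts on a different object from the one just set.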
> > 
> 
> Ah, I've just noticed this e-mail. Will test this patch tomorrow.

This second trial patch also avoided the KASAN uaf message. I repeated the
system boot and ssh login 6 times and did not observe the failure. Looks good.

-- 
Shin'ichiro Kawasaki



