Re: move the bdi from the request_queue to the gendisk

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 




On 8/9/2021 10:17 AM, Christoph Hellwig wrote:
> Hi Jens,
> 
> this series moves the pointer to the bdi from the request_queue
> to the bdi, better matching the life time rules of the different
> objects.

Reverting this series fixed an use-after-free in bdev_evict_inode().

[ 3710.755078][    T1] BUG: KASAN: use-after-free in bdev_evict_inode+0x454/0x4d0
wb_put_many at /root/linux-next/./include/linux/backing-dev-defs.h:250
(inlined by) wb_put at /root/linux-next/./include/linux/backing-dev-defs.h:268
(inlined by) inode_detach_wb at /root/linux-next/./include/linux/writeback.h:251
(inlined by) bdev_evict_inode at /root/linux-next/fs/block_dev.c:832
[ 3710.762312][    T1] Read of size 8 at addr ffff000859ff6060 by task shutdown/1
[ 3710.769533][    T1] 
[ 3710.771721][    T1] CPU: 29 PID: 1 Comm: shutdown Not tainted 5.14.0-rc5-next-20210810+ #88
[ 3710.780073][    T1] Hardware name: MiTAC RAPTOR EV-883832-X3-0001/RAPTOR, BIOS 1.6 06/28/2020
[ 3710.788600][    T1] Call trace:
[ 3710.791741][    T1]  dump_backtrace+0x0/0x3b8
[ 3710.796103][    T1]  show_stack+0x20/0x30
[ 3710.800115][    T1]  dump_stack_lvl+0x8c/0xb8
[ 3710.804472][    T1]  print_address_description.constprop.0+0x74/0x3c8
[ 3710.810913][    T1]  kasan_report+0x1f0/0x208
[ 3710.815270][    T1]  __asan_report_load8_noabort+0x34/0x60
[ 3710.820755][    T1]  bdev_evict_inode+0x454/0x4d0
[ 3710.825459][    T1]  evict+0x20c/0x400
evict at /root/linux-next/fs/inode.c:595
[ 3710.829208][    T1]  iput.part.0+0x53c/0x7a8
[ 3710.833477][    T1]  iput+0x48/0x68
[ 3710.836964][    T1]  disk_release+0x168/0x1d8
[ 3710.841322][    T1]  device_release+0xec/0x1f0
[ 3710.845766][    T1]  kobject_release+0xe4/0x360
[ 3710.850299][    T1]  kobject_put+0x7c/0x138
[ 3710.854481][    T1]  put_device+0x1c/0x30
[ 3710.858489][    T1]  blk_cleanup_disk+0x64/0x88
[ 3710.863021][    T1]  cleanup_mapped_device+0x128/0x1e8 [dm_mod]
[ 3710.868974][    T1]  __dm_destroy+0x314/0x618 [dm_mod]
[ 3710.874140][    T1]  dm_destroy+0x1c/0x28 [dm_mod]
[ 3710.878955][    T1]  dev_remove+0x214/0x2f8 [dm_mod]
[ 3710.883947][    T1]  ctl_ioctl+0x490/0xb58 [dm_mod]
[ 3710.888850][    T1]  dm_ctl_ioctl+0x18/0x28 [dm_mod]
[ 3710.893842][    T1]  __arm64_sys_ioctl+0x114/0x180
[ 3710.898636][    T1]  invoke_syscall.constprop.0+0xdc/0x1d8
[ 3710.904123][    T1]  do_el0_svc+0xe4/0x2a8
[ 3710.908219][    T1]  el0_svc+0x64/0x130
[ 3710.912057][    T1]  el0t_64_sync_handler+0xb0/0xb8
[ 3710.916934][    T1]  el0t_64_sync+0x180/0x184
[ 3711.007417][    T1] 
[ 3711.009600][    T1] Freed by task 1:
[ 3711.013172][    T1]  kasan_save_stack+0x28/0x58
[ 3711.017702][    T1]  kasan_set_track+0x28/0x40
[ 3711.022144][    T1]  kasan_set_free_info+0x28/0x50
[ 3711.026933][    T1]  __kasan_slab_free+0xfc/0x150
[ 3711.031636][    T1]  slab_free_freelist_hook+0x108/0x208
[ 3711.036947][    T1]  kfree+0x154/0x3c8
[ 3711.040695][    T1]  release_bdi+0x80/0xc0
[ 3711.044790][    T1]  bdi_put+0x54/0xb0
[ 3711.048537][    T1]  disk_release+0x70/0x1d8
[ 3711.052807][    T1]  device_release+0xec/0x1f0
[ 3711.057251][    T1]  kobject_release+0xe4/0x360
[ 3711.061782][    T1]  kobject_put+0x7c/0x138
[ 3711.065964][    T1]  put_device+0x1c/0x30
[ 3711.069974][    T1]  blk_cleanup_disk+0x64/0x88
blk_cleanup_disk at /root/linux-next/block/genhd.c:1355
[ 3711.074503][    T1]  cleanup_mapped_device+0x128/0x1e8 [dm_mod]
[ 3711.080451][    T1]  __dm_destroy+0x314/0x618 [dm_mod]
[ 3711.085617][    T1]  dm_destroy+0x1c/0x28 [dm_mod]
[ 3711.090434][    T1]  dev_remove+0x214/0x2f8 [dm_mod]
[ 3711.095424][    T1]  ctl_ioctl+0x490/0xb58 [dm_mod]
[ 3711.100328][    T1]  dm_ctl_ioctl+0x18/0x28 [dm_mod]
[ 3711.105317][    T1]  __arm64_sys_ioctl+0x114/0x180
[ 3711.110108][    T1]  invoke_syscall.constprop.0+0xdc/0x1d8
[ 3711.115594][    T1]  do_el0_svc+0xe4/0x2a8
[ 3711.119691][    T1]  el0_svc+0x64/0x130
[ 3711.123527][    T1]  el0t_64_sync_handler+0xb0/0xb8
[ 3711.128402][    T1]  el0t_64_sync+0x180/0x184
[ 3711.132759][    T1] 
[ 3711.134941][    T1] Last potentially related work creation:
[ 3711.140511][    T1]  kasan_save_stack+0x28/0x58
[ 3711.145041][    T1]  kasan_record_aux_stack+0xf4/0x128
[ 3711.150179][    T1]  insert_work+0x58/0x2c0
[ 3711.154361][    T1]  __queue_work+0x644/0x18d0
[ 3711.158802][    T1]  __queue_delayed_work+0x14c/0x228
[ 3711.163853][    T1]  mod_delayed_work_on+0xc0/0x128
[ 3711.168729][    T1]  wb_shutdown+0x174/0x230
[ 3711.172999][    T1]  bdi_unregister+0x158/0x480
[ 3711.177527][    T1]  del_gendisk+0x410/0x548
[ 3711.181797][    T1]  cleanup_mapped_device+0x190/0x1e8 [dm_mod]
[ 3711.187745][    T1]  __dm_destroy+0x314/0x618 [dm_mod]
[ 3711.192909][    T1]  dm_destroy+0x1c/0x28 [dm_mod]
[ 3711.197725][    T1]  dev_remove+0x214/0x2f8 [dm_mod]
[ 3711.202716][    T1]  ctl_ioctl+0x490/0xb58 [dm_mod]
[ 3711.207620][    T1]  dm_ctl_ioctl+0x18/0x28 [dm_mod]
[ 3711.212611][    T1]  __arm64_sys_ioctl+0x114/0x180
[ 3711.217402][    T1]  invoke_syscall.constprop.0+0xdc/0x1d8
[ 3711.222889][    T1]  do_el0_svc+0xe4/0x2a8
[ 3711.226985][    T1]  el0_svc+0x64/0x130
[ 3711.230823][    T1]  el0t_64_sync_handler+0xb0/0xb8
[ 3711.235699][    T1]  el0t_64_sync+0x180/0x184
[ 3711.240055][    T1] 
[ 3711.242237][    T1] Second to last potentially related work creation:
[ 3711.248673][    T1]  kasan_save_stack+0x28/0x58
[ 3711.253203][    T1]  kasan_record_aux_stack+0xf4/0x128
[ 3711.258340][    T1]  insert_work+0x58/0x2c0
[ 3711.262522][    T1]  __queue_work+0x644/0x18d0
[ 3711.266964][    T1]  delayed_work_timer_fn+0x6c/0xa0
[ 3711.271927][    T1]  call_timer_fn+0x224/0xbb0
[ 3711.276371][    T1]  __run_timers.part.0+0x548/0xb58
[ 3711.281336][    T1]  run_timer_softirq+0x80/0x118
[ 3711.286039][    T1]  _stext+0x2d4/0x11ac
[ 3711.289961][    T1] 
[ 3711.292142][    T1] The buggy address belongs to the object at ffff000859ff6000
[ 3711.292142][    T1]  which belongs to the cache kmalloc-4k of size 4096
[ 3711.306045][    T1] The buggy address is located 96 bytes inside of
[ 3711.306045][    T1]  4096-byte region [ffff000859ff6000, ffff000859ff7000)
[ 3711.319169][    T1] The buggy address belongs to the page:
[ 3711.324653][    T1] page:ffffffc002167e00 refcount:1 mapcount:0 mapping:0000000000000000 index:0xffff000859fd2000 pfn:0x8d9f8
[ 3711.335954][    T1] head:ffffffc002167e00 order:3 compound_mapcount:0 compound_pincount:0
[ 3711.344129][    T1] flags: 0x7ffff800010200(slab|head|node=0|zone=0|lastcpupid=0xfffff)
[ 3711.352137][    T1] raw: 007ffff800010200 ffffffc002168208 ffffffc002140e08 ffff000012911580
[ 3711.360574][    T1] raw: ffff000859fd2000 00000000002a0002 00000001ffffffff 0000000000000000
[ 3711.369008][    T1] page dumped because: kasan: bad access detected
[ 3711.375272][    T1] 
[ 3711.377454][    T1] Memory state around the buggy address:
[ 3711.382936][    T1]  ffff000859ff5f00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3711.390848][    T1]  ffff000859ff5f80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 3711.398762][    T1] >ffff000859ff6000: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3711.406674][    T1]                                                        ^
[ 3711.413719][    T1]  ffff000859ff6080: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 3711.421632][    T1]  ffff000859ff6100: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb

> 
> Diffstat:
>  block/bfq-iosched.c           |    4 ++--
>  block/blk-cgroup.c            |    7 +++----
>  block/blk-core.c              |   18 +++---------------
>  block/blk-mq.c                |    2 +-
>  block/blk-settings.c          |   22 ++++++++++++++--------
>  block/blk-sysfs.c             |   28 +++++++++++++---------------
>  block/blk-wbt.c               |   10 +++++-----
>  block/genhd.c                 |   23 ++++++++++++++---------
>  block/ioctl.c                 |    7 ++++---
>  drivers/block/drbd/drbd_nl.c  |    2 +-
>  drivers/block/drbd/drbd_req.c |    5 ++---
>  drivers/block/pktcdvd.c       |    8 +++-----
>  drivers/md/dm-table.c         |    2 +-
>  drivers/nvme/host/core.c      |    2 +-
>  fs/block_dev.c                |   13 +------------
>  fs/fat/fatent.c               |    1 +
>  fs/nilfs2/super.c             |    2 +-
>  fs/super.c                    |    2 +-
>  fs/xfs/xfs_buf.c              |    2 +-
>  include/linux/backing-dev.h   |    2 +-
>  include/linux/blk_types.h     |    1 -
>  include/linux/blkdev.h        |    6 ++----
>  include/linux/genhd.h         |    1 +
>  mm/backing-dev.c              |    3 +++
>  mm/page-writeback.c           |    2 --
>  25 files changed, 79 insertions(+), 96 deletions(-)
> 




[Index of Archives]     [Linux ARM Kernel]     [Linux ARM]     [Linux Omap]     [Fedora ARM]     [IETF Annouce]     [Bugtraq]     [Linux OMAP]     [Linux MIPS]     [eCos]     [Asterisk Internet PBX]     [Linux API]

  Powered by Linux