Re: io_submit with slab free object overwritten

From: Qian Cai <cai@lca.pw>
To: Eric Sandeen <sandeen@sandeen.net>, hch@lst.de
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, hare@suse.com,
	bcrl@kvack.org, linux-aio@kvack.org,
	Linux-MM <linux-mm@kvack.org>,
	jthumshirn@suse.de, linux-fsdevel@vger.kernel.org,
	Christoph Lameter <cl@linux.com>
Subject: Re: io_submit with slab free object overwritten
Date: Fri, 22 Feb 2019 17:06:56 -0500	[thread overview]
Message-ID: <fb8add28-41da-da16-8b3d-7c7f4d4b0b8a@lca.pw> (raw)
In-Reply-To: <aeeed9ef-357e-4702-1e4b-ed85cab7ae34@sandeen.net>

On 2/22/19 4:58 PM, Eric Sandeen wrote:
> On 2/22/19 3:48 PM, Qian Cai wrote:
>>
>>
>> On 2/22/19 4:42 PM, Eric Sandeen wrote:
>>> On 2/22/19 3:07 PM, Qian Cai wrote:
>>>> Reverted the commit 75374d062756 ("fs: add an iopoll method to struct
>>>> file_operations") fixed the problem. Christoph mentioned that the field can be
>>>> calculated by the offset (40 bytes).
>>>
>>> I'm a little confused, you can't revert just that patch, right, because others
>>> in the iopoll series depend on it.  Is the above commit really the culprit, or do
>>> you mean you backed out the whole series?
>>
>> No, I can revert that single commit on the top of linux-next (next-20190222)
>> just fine.
> 
> Sorry for being pedantic, but this commit is still in your tree?  How can this build
> with just 75374d062756 reverted?
> 
> (I'm confused about how simply changing the size of the 2 structures via
> 75374d062756 could cause memory corruption, so trying to really understand
> what got tested...)
> 
> commit 06eca8c02eb3e171dc5721ddca4218d41b09b3aa
> Author: Christoph Hellwig <hch@lst.de>
> Date:   Fri Nov 30 08:31:52 2018 -0700
> 
>     block: wire up block device iopoll method
>     
>     Just call blk_poll on the iocb cookie, we can derive the block device
>     from the inode trivially.
>     
>     Reviewed-by: Hannes Reinecke <hare@suse.com>
>     Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
>     Signed-off-by: Christoph Hellwig <hch@lst.de>
>     Signed-off-by: Jens Axboe <axboe@kernel.dk>
> 
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 7758ade..d1277a1 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -294,6 +294,14 @@ struct blkdev_dio {
>  
>  static struct bio_set blkdev_dio_pool;
>  
> +static int blkdev_iopoll(struct kiocb *kiocb, bool wait)
> +{
> +       struct block_device *bdev = I_BDEV(kiocb->ki_filp->f_mapping->host);
> +       struct request_queue *q = bdev_get_queue(bdev);
> +
> +       return blk_poll(q, READ_ONCE(kiocb->ki_cookie), wait);
> +}
> +
>  static void blkdev_bio_end_io(struct bio *bio)
>  {
>         struct blkdev_dio *dio = bio->bi_private;
> @@ -412,6 +420,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
>                                 bio->bi_opf |= REQ_HIPRI;
>  
>                         qc = submit_bio(bio);
> +                       WRITE_ONCE(iocb->ki_cookie, qc);
>                         break;
>                 }
>  
> @@ -2078,6 +2087,7 @@ const struct file_operations def_blk_fops = {
>         .llseek         = block_llseek,
>         .read_iter      = blkdev_read_iter,
>         .write_iter     = blkdev_write_iter,
> +       .iopoll         = blkdev_iopoll,
>         .mmap           = generic_file_mmap,
>         .fsync          = blkdev_fsync,
>         .unlocked_ioctl = block_ioctl,
> 

Sorry, I had a copy-and-paste error here while looking at the surrounding
commits. I meant,

Reverted 06eca8c02eb3 (block: wire up block device iopoll method) fixed the problem.