From: "Paul E. McKenney" <paulmck@kernel.org>
To: Ming Lei <ming.lei@redhat.com>
Cc: Boqun Feng <boqun.feng@gmail.com>,
	Hillf Danton <hdanton@sina.com>,
	syzbot <syzbot+4f789823c1abc5accf13@syzkaller.appspotmail.com>,
	Joel Fernandes <joel@joelfernandes.org>,
	Lai Jiangshan <laijs@linux.alibaba.com>,
	linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
	quic_neeraju@quicinc.com, frederic@kernel.org, urezki@gmail.com,
	Jens Axboe <axboe@kernel.dk>
Subject: Re: [syzbot] KASAN: use-after-free Read in srcu_invoke_callbacks
Date: Fri, 14 Jan 2022 08:11:38 -0800
Message-ID: <20220114161138.GW947480@paulmck-ThinkPad-P17-Gen-1>
In-Reply-To: <YeGdoAFYGhg3viPZ@T590>

On Fri, Jan 14, 2022 at 11:58:24PM +0800, Ming Lei wrote:
> On Fri, Jan 14, 2022 at 07:27:52AM -0800, Paul E. McKenney wrote:
> > On Fri, Jan 14, 2022 at 10:38:42PM +0800, Boqun Feng wrote:
> > > Hi,
> > > 
> > > On Tue, Jan 11, 2022 at 11:05:00AM -0800, Paul E. McKenney wrote:
> > > [...]
> > > > > > The buggy address belongs to the object at ffff8880189b5c70
> > > > > >  which belongs to the cache request_queue_srcu of size 3816
> > > 
> > > This cache name drew my attention when I was trying to look into this,
> > > because I couldn't find it in v5.16; later on I realized the UAF was
> > > found in linux-next and the commit introducing the cache was merged into
> > > mainline in the 5.17 merge window:
> > > 
> > > 	704b914f15fb blk-mq: move srcu from blk_mq_hw_ctx to request_queue
> > > 
> > > I think the UAF is actually a bug introduced by the commit, because in
> > > that commit srcu structure was moved from blk_mq_hw_ctx to
> > > request_queue, and therefore the cleanup_srcu_struct() should be moved
> > > from blk_mq_hw_sysfs_release() to blk_release_queue(), however the above
> > > commit only deleted the one in blk_mq_hw_sysfs_release() but didn't add
> > > a new one in blk_release_queue(). As a result, when a request queue is
> > > freed, the srcu structure is not fully cleaned up, hence the UAF.
> > > 
> > > IOW, something like below (untested) should fix this. Copying the author
> > > and block maintainers.
> > 
> > One question for the author and block maintainers...  Why not simply have
> > a single srcu_struct for all of the queues?  Or is there some situation
> > where you need one queue's reader to avoid blocking other queues' SRCU
> > grace periods?
> 
> Because srcu_struct is too fat, and only a few drivers need it;
> most block drivers don't need it.

Fair points.

But would it make sense to dynamically allocate a single srcu_struct
when the first need arose, and only remove it when the last need passed?

							Thanx, Paul
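The two lifecycle shapes this thread discusses, modelled in userspace as an added example (this is not code from the thread, from commit 704b914f15fb, or from the kernel's SRCU implementation). A small registry stands in for the state the SRCU core keeps about an initialised srcu_struct; the names mock_srcu, mock_queue, queue_release_buggy, queue_release_fixed, shared_srcu_get and shared_srcu_put are hypothetical. The first half shows why an srcu_struct embedded in a larger object must have cleanup_srcu_struct() paired with that object's release; the second half shows the refcounted single shared struct suggested above, allocated on first need and freed on last.

```c
#include <stdlib.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_LIVE 16

/* Hypothetical registry of srcu structs that were initialised and not yet
 * cleaned up. It stands in for the state the real SRCU core keeps (pending
 * callbacks, per-CPU data) that outlives the embedding object if cleanup is
 * skipped. Entries are compared by address only and never dereferenced. */
static void *live[MAX_LIVE];

struct mock_srcu { int inited; };   /* stand-in for struct srcu_struct */

static int mock_init_srcu(struct mock_srcu *ssp)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (!live[i]) { live[i] = ssp; ssp->inited = 1; return 0; }
	return -1;
}

static void mock_cleanup_srcu(struct mock_srcu *ssp)
{
	for (int i = 0; i < MAX_LIVE; i++)
		if (live[i] == ssp) live[i] = NULL;
	ssp->inited = 0;
}

/* Number of registrations the (mock) SRCU core still holds. */
static int live_count(void)
{
	int n = 0;
	for (int i = 0; i < MAX_LIVE; i++) n += live[i] != NULL;
	return n;
}

static void registry_reset(void)
{
	for (int i = 0; i < MAX_LIVE; i++) live[i] = NULL;
}

/* Per-queue variant: the srcu struct is embedded in the queue object,
 * as it is in request_queue after commit 704b914f15fb. */
struct mock_queue { struct mock_srcu srcu; bool has_srcu; };

static struct mock_queue *queue_alloc(bool needs_srcu)
{
	struct mock_queue *q = calloc(1, sizeof(*q));
	if (q && needs_srcu && mock_init_srcu(&q->srcu) == 0) q->has_srcu = true;
	return q;
}

/* Buggy shape: the memory goes away but the SRCU core still points at it. */
static void queue_release_buggy(struct mock_queue *q) { free(q); }

/* Fixed shape: cleanup is paired with the owning object's release. */
static void queue_release_fixed(struct mock_queue *q)
{
	if (q->has_srcu) mock_cleanup_srcu(&q->srcu);
	free(q);
}

/* One alloc/release cycle; returns how many stale registrations remain:
 * 1 for the buggy release, 0 for the fixed one. */
int dangling_after_release(bool fixed)
{
	registry_reset();
	struct mock_queue *q = queue_alloc(true);
	if (!q) return -1;
	if (fixed) queue_release_fixed(q); else queue_release_buggy(q);
	return live_count();
}

/* Shared variant: one srcu struct allocated when the first user appears and
 * freed when the last one leaves. A kernel version would need a lock or an
 * atomic around the counter; this model is single-threaded. */
static struct mock_srcu *shared_srcu;
static int shared_users, shared_inits;

static struct mock_srcu *shared_srcu_get(void)
{
	if (shared_users == 0) {
		shared_srcu = calloc(1, sizeof(*shared_srcu));
		if (!shared_srcu) return NULL;
		mock_init_srcu(shared_srcu);
		shared_inits++;
	}
	shared_users++;
	return shared_srcu;
}

static void shared_srcu_put(void)
{
	if (--shared_users == 0) {
		mock_cleanup_srcu(shared_srcu);
		free(shared_srcu);
		shared_srcu = NULL;
	}
}

/* Three users take and drop the shared struct; returns the number of init
 * calls made (1 expected), or -1 if anything is left registered. */
int shared_lifecycle_demo(void)
{
	registry_reset();
	shared_inits = 0;
	struct mock_srcu *a = shared_srcu_get(), *b = shared_srcu_get(), *c = shared_srcu_get();
	if (!a || a != b || b != c) return -1;
	shared_srcu_put(); shared_srcu_put(); shared_srcu_put();
	return live_count() == 0 ? shared_inits : -1;
}
```

The point of the registry is that a stale entry after the buggy release is exactly what a later grace-period or callback run would dereference; in the real kernel that is the KASAN report in the subject. The shared variant keeps the init/cleanup pair inside get/put, so no caller can free the memory while a registration is outstanding.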
