* [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev()
@ 2022-01-31 16:20 Kirill Tkhai
2022-01-31 23:37 ` Damien Le Moal
0 siblings, 1 reply; 13+ messages in thread
From: Kirill Tkhai @ 2022-01-31 16:20 UTC (permalink / raw)
To: agk, snitzer, damien.lemoal, ktkhai, dm-devel
dm_cleanup_zoned_dev() uses the queue, so it must be called before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, the RCU callback may be executed first, and dm_cleanup_zoned_dev() touches freed memory:
[ 85.074005] BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
[ 85.075448] Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
[ 85.076102] CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
[ 85.076570] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
[ 85.077150] Call Trace:
[ 85.077332] <TASK>
[ 85.077478] dump_stack_lvl+0x57/0x7d
[ 85.077763] print_address_description.constprop.0+0x1f/0x150
[ 85.078229] ? dm_cleanup_zoned_dev+0x33/0xd0
[ 85.078579] kasan_report.cold+0x7f/0x11b
[ 85.078910] ? dm_cleanup_zoned_dev+0x33/0xd0
[ 85.079219] dm_cleanup_zoned_dev+0x33/0xd0
[ 85.079499] __dm_destroy+0x26a/0x400
[ 85.079781] ? dm_blk_ioctl+0x230/0x230
[ 85.080090] ? up_write+0xd8/0x270
[ 85.080364] dev_remove+0x156/0x1d0
[ 85.080639] ctl_ioctl+0x269/0x530
[ 85.080910] ? table_clear+0x140/0x140
[ 85.081209] ? lock_release+0xb2/0x750
[ 85.081518] ? remove_all+0x40/0x40
[ 85.081796] ? rcu_read_lock_sched_held+0x12/0x70
[ 85.082166] ? lock_downgrade+0x3c0/0x3c0
[ 85.082468] ? rcu_read_lock_sched_held+0x12/0x70
[ 85.082833] dm_ctl_ioctl+0xa/0x10
[ 85.083094] __x64_sys_ioctl+0xb9/0xf0
[ 85.083350] do_syscall_64+0x3b/0x90
[ 85.083595] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 85.083955] RIP: 0033:0x7fb6dfa95c27
[ 85.084277] Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
[ 85.086009] RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
[ 85.086914] RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
[ 85.087607] RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
[ 85.088272] RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
[ 85.088956] R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
[ 85.089477] R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
[ 85.090038] </TASK>
[ 85.090348] Allocated by task 673:
[ 85.090625] kasan_save_stack+0x1e/0x40
[ 85.090978] __kasan_slab_alloc+0x66/0x80
[ 85.091336] kmem_cache_alloc_node+0x1ca/0x460
[ 85.091742] blk_alloc_queue+0x33/0x4e0
[ 85.092112] __blk_alloc_disk+0x1b/0x60
[ 85.092464] dm_create+0x368/0xa20
[ 85.092764] dev_create+0xb9/0x170
[ 85.093118] ctl_ioctl+0x269/0x530
[ 85.093521] dm_ctl_ioctl+0xa/0x10
[ 85.093921] __x64_sys_ioctl+0xb9/0xf0
[ 85.094177] do_syscall_64+0x3b/0x90
[ 85.094420] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 85.094868] Freed by task 0:
[ 85.095062] kasan_save_stack+0x1e/0x40
[ 85.095319] kasan_set_track+0x21/0x30
[ 85.095569] kasan_set_free_info+0x20/0x30
[ 85.095858] __kasan_slab_free+0xfb/0x130
[ 85.096141] slab_free_freelist_hook+0x7d/0x150
[ 85.096502] kmem_cache_free+0x13c/0x340
[ 85.096778] rcu_do_batch+0x2d9/0x820
[ 85.097049] rcu_core+0x3b8/0x570
[ 85.097330] __do_softirq+0x1c4/0x63d
[ 85.097792] Last potentially related work creation:
[ 85.098226] kasan_save_stack+0x1e/0x40
[ 85.098549] __kasan_record_aux_stack+0x96/0xa0
[ 85.098951] call_rcu+0xc4/0x8f0
[ 85.099220] kobject_put+0xd9/0x270
[ 85.099557] disk_release+0xee/0x120
[ 85.099864] device_release+0x59/0xf0
[ 85.100208] kobject_put+0xd9/0x270
[ 85.100509] cleanup_mapped_device+0x12b/0x1b0
[ 85.100910] __dm_destroy+0x26a/0x400
[ 85.101247] dev_remove+0x156/0x1d0
[ 85.101555] ctl_ioctl+0x269/0x530
[ 85.101859] dm_ctl_ioctl+0xa/0x10
[ 85.102198] __x64_sys_ioctl+0xb9/0xf0
[ 85.102527] do_syscall_64+0x3b/0x90
[ 85.102811] entry_SYSCALL_64_after_hwframe+0x44/0xae
[ 85.103347] The buggy address belongs to the object at ffff88805ac6e180
which belongs to the cache request_queue of size 2992
[ 85.104338] The buggy address is located 688 bytes inside of
2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
[ 85.105255] The buggy address belongs to the page:
[ 85.105633] page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
[ 85.106363] head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
[ 85.106948] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
[ 85.107494] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
[ 85.108091] raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
[ 85.108695] page dumped because: kasan: bad access detected
[ 85.109257] Memory state around the buggy address:
[ 85.109625] ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.110178] ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.110973] >ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.111891] ^
[ 85.112353] ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.113036] ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 85.113800] ==================================================================
Fixes: bb37d77239af ("dm: introduce zone append emulation")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index dcbd6d201619..d472fe5dbc1d 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
md->dax_dev = NULL;
}
+ dm_cleanup_zoned_dev(md);
if (md->disk) {
spin_lock(&_minor_lock);
md->disk->private_data = NULL;
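Review bot: the new call site has no comment recording why dm_cleanup_zoned_dev(md) must precede the `if (md->disk)` block, so a later reorder of cleanup_mapped_device() could silently reintroduce the use-after-free the message describes. Suggest one line above the call, e.g. `/* Must run before blk_cleanup_disk(): the queue is freed via RCU. */`, so the ordering constraint lives next to the code rather than only in git history.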
@@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
mutex_destroy(&md->swap_bios_lock);
dm_mq_cleanup_mapped_device(md);
- dm_cleanup_zoned_dev(md);
}
/*
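Review bot: the removed line sat after dm_mq_cleanup_mapped_device(md) and the mutex_destroy() calls, so the move also changes what is still alive when dm_cleanup_zoned_dev() runs, and the commit message only argues the blk_cleanup_disk() side. A sentence stating that dm_cleanup_zoned_dev() depends on nothing torn down between the old site and the new one would make the reorder self-evidently safe to a reader of this hunk alone.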
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
^ permalink raw reply related [flat|nested] 13+ messages in thread
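The ordering the commit message describes, as an added example that is not part of this thread or of the kernel: a userspace C model with a fake RCU callback list and a KASAN-style freed-object check, so the two orderings of cleanup_mapped_device() can be run side by side. Every function here (track_free, check_read, call_rcu_model, rcu_run and the *_model stand-ins) and every struct field is constructed for the illustration; the softirq_wins flag replaces the real race with an explicit choice of which side runs first.

```c
/* Constructed model of the cleanup ordering this patch fixes. Not kernel code:
 * every function below is a stand-in and the struct fields are assumptions. */
#include <stdbool.h>
#include <stdio.h>

/* KASAN-like tracking: a freed object is quarantined (never reused) and its
 * address remembered, so a later read of it is reported, not silently served. */
static const void *freed_obj;
static int uaf_reports;                 /* use-after-free reads detected */

static void track_free(const void *p) { freed_obj = p; }

/* Every read in the model passes through here, like an instrumented load. */
static bool check_read(const void *p, const char *where)
{
	if (p != freed_obj)
		return true;
	uaf_reports++;
	printf("BUG: use-after-free in %s\n", where);
	return false;
}

/* Fake RCU: call_rcu() only queues the callback; rcu_run() is the model's
 * grace-period end (rcu_do_batch() in the real trace) and runs it. */
struct rcu_cb { void (*fn)(void *); void *arg; };
static struct rcu_cb rcu_pending[4];
static int rcu_npending;

static void call_rcu_model(void (*fn)(void *), void *arg)
{
	rcu_pending[rcu_npending++] = (struct rcu_cb){ fn, arg };
}

static void rcu_run(void)
{
	for (int i = 0; i < rcu_npending; i++)
		rcu_pending[i].fn(rcu_pending[i].arg);
	rcu_npending = 0;
}

struct request_queue { unsigned int nr_zones; };
struct gendisk { struct request_queue *queue; };
struct mapped_device { struct gendisk *disk; struct request_queue *queue; };
static struct request_queue queue_storage;
static struct gendisk disk_storage = { &queue_storage };

static void blk_free_queue_rcu_model(void *q) { track_free(q); }

/* blk_cleanup_disk(): the final kobject_put() defers the queue free to RCU. */
static void blk_cleanup_disk_model(struct gendisk *disk)
{
	call_rcu_model(blk_free_queue_rcu_model, disk->queue);
}

/* dm_cleanup_zoned_dev(): reads the queue, so the queue must still be live. */
static void dm_cleanup_zoned_dev_model(struct mapped_device *md)
{
	if (check_read(md->queue, "dm_cleanup_zoned_dev"))
		md->queue->nr_zones = 0;    /* illustrative release of zoned state */
}

static struct mapped_device dm_create_model(void)
{
	freed_obj = NULL;
	rcu_npending = uaf_reports = 0;
	queue_storage.nr_zones = 16;
	return (struct mapped_device){ &disk_storage, &queue_storage };
}

/* Ordering before the patch. softirq_wins models the RCU callback running
 * before dm_cleanup_zoned_dev(), the race the KASAN splat caught. Returns
 * the number of use-after-free reads detected (0 or 1). */
int teardown_before_patch(bool softirq_wins)
{
	struct mapped_device md = dm_create_model();
	if (md.disk)
		blk_cleanup_disk_model(md.disk);  /* queues blk_free_queue_rcu() */
	if (softirq_wins)
		rcu_run();                        /* the queue is freed here */
	dm_cleanup_zoned_dev_model(&md);          /* reads a possibly freed queue */
	return uaf_reports;
}

/* Ordering after the patch: the zoned state is released while the queue is
 * still alive, so when the RCU callback runs no longer matters. */
int teardown_after_patch(bool softirq_wins)
{
	struct mapped_device md = dm_create_model();
	dm_cleanup_zoned_dev_model(&md);
	if (md.disk)
		blk_cleanup_disk_model(md.disk);
	if (softirq_wins)
		rcu_run();
	return uaf_reports;
}
```

teardown_before_patch(true) returns 1 and every other combination returns 0. The before/false case returning 0 is the instructive one: the old ordering is only wrong when the grace period ends before dm_cleanup_zoned_dev() runs, which is why the bug shows up as an intermittent KASAN report on a dmsetup remove rather than a deterministic crash, and why a KASAN-enabled kernel with repeated create/remove cycles is the way to confirm the fix.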
* Re: [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-01-31 16:20 [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev() Kirill Tkhai
@ 2022-01-31 23:37 ` Damien Le Moal
2022-02-01 8:12 ` Kirill Tkhai
0 siblings, 1 reply; 13+ messages in thread
From: Damien Le Moal @ 2022-01-31 23:37 UTC (permalink / raw)
To: Kirill Tkhai, agk, snitzer, dm-devel
On 2022/02/01 1:21, Kirill Tkhai wrote:
> dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing:
>
> blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
>
> Otherwise, RCU callback may be executed first, and dm_cleanup_zoned_dev() touches freed memory:
>
> [ 85.074005] BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
> [ 85.075448] Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
>
> [ 85.076102] CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
> [ 85.076570] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
> [ 85.077150] Call Trace:
> [ 85.077332] <TASK>
> [ 85.077478] dump_stack_lvl+0x57/0x7d
> [ 85.077763] print_address_description.constprop.0+0x1f/0x150
> [ 85.078229] ? dm_cleanup_zoned_dev+0x33/0xd0
> [ 85.078579] kasan_report.cold+0x7f/0x11b
> [ 85.078910] ? dm_cleanup_zoned_dev+0x33/0xd0
> [ 85.079219] dm_cleanup_zoned_dev+0x33/0xd0
> [ 85.079499] __dm_destroy+0x26a/0x400
> [ 85.079781] ? dm_blk_ioctl+0x230/0x230
> [ 85.080090] ? up_write+0xd8/0x270
> [ 85.080364] dev_remove+0x156/0x1d0
> [ 85.080639] ctl_ioctl+0x269/0x530
> [ 85.080910] ? table_clear+0x140/0x140
> [ 85.081209] ? lock_release+0xb2/0x750
> [ 85.081518] ? remove_all+0x40/0x40
> [ 85.081796] ? rcu_read_lock_sched_held+0x12/0x70
> [ 85.082166] ? lock_downgrade+0x3c0/0x3c0
> [ 85.082468] ? rcu_read_lock_sched_held+0x12/0x70
> [ 85.082833] dm_ctl_ioctl+0xa/0x10
> [ 85.083094] __x64_sys_ioctl+0xb9/0xf0
> [ 85.083350] do_syscall_64+0x3b/0x90
> [ 85.083595] entry_SYSCALL_64_after_hwframe+0x44/0xae
> [ 85.083955] RIP: 0033:0x7fb6dfa95c27
> [ 85.084277] Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
> [ 85.086009] RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> [ 85.086914] RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
> [ 85.087607] RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
> [ 85.088272] RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
> [ 85.088956] R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
> [ 85.089477] R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
> [ 85.090038] </TASK>
>
> [ 85.090348] Allocated by task 673:
> [ 85.090625] kasan_save_stack+0x1e/0x40
> [ 85.090978] __kasan_slab_alloc+0x66/0x80
> [ 85.091336] kmem_cache_alloc_node+0x1ca/0x460
> [ 85.091742] blk_alloc_queue+0x33/0x4e0
> [ 85.092112] __blk_alloc_disk+0x1b/0x60
> [ 85.092464] dm_create+0x368/0xa20
> [ 85.092764] dev_create+0xb9/0x170
> [ 85.093118] ctl_ioctl+0x269/0x530
> [ 85.093521] dm_ctl_ioctl+0xa/0x10
> [ 85.093921] __x64_sys_ioctl+0xb9/0xf0
> [ 85.094177] do_syscall_64+0x3b/0x90
> [ 85.094420] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> [ 85.094868] Freed by task 0:
> [ 85.095062] kasan_save_stack+0x1e/0x40
> [ 85.095319] kasan_set_track+0x21/0x30
> [ 85.095569] kasan_set_free_info+0x20/0x30
> [ 85.095858] __kasan_slab_free+0xfb/0x130
> [ 85.096141] slab_free_freelist_hook+0x7d/0x150
> [ 85.096502] kmem_cache_free+0x13c/0x340
> [ 85.096778] rcu_do_batch+0x2d9/0x820
> [ 85.097049] rcu_core+0x3b8/0x570
> [ 85.097330] __do_softirq+0x1c4/0x63d
>
> [ 85.097792] Last potentially related work creation:
> [ 85.098226] kasan_save_stack+0x1e/0x40
> [ 85.098549] __kasan_record_aux_stack+0x96/0xa0
> [ 85.098951] call_rcu+0xc4/0x8f0
> [ 85.099220] kobject_put+0xd9/0x270
> [ 85.099557] disk_release+0xee/0x120
> [ 85.099864] device_release+0x59/0xf0
> [ 85.100208] kobject_put+0xd9/0x270
> [ 85.100509] cleanup_mapped_device+0x12b/0x1b0
> [ 85.100910] __dm_destroy+0x26a/0x400
> [ 85.101247] dev_remove+0x156/0x1d0
> [ 85.101555] ctl_ioctl+0x269/0x530
> [ 85.101859] dm_ctl_ioctl+0xa/0x10
> [ 85.102198] __x64_sys_ioctl+0xb9/0xf0
> [ 85.102527] do_syscall_64+0x3b/0x90
> [ 85.102811] entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> [ 85.103347] The buggy address belongs to the object at ffff88805ac6e180
> which belongs to the cache request_queue of size 2992
> [ 85.104338] The buggy address is located 688 bytes inside of
> 2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
> [ 85.105255] The buggy address belongs to the page:
> [ 85.105633] page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
> [ 85.106363] head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
> [ 85.106948] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
> [ 85.107494] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
> [ 85.108091] raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
> [ 85.108695] page dumped because: kasan: bad access detected
>
> [ 85.109257] Memory state around the buggy address:
> [ 85.109625] ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 85.110178] ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 85.110973] >ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 85.111891] ^
> [ 85.112353] ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 85.113036] ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> [ 85.113800] ==================================================================
>
> Fixes: bb37d77239af "dm: introduce zone append emulation"
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
>
> diff --git a/drivers/md/dm.c b/drivers/md/dm.c
> index dcbd6d201619..d472fe5dbc1d 100644
> --- a/drivers/md/dm.c
> +++ b/drivers/md/dm.c
> @@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
> md->dax_dev = NULL;
> }
>
> + dm_cleanup_zoned_dev(md);
> if (md->disk) {
> spin_lock(&_minor_lock);
> md->disk->private_data = NULL;
> @@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
> mutex_destroy(&md->swap_bios_lock);
>
> dm_mq_cleanup_mapped_device(md);
> - dm_cleanup_zoned_dev(md);
> }
>
> /*
>
The commit message format is strange (long lines).
Apart from that, the fix looks good to me.
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
--
Damien Le Moal
Western Digital Research
* Re: [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-01-31 23:37 ` Damien Le Moal
@ 2022-02-01 8:12 ` Kirill Tkhai
2022-02-01 8:26 ` Damien Le Moal
0 siblings, 1 reply; 13+ messages in thread
From: Kirill Tkhai @ 2022-02-01 8:12 UTC (permalink / raw)
To: Damien Le Moal, agk, snitzer, dm-devel
On 01.02.2022 02:37, Damien Le Moal wrote:
> On 2022/02/01 1:21, Kirill Tkhai wrote:
>> dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing:
>>
>> blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
>>
>> Otherwise, RCU callback may be executed first, and dm_cleanup_zoned_dev() touches freed memory:
>>
>> [ 85.074005] BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
>> [ 85.075448] Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
>>
>> [ 85.076102] CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
>> [ 85.076570] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
>> [ 85.077150] Call Trace:
>> [ 85.077332] <TASK>
>> [ 85.077478] dump_stack_lvl+0x57/0x7d
>> [ 85.077763] print_address_description.constprop.0+0x1f/0x150
>> [ 85.078229] ? dm_cleanup_zoned_dev+0x33/0xd0
>> [ 85.078579] kasan_report.cold+0x7f/0x11b
>> [ 85.078910] ? dm_cleanup_zoned_dev+0x33/0xd0
>> [ 85.079219] dm_cleanup_zoned_dev+0x33/0xd0
>> [ 85.079499] __dm_destroy+0x26a/0x400
>> [ 85.079781] ? dm_blk_ioctl+0x230/0x230
>> [ 85.080090] ? up_write+0xd8/0x270
>> [ 85.080364] dev_remove+0x156/0x1d0
>> [ 85.080639] ctl_ioctl+0x269/0x530
>> [ 85.080910] ? table_clear+0x140/0x140
>> [ 85.081209] ? lock_release+0xb2/0x750
>> [ 85.081518] ? remove_all+0x40/0x40
>> [ 85.081796] ? rcu_read_lock_sched_held+0x12/0x70
>> [ 85.082166] ? lock_downgrade+0x3c0/0x3c0
>> [ 85.082468] ? rcu_read_lock_sched_held+0x12/0x70
>> [ 85.082833] dm_ctl_ioctl+0xa/0x10
>> [ 85.083094] __x64_sys_ioctl+0xb9/0xf0
>> [ 85.083350] do_syscall_64+0x3b/0x90
>> [ 85.083595] entry_SYSCALL_64_after_hwframe+0x44/0xae
>> [ 85.083955] RIP: 0033:0x7fb6dfa95c27
>> [ 85.084277] Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
>> [ 85.086009] RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
>> [ 85.086914] RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
>> [ 85.087607] RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
>> [ 85.088272] RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
>> [ 85.088956] R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
>> [ 85.089477] R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
>> [ 85.090038] </TASK>
>>
>> [ 85.090348] Allocated by task 673:
>> [ 85.090625] kasan_save_stack+0x1e/0x40
>> [ 85.090978] __kasan_slab_alloc+0x66/0x80
>> [ 85.091336] kmem_cache_alloc_node+0x1ca/0x460
>> [ 85.091742] blk_alloc_queue+0x33/0x4e0
>> [ 85.092112] __blk_alloc_disk+0x1b/0x60
>> [ 85.092464] dm_create+0x368/0xa20
>> [ 85.092764] dev_create+0xb9/0x170
>> [ 85.093118] ctl_ioctl+0x269/0x530
>> [ 85.093521] dm_ctl_ioctl+0xa/0x10
>> [ 85.093921] __x64_sys_ioctl+0xb9/0xf0
>> [ 85.094177] do_syscall_64+0x3b/0x90
>> [ 85.094420] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> [ 85.094868] Freed by task 0:
>> [ 85.095062] kasan_save_stack+0x1e/0x40
>> [ 85.095319] kasan_set_track+0x21/0x30
>> [ 85.095569] kasan_set_free_info+0x20/0x30
>> [ 85.095858] __kasan_slab_free+0xfb/0x130
>> [ 85.096141] slab_free_freelist_hook+0x7d/0x150
>> [ 85.096502] kmem_cache_free+0x13c/0x340
>> [ 85.096778] rcu_do_batch+0x2d9/0x820
>> [ 85.097049] rcu_core+0x3b8/0x570
>> [ 85.097330] __do_softirq+0x1c4/0x63d
>>
>> [ 85.097792] Last potentially related work creation:
>> [ 85.098226] kasan_save_stack+0x1e/0x40
>> [ 85.098549] __kasan_record_aux_stack+0x96/0xa0
>> [ 85.098951] call_rcu+0xc4/0x8f0
>> [ 85.099220] kobject_put+0xd9/0x270
>> [ 85.099557] disk_release+0xee/0x120
>> [ 85.099864] device_release+0x59/0xf0
>> [ 85.100208] kobject_put+0xd9/0x270
>> [ 85.100509] cleanup_mapped_device+0x12b/0x1b0
>> [ 85.100910] __dm_destroy+0x26a/0x400
>> [ 85.101247] dev_remove+0x156/0x1d0
>> [ 85.101555] ctl_ioctl+0x269/0x530
>> [ 85.101859] dm_ctl_ioctl+0xa/0x10
>> [ 85.102198] __x64_sys_ioctl+0xb9/0xf0
>> [ 85.102527] do_syscall_64+0x3b/0x90
>> [ 85.102811] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>
>> [ 85.103347] The buggy address belongs to the object at ffff88805ac6e180
>> which belongs to the cache request_queue of size 2992
>> [ 85.104338] The buggy address is located 688 bytes inside of
>> 2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
>> [ 85.105255] The buggy address belongs to the page:
>> [ 85.105633] page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
>> [ 85.106363] head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
>> [ 85.106948] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
>> [ 85.107494] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
>> [ 85.108091] raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
>> [ 85.108695] page dumped because: kasan: bad access detected
>>
>> [ 85.109257] Memory state around the buggy address:
>> [ 85.109625] ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [ 85.110178] ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [ 85.110973] >ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [ 85.111891] ^
>> [ 85.112353] ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [ 85.113036] ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>> [ 85.113800] ==================================================================
>>
>> Fixes: bb37d77239af "dm: introduce zone append emulation"
>> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
>>
>> diff --git a/drivers/md/dm.c b/drivers/md/dm.c
>> index dcbd6d201619..d472fe5dbc1d 100644
>> --- a/drivers/md/dm.c
>> +++ b/drivers/md/dm.c
>> @@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
>> md->dax_dev = NULL;
>> }
>>
>> + dm_cleanup_zoned_dev(md);
>> if (md->disk) {
>> spin_lock(&_minor_lock);
>> md->disk->private_data = NULL;
>> @@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
>> mutex_destroy(&md->swap_bios_lock);
>>
>> dm_mq_cleanup_mapped_device(md);
>> - dm_cleanup_zoned_dev(md);
>> }
>>
>> /*
>>
>
> The commit message format is strange (long lines).
> Apart from that, the fix looks good to me.
>
> Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
This is for reviewer convenience. The whole KASAN trace may be cut on commit if not needed.
* Re: [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-01 8:12 ` Kirill Tkhai
@ 2022-02-01 8:26 ` Damien Le Moal
2022-02-01 8:39 ` [dm-devel] [PATCH v2] " Kirill Tkhai
0 siblings, 1 reply; 13+ messages in thread
From: Damien Le Moal @ 2022-02-01 8:26 UTC (permalink / raw)
To: Kirill Tkhai, agk, snitzer, dm-devel
On 2022/02/01 17:12, Kirill Tkhai wrote:
> On 01.02.2022 02:37, Damien Le Moal wrote:
>> On 2022/02/01 1:21, Kirill Tkhai wrote:
>>> dm_cleanup_zoned_dev() uses queue, so it must be called before blk_cleanup_disk() starts its killing:
>>>
>>> blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
>>>
>>> Otherwise, RCU callback may be executed first, and dm_cleanup_zoned_dev() touches freed memory:
>>>
>>> [ 85.074005] BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
>>> [ 85.075448] Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
>>>
>>> [ 85.076102] CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
>>> [ 85.076570] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
>>> [ 85.077150] Call Trace:
>>> [ 85.077332] <TASK>
>>> [ 85.077478] dump_stack_lvl+0x57/0x7d
>>> [ 85.077763] print_address_description.constprop.0+0x1f/0x150
>>> [ 85.078229] ? dm_cleanup_zoned_dev+0x33/0xd0
>>> [ 85.078579] kasan_report.cold+0x7f/0x11b
>>> [ 85.078910] ? dm_cleanup_zoned_dev+0x33/0xd0
>>> [ 85.079219] dm_cleanup_zoned_dev+0x33/0xd0
>>> [ 85.079499] __dm_destroy+0x26a/0x400
>>> [ 85.079781] ? dm_blk_ioctl+0x230/0x230
>>> [ 85.080090] ? up_write+0xd8/0x270
>>> [ 85.080364] dev_remove+0x156/0x1d0
>>> [ 85.080639] ctl_ioctl+0x269/0x530
>>> [ 85.080910] ? table_clear+0x140/0x140
>>> [ 85.081209] ? lock_release+0xb2/0x750
>>> [ 85.081518] ? remove_all+0x40/0x40
>>> [ 85.081796] ? rcu_read_lock_sched_held+0x12/0x70
>>> [ 85.082166] ? lock_downgrade+0x3c0/0x3c0
>>> [ 85.082468] ? rcu_read_lock_sched_held+0x12/0x70
>>> [ 85.082833] dm_ctl_ioctl+0xa/0x10
>>> [ 85.083094] __x64_sys_ioctl+0xb9/0xf0
>>> [ 85.083350] do_syscall_64+0x3b/0x90
>>> [ 85.083595] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>> [ 85.083955] RIP: 0033:0x7fb6dfa95c27
>>> [ 85.084277] Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
>>> [ 85.086009] RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
>>> [ 85.086914] RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
>>> [ 85.087607] RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
>>> [ 85.088272] RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
>>> [ 85.088956] R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
>>> [ 85.089477] R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
>>> [ 85.090038] </TASK>
>>>
>>> [ 85.090348] Allocated by task 673:
>>> [ 85.090625] kasan_save_stack+0x1e/0x40
>>> [ 85.090978] __kasan_slab_alloc+0x66/0x80
>>> [ 85.091336] kmem_cache_alloc_node+0x1ca/0x460
>>> [ 85.091742] blk_alloc_queue+0x33/0x4e0
>>> [ 85.092112] __blk_alloc_disk+0x1b/0x60
>>> [ 85.092464] dm_create+0x368/0xa20
>>> [ 85.092764] dev_create+0xb9/0x170
>>> [ 85.093118] ctl_ioctl+0x269/0x530
>>> [ 85.093521] dm_ctl_ioctl+0xa/0x10
>>> [ 85.093921] __x64_sys_ioctl+0xb9/0xf0
>>> [ 85.094177] do_syscall_64+0x3b/0x90
>>> [ 85.094420] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>
>>> [ 85.094868] Freed by task 0:
>>> [ 85.095062] kasan_save_stack+0x1e/0x40
>>> [ 85.095319] kasan_set_track+0x21/0x30
>>> [ 85.095569] kasan_set_free_info+0x20/0x30
>>> [ 85.095858] __kasan_slab_free+0xfb/0x130
>>> [ 85.096141] slab_free_freelist_hook+0x7d/0x150
>>> [ 85.096502] kmem_cache_free+0x13c/0x340
>>> [ 85.096778] rcu_do_batch+0x2d9/0x820
>>> [ 85.097049] rcu_core+0x3b8/0x570
>>> [ 85.097330] __do_softirq+0x1c4/0x63d
>>>
>>> [ 85.097792] Last potentially related work creation:
>>> [ 85.098226] kasan_save_stack+0x1e/0x40
>>> [ 85.098549] __kasan_record_aux_stack+0x96/0xa0
>>> [ 85.098951] call_rcu+0xc4/0x8f0
>>> [ 85.099220] kobject_put+0xd9/0x270
>>> [ 85.099557] disk_release+0xee/0x120
>>> [ 85.099864] device_release+0x59/0xf0
>>> [ 85.100208] kobject_put+0xd9/0x270
>>> [ 85.100509] cleanup_mapped_device+0x12b/0x1b0
>>> [ 85.100910] __dm_destroy+0x26a/0x400
>>> [ 85.101247] dev_remove+0x156/0x1d0
>>> [ 85.101555] ctl_ioctl+0x269/0x530
>>> [ 85.101859] dm_ctl_ioctl+0xa/0x10
>>> [ 85.102198] __x64_sys_ioctl+0xb9/0xf0
>>> [ 85.102527] do_syscall_64+0x3b/0x90
>>> [ 85.102811] entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>
>>> [ 85.103347] The buggy address belongs to the object at ffff88805ac6e180
>>> which belongs to the cache request_queue of size 2992
>>> [ 85.104338] The buggy address is located 688 bytes inside of
>>> 2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
>>> [ 85.105255] The buggy address belongs to the page:
>>> [ 85.105633] page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
>>> [ 85.106363] head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
>>> [ 85.106948] flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
>>> [ 85.107494] raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
>>> [ 85.108091] raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
>>> [ 85.108695] page dumped because: kasan: bad access detected
>>>
>>> [ 85.109257] Memory state around the buggy address:
>>> [ 85.109625] ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> [ 85.110178] ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> [ 85.110973] >ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> [ 85.111891] ^
>>> [ 85.112353] ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> [ 85.113036] ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>>> [ 85.113800] ==================================================================
>>>
>>> Fixes: bb37d77239af "dm: introduce zone append emulation"
>>> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
>>>
>>> diff --git a/drivers/md/dm.c b/drivers/md/dm.c
>>> index dcbd6d201619..d472fe5dbc1d 100644
>>> --- a/drivers/md/dm.c
>>> +++ b/drivers/md/dm.c
>>> @@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
>>> md->dax_dev = NULL;
>>> }
>>>
>>> + dm_cleanup_zoned_dev(md);
>>> if (md->disk) {
>>> spin_lock(&_minor_lock);
>>> md->disk->private_data = NULL;
>>> @@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
>>> mutex_destroy(&md->swap_bios_lock);
>>>
>>> dm_mq_cleanup_mapped_device(md);
>>> - dm_cleanup_zoned_dev(md);
>>> }
>>>
>>> /*
>>>
>>
>> The commit message format is strange (long lines).
>> Apart from that, the fix looks good to me.
>>
>> Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
>
> This is for a reviewer convenience. All KASAN trace may be cut on commit if not needed.
My comment was about the commit message text you wrote at the beginning, not the
copy-paste of the kasan splat. The lines are too long.
--
Damien Le Moal
Western Digital Research
* [dm-devel] [PATCH v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-01 8:26 ` Damien Le Moal
@ 2022-02-01 8:39 ` Kirill Tkhai
2022-02-17 10:13 ` [dm-devel] " Kirill Tkhai
0 siblings, 1 reply; 13+ messages in thread
From: Kirill Tkhai @ 2022-02-01 8:39 UTC (permalink / raw)
To: Damien Le Moal, agk, snitzer, dm-devel
dm_cleanup_zoned_dev() uses the queue, so it must be called
before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, the RCU callback may be executed first,
and dm_cleanup_zoned_dev() touches freed memory:
BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0+0x1f/0x150
? dm_cleanup_zoned_dev+0x33/0xd0
kasan_report.cold+0x7f/0x11b
? dm_cleanup_zoned_dev+0x33/0xd0
dm_cleanup_zoned_dev+0x33/0xd0
__dm_destroy+0x26a/0x400
? dm_blk_ioctl+0x230/0x230
? up_write+0xd8/0x270
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
? table_clear+0x140/0x140
? lock_release+0xb2/0x750
? remove_all+0x40/0x40
? rcu_read_lock_sched_held+0x12/0x70
? lock_downgrade+0x3c0/0x3c0
? rcu_read_lock_sched_held+0x12/0x70
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27
Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
</TASK>
Allocated by task 673:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc_node+0x1ca/0x460
blk_alloc_queue+0x33/0x4e0
__blk_alloc_disk+0x1b/0x60
dm_create+0x368/0xa20
dev_create+0xb9/0x170
ctl_ioctl+0x269/0x530
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 0:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xfb/0x130
slab_free_freelist_hook+0x7d/0x150
kmem_cache_free+0x13c/0x340
rcu_do_batch+0x2d9/0x820
rcu_core+0x3b8/0x570
__do_softirq+0x1c4/0x63d
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x96/0xa0
call_rcu+0xc4/0x8f0
kobject_put+0xd9/0x270
disk_release+0xee/0x120
device_release+0x59/0xf0
kobject_put+0xd9/0x270
cleanup_mapped_device+0x12b/0x1b0
__dm_destroy+0x26a/0x400
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88805ac6e180
which belongs to the cache request_queue of size 2992
The buggy address is located 688 bytes inside of
2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
The buggy address belongs to the page:
page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: bb37d77239af ("dm: introduce zone append emulation")
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
---
v2: Split long commit message line and delete [xxx] time prefix from kernel output.
drivers/md/dm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index dcbd6d201619..d472fe5dbc1d 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
md->dax_dev = NULL;
}
+ dm_cleanup_zoned_dev(md);
if (md->disk) {
spin_lock(&_minor_lock);
md->disk->private_data = NULL;
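Review bot: the new `dm_cleanup_zoned_dev(md);` call is placed above the `if (md->disk)` guard rather than inside it, so it now runs even for a mapped_device whose disk and queue were never set up (the `md->dax_dev = NULL;` just above shows this function already copes with partially initialised state); confirm that dm_cleanup_zoned_dev() tolerates a NULL md->queue, or make the call the first statement inside the `if (md->disk)` block, which still keeps it ahead of the disk teardown.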
@@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
mutex_destroy(&md->swap_bios_lock);
dm_mq_cleanup_mapped_device(md);
- dm_cleanup_zoned_dev(md);
}
/*
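Review bot: with the call removed here, nothing left in cleanup_mapped_device() records the ordering constraint that motivated the move; add a one-line comment at the new call site, e.g. `/* must run before blk_cleanup_disk(): the queue is freed from an RCU callback */`, so a later reshuffle of this teardown does not reintroduce the use-after-free described in the commit message.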
--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel
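The ordering described in the commit message, as an added example that is not part of the patch or of the kernel: a user-space C model in which the RCU-deferred free of the request queue is a pending-callback list and a "freed" queue is poisoned with 0xfb bytes (the value KASAN prints for freed slab memory in the report above), so the old and the patched order of cleanup_mapped_device() can be compared without a sanitizer. Every identifier ending in `_model`, the callback list and the struct layouts are constructed for this example and are not the kernel's.

```c
/*
 * Added example (not kernel code, not part of the patch): a user-space model of
 * the teardown-ordering bug. The kernel's RCU-deferred free of the request
 * queue is modelled by a pending-callback list, and "freeing" the queue poisons
 * it with 0xfb bytes instead of releasing it, so that a late read is observable.
 * All names ending in _model are constructed for this example.
 */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define POISON 0xfbfbfbfbfbfbfbfbULL   /* freed-memory marker, mirrors KASAN's 'fb' shadow */

struct request_queue {
    uint64_t seq_zones_wlock;   /* stand-in for the per-queue zone state the zoned cleanup reads */
    uint64_t nr_zones;
};

struct mapped_device {
    struct request_queue *queue;
};

/* Minimal model of call_rcu(): callbacks run later, at a time the caller does not control. */
typedef void (*rcu_cb_t)(void *arg);
struct pending_cb { rcu_cb_t fn; void *arg; };
static struct pending_cb pending[8];
static int npending;

static void call_rcu_model(rcu_cb_t fn, void *arg)
{
    pending[npending++] = (struct pending_cb){ fn, arg };
}

static void rcu_run_pending_model(void)
{
    for (int i = 0; i < npending; i++)
        pending[i].fn(pending[i].arg);
    npending = 0;
}

/* Models blk_free_queue_rcu(): the memory is gone; here it is poisoned instead of released. */
static void free_queue_cb(void *arg)
{
    struct request_queue *q = arg;
    q->seq_zones_wlock = POISON;
    q->nr_zones = POISON;
}

/* Models blk_cleanup_disk(): drops the last reference; the queue is freed from an RCU callback. */
static void blk_cleanup_disk_model(struct mapped_device *md)
{
    call_rcu_model(free_queue_cb, md->queue);
}

/*
 * Models dm_cleanup_zoned_dev(): reads per-queue zone state. Returns true when the
 * read hit poisoned (already freed) memory, i.e. the use-after-free KASAN reported.
 */
static bool dm_cleanup_zoned_dev_model(struct mapped_device *md)
{
    struct request_queue *q = md->queue;
    if (!q)
        return false;                      /* tolerate a device whose queue was never set up */
    bool read_freed = (q->seq_zones_wlock == POISON);
    q->seq_zones_wlock = 0;                /* release the zone state */
    q->nr_zones = 0;
    return read_freed;
}

/*
 * Runs one teardown. `fixed` selects the patched order (zoned cleanup first);
 * `rcu_fires_early` makes the deferred free run right after blk_cleanup_disk(),
 * the interleaving that triggers the bug. Returns true if freed memory was read.
 */
static bool teardown_model(bool fixed, bool rcu_fires_early)
{
    struct request_queue q = { .seq_zones_wlock = 1, .nr_zones = 4 };
    struct mapped_device md = { .queue = &q };
    bool read_freed;

    if (fixed) {
        read_freed = dm_cleanup_zoned_dev_model(&md);  /* queue still alive */
        blk_cleanup_disk_model(&md);
        if (rcu_fires_early)
            rcu_run_pending_model();
    } else {
        blk_cleanup_disk_model(&md);
        if (rcu_fires_early)
            rcu_run_pending_model();                   /* queue already freed... */
        read_freed = dm_cleanup_zoned_dev_model(&md);  /* ...and then touched */
    }
    rcu_run_pending_model();   /* drain whatever has not run yet */
    return read_freed;
}

int main(void)
{
    printf("old order, RCU late : %s\n", teardown_model(false, false) ? "use-after-free" : "ok");
    printf("old order, RCU early: %s\n", teardown_model(false, true)  ? "use-after-free" : "ok");
    printf("new order, RCU early: %s\n", teardown_model(true, true)   ? "use-after-free" : "ok");
    return 0;
}
```

Only the run in which the deferred free fires before the zoned cleanup reads poisoned memory; with the old order the bug stays hidden whenever the callback happens to run late, which is why it can pass unnoticed in ordinary testing, while the patched order is correct under either interleaving.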
* [PATCH RESEND v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-01 8:39 ` [dm-devel] [PATCH v2] " Kirill Tkhai
@ 2022-02-17 10:13 ` Kirill Tkhai
0 siblings, 0 replies; 13+ messages in thread
From: Kirill Tkhai @ 2022-02-17 10:13 UTC (permalink / raw)
To: Damien Le Moal, agk, snitzer, dm-devel, linux-kernel
dm_cleanup_zoned_dev() uses the queue, so it must be called
before blk_cleanup_disk() starts its killing:
blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
Otherwise, the RCU callback may be executed first,
and dm_cleanup_zoned_dev() touches freed memory:
BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0x57/0x7d
print_address_description.constprop.0+0x1f/0x150
? dm_cleanup_zoned_dev+0x33/0xd0
kasan_report.cold+0x7f/0x11b
? dm_cleanup_zoned_dev+0x33/0xd0
dm_cleanup_zoned_dev+0x33/0xd0
__dm_destroy+0x26a/0x400
? dm_blk_ioctl+0x230/0x230
? up_write+0xd8/0x270
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
? table_clear+0x140/0x140
? lock_release+0xb2/0x750
? remove_all+0x40/0x40
? rcu_read_lock_sched_held+0x12/0x70
? lock_downgrade+0x3c0/0x3c0
? rcu_read_lock_sched_held+0x12/0x70
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27
Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
</TASK>
Allocated by task 673:
kasan_save_stack+0x1e/0x40
__kasan_slab_alloc+0x66/0x80
kmem_cache_alloc_node+0x1ca/0x460
blk_alloc_queue+0x33/0x4e0
__blk_alloc_disk+0x1b/0x60
dm_create+0x368/0xa20
dev_create+0xb9/0x170
ctl_ioctl+0x269/0x530
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
Freed by task 0:
kasan_save_stack+0x1e/0x40
kasan_set_track+0x21/0x30
kasan_set_free_info+0x20/0x30
__kasan_slab_free+0xfb/0x130
slab_free_freelist_hook+0x7d/0x150
kmem_cache_free+0x13c/0x340
rcu_do_batch+0x2d9/0x820
rcu_core+0x3b8/0x570
__do_softirq+0x1c4/0x63d
Last potentially related work creation:
kasan_save_stack+0x1e/0x40
__kasan_record_aux_stack+0x96/0xa0
call_rcu+0xc4/0x8f0
kobject_put+0xd9/0x270
disk_release+0xee/0x120
device_release+0x59/0xf0
kobject_put+0xd9/0x270
cleanup_mapped_device+0x12b/0x1b0
__dm_destroy+0x26a/0x400
dev_remove+0x156/0x1d0
ctl_ioctl+0x269/0x530
dm_ctl_ioctl+0xa/0x10
__x64_sys_ioctl+0xb9/0xf0
do_syscall_64+0x3b/0x90
entry_SYSCALL_64_after_hwframe+0x44/0xae
The buggy address belongs to the object at ffff88805ac6e180
which belongs to the cache request_queue of size 2992
The buggy address is located 688 bytes inside of
2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
The buggy address belongs to the page:
page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected
Memory state around the buggy address:
ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
^
ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================
Fixes: bb37d77239af "dm: introduce zone append emulation"
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
---
v2: Split long commit message line and delete [xxx] time prefix from kernel output.
drivers/md/dm.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/drivers/md/dm.c b/drivers/md/dm.c
index dcbd6d201619..d472fe5dbc1d 100644
--- a/drivers/md/dm.c
+++ b/drivers/md/dm.c
@@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
md->dax_dev = NULL;
}
+ dm_cleanup_zoned_dev(md);
if (md->disk) {
spin_lock(&_minor_lock);
md->disk->private_data = NULL;
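Review bot: the new `dm_cleanup_zoned_dev(md);` call is placed above the `if (md->disk)` guard rather than inside it, so it now runs even for a mapped_device whose disk and queue were never set up (the `md->dax_dev = NULL;` just above shows this function already copes with partially initialised state); confirm that dm_cleanup_zoned_dev() tolerates a NULL md->queue, or make the call the first statement inside the `if (md->disk)` block, which still keeps it ahead of the disk teardown.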
@@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
mutex_destroy(&md->swap_bios_lock);
dm_mq_cleanup_mapped_device(md);
- dm_cleanup_zoned_dev(md);
}
/*
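Review bot: with the call removed here, nothing left in cleanup_mapped_device() records the ordering constraint that motivated the move; add a one-line comment at the new call site, e.g. `/* must run before blk_cleanup_disk(): the queue is freed from an RCU callback */`, so a later reshuffle of this teardown does not reintroduce the use-after-free described in the commit message.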
* Re: [PATCH RESEND v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-17 10:13 ` [dm-devel] " Kirill Tkhai
@ 2022-02-17 10:49 ` Damien Le Moal
-1 siblings, 0 replies; 13+ messages in thread
From: Damien Le Moal @ 2022-02-17 10:49 UTC (permalink / raw)
To: Kirill Tkhai, agk, snitzer, dm-devel, linux-kernel
On 2/17/22 19:13, Kirill Tkhai wrote:
>
> dm_cleanup_zoned_dev() uses queue, so it must be called
> before blk_cleanup_disk() starts its killing:
>
> blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
> ->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
>
> Otherwise, RCU callback may be executed first,
> and dm_cleanup_zoned_dev() touches freed memory:
Mike,
Can you queue this please?
>
> BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
> Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681
>
> CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
> Call Trace:
> <TASK>
> dump_stack_lvl+0x57/0x7d
> print_address_description.constprop.0+0x1f/0x150
> ? dm_cleanup_zoned_dev+0x33/0xd0
> kasan_report.cold+0x7f/0x11b
> ? dm_cleanup_zoned_dev+0x33/0xd0
> dm_cleanup_zoned_dev+0x33/0xd0
> __dm_destroy+0x26a/0x400
> ? dm_blk_ioctl+0x230/0x230
> ? up_write+0xd8/0x270
> dev_remove+0x156/0x1d0
> ctl_ioctl+0x269/0x530
> ? table_clear+0x140/0x140
> ? lock_release+0xb2/0x750
> ? remove_all+0x40/0x40
> ? rcu_read_lock_sched_held+0x12/0x70
> ? lock_downgrade+0x3c0/0x3c0
> ? rcu_read_lock_sched_held+0x12/0x70
> dm_ctl_ioctl+0xa/0x10
> __x64_sys_ioctl+0xb9/0xf0
> do_syscall_64+0x3b/0x90
> entry_SYSCALL_64_after_hwframe+0x44/0xae
> RIP: 0033:0x7fb6dfa95c27
> Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
> RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
> RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
> RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
> R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
> R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2
> </TASK>
>
> Allocated by task 673:
> kasan_save_stack+0x1e/0x40
> __kasan_slab_alloc+0x66/0x80
> kmem_cache_alloc_node+0x1ca/0x460
> blk_alloc_queue+0x33/0x4e0
> __blk_alloc_disk+0x1b/0x60
> dm_create+0x368/0xa20
> dev_create+0xb9/0x170
> ctl_ioctl+0x269/0x530
> dm_ctl_ioctl+0xa/0x10
> __x64_sys_ioctl+0xb9/0xf0
> do_syscall_64+0x3b/0x90
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> Freed by task 0:
> kasan_save_stack+0x1e/0x40
> kasan_set_track+0x21/0x30
> kasan_set_free_info+0x20/0x30
> __kasan_slab_free+0xfb/0x130
> slab_free_freelist_hook+0x7d/0x150
> kmem_cache_free+0x13c/0x340
> rcu_do_batch+0x2d9/0x820
> rcu_core+0x3b8/0x570
> __do_softirq+0x1c4/0x63d
>
> Last potentially related work creation:
> kasan_save_stack+0x1e/0x40
> __kasan_record_aux_stack+0x96/0xa0
> call_rcu+0xc4/0x8f0
> kobject_put+0xd9/0x270
> disk_release+0xee/0x120
> device_release+0x59/0xf0
> kobject_put+0xd9/0x270
> cleanup_mapped_device+0x12b/0x1b0
> __dm_destroy+0x26a/0x400
> dev_remove+0x156/0x1d0
> ctl_ioctl+0x269/0x530
> dm_ctl_ioctl+0xa/0x10
> __x64_sys_ioctl+0xb9/0xf0
> do_syscall_64+0x3b/0x90
> entry_SYSCALL_64_after_hwframe+0x44/0xae
>
> The buggy address belongs to the object at ffff88805ac6e180
> which belongs to the cache request_queue of size 2992
> The buggy address is located 688 bytes inside of
> 2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
> The buggy address belongs to the page:
> page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
> head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
> flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
> raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
> raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
> page dumped because: kasan: bad access detected
>
> Memory state around the buggy address:
> ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> >ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ^
> ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
> ==================================================================
>
> Fixes: bb37d77239af "dm: introduce zone append emulation"
> Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
> Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
> ---
> v2: Split long commit message line and delete [xxx] time prefix from kernel output.
>
> drivers/md/dm.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/drivers/md/dm.c b/drivers/md/dm.c
> index dcbd6d201619..d472fe5dbc1d 100644
> --- a/drivers/md/dm.c
> +++ b/drivers/md/dm.c
> @@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md)
> md->dax_dev = NULL;
> }
>
> + dm_cleanup_zoned_dev(md);
> if (md->disk) {
> spin_lock(&_minor_lock);
> md->disk->private_data = NULL;
> @@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md)
> mutex_destroy(&md->swap_bios_lock);
>
> dm_mq_cleanup_mapped_device(md);
> - dm_cleanup_zoned_dev(md);
> }
>
> /*
>
--
Damien Le Moal
Western Digital Research
* Re: [PATCH RESEND v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-17 10:49 ` [dm-devel] " Damien Le Moal
@ 2022-02-23 3:02 ` Mike Snitzer
-1 siblings, 0 replies; 13+ messages in thread
From: Mike Snitzer @ 2022-02-23 3:02 UTC (permalink / raw)
To: Damien Le Moal; +Cc: Kirill Tkhai, agk, dm-devel, Linux Kernel Mailing List
On Thu, Feb 17, 2022 at 5:49 AM Damien Le Moal
<damien.lemoal@opensource.wdc.com> wrote:
>
> On 2/17/22 19:13, Kirill Tkhai wrote:
> >
> > dm_cleanup_zoned_dev() uses queue, so it must be called
> > before blk_cleanup_disk() starts its killing:
> >
> > blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
> > ->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
> >
> > Otherwise, RCU callback may be executed first,
> > and dm_cleanup_zoned_dev() touches freed memory:
>
> Mike,
>
> Can you queue this please ?
I queued it earlier today, please see:
https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=dm-5.18&id=588b7f5df0cb64f281290c7672470c006abe7160
Thanks,
Mike
* Re: [PATCH RESEND v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
2022-02-23 3:02 ` [dm-devel] " Mike Snitzer
@ 2022-02-23 3:19 ` Damien Le Moal
-1 siblings, 0 replies; 13+ messages in thread
From: Damien Le Moal @ 2022-02-23 3:19 UTC (permalink / raw)
To: Mike Snitzer; +Cc: Kirill Tkhai, agk, dm-devel, Linux Kernel Mailing List
On 2/23/22 12:02, Mike Snitzer wrote:
> On Thu, Feb 17, 2022 at 5:49 AM Damien Le Moal
> <damien.lemoal@opensource.wdc.com> wrote:
>>
>> On 2/17/22 19:13, Kirill Tkhai wrote:
>>>
>>> dm_cleanup_zoned_dev() uses queue, so it must be called
>>> before blk_cleanup_disk() starts its killing:
>>>
>>> blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
>>> ->...RCU...->blk_free_queue_rcu()->kmem_cache_free()
>>>
>>> Otherwise, RCU callback may be executed first,
>>> and dm_cleanup_zoned_dev() touches freed memory:
>>
>> Mike,
>>
>> Can you queue this please ?
>
> I queued it earlier today, please see:
> https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git/commit/?h=dm-5.18&id=588b7f5df0cb64f281290c7672470c006abe7160
>
> Thanks,
> Mike
Thanks!
--
Damien Le Moal
Western Digital Research
Thread overview: 13+ messages
2022-01-31 16:20 [dm-devel] dm: Fix use-after-free in dm_cleanup_zoned_dev() Kirill Tkhai
2022-01-31 23:37 ` Damien Le Moal
2022-02-01 8:12 ` Kirill Tkhai
2022-02-01 8:26 ` Damien Le Moal
2022-02-01 8:39 ` [dm-devel] [PATCH v2] " Kirill Tkhai
2022-02-17 10:13 ` [PATCH RESEND " Kirill Tkhai
2022-02-17 10:13 ` [dm-devel] " Kirill Tkhai
2022-02-17 10:49 ` Damien Le Moal
2022-02-17 10:49 ` [dm-devel] " Damien Le Moal
2022-02-23 3:02 ` Mike Snitzer
2022-02-23 3:02 ` [dm-devel] " Mike Snitzer
2022-02-23 3:19 ` Damien Le Moal
2022-02-23 3:19 ` [dm-devel] " Damien Le Moal