linux-block.vger.kernel.org archive mirror
From: John Garry <john.garry@huawei.com>
To: Ming Lei <ming.lei@redhat.com>
Cc: "axboe@kernel.dk" <axboe@kernel.dk>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	Christoph Hellwig <hch@infradead.org>
Subject: Re: [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8
Date: Wed, 19 Aug 2020 11:14:34 +0100	[thread overview]
Message-ID: <83de2368-a122-3b9c-db15-63ea442eecd9@huawei.com> (raw)
In-Reply-To: <20200819085843.GA2730150@T590>

On 19/08/2020 09:58, Ming Lei wrote:
>> ah, right. I vaguely remember this. Well, if we didn't have a reliable
>> reproducer before, we do now.
> OK, that is great, please try the following patch:
> 
> diff --git a/block/blk-mq-tag.c b/block/blk-mq-tag.c
> index 32d82e23b095..f18632c524e9 100644
> --- a/block/blk-mq-tag.c
> +++ b/block/blk-mq-tag.c
> @@ -185,19 +185,19 @@ static bool bt_iter(struct sbitmap *bitmap, unsigned int bitnr, void *data)
>   {
>   	struct bt_iter_data *iter_data = data;
>   	struct blk_mq_hw_ctx *hctx = iter_data->hctx;
> -	struct blk_mq_tags *tags = hctx->tags;
> +	struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
>   	bool reserved = iter_data->reserved;
>   	struct request *rq;
>   
>   	if (!reserved)
>   		bitnr += tags->nr_reserved_tags;
> -	rq = tags->rqs[bitnr];
> +	rq = tags->static_rqs[bitnr];
>   
>   	/*
>   	 * We can hit rq == NULL here, because the tagging functions
>   	 * test and set the bit before assigning ->rqs[].
>   	 */
> -	if (rq && rq->q == hctx->queue)
> +	if (rq && rq->tag >= 0 && rq->q == hctx->queue)
>   		return iter_data->fn(hctx, rq, iter_data->data, reserved);
>   	return true;
>   }
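Review bot: the comment kept just above the check ("We can hit rq == NULL here, because the tagging functions test and set the bit before assigning ->rqs[]") now describes the wrong array: the lookup below it reads `tags->static_rqs[bitnr]`, whose entries are populated when the tag set is allocated, not at tag-assignment time, so the stated reason for a NULL rq no longer matches the code. Rewrite the comment to say what the added `rq->tag >= 0` test is actually filtering, i.e. a request that holds a scheduler (internal) tag but has not yet been given a driver tag. Since `tags` may now be `hctx->sched_tags`, it is also worth stating in that comment that `bitnr` is interpreted relative to that tag set (the `bitnr += tags->nr_reserved_tags` adjustment uses the same set), so the caller must be walking the matching bitmap.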
> @@ -406,7 +406,7 @@ void blk_mq_queue_tag_busy_iter(struct request_queue *q, busy_iter_fn *fn,
>   		return;
>   
>   	queue_for_each_hw_ctx(q, hctx, i) {
> -		struct blk_mq_tags *tags = hctx->tags;
> +		struct blk_mq_tags *tags = hctx->sched_tags ?: hctx->tags;
>   
>   		/*
>   		 * If no software queues are currently mapped to this
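Review bot: the hunk is cut off in the quote after the first comment line, so the code that consumes this `tags` pointer is not visible here; the point to raise is that this `hctx->sched_tags ?: hctx->tags` selection must stay identical to the one bt_iter() makes, because bt_iter() indexes `tags->static_rqs[]` with a bit number taken from whatever bitmap this function iterates. Duplicating the `?:` expression in two places lets them silently diverge; a small helper that both call sites use (or at minimum a comment at each site naming the invariant) would make the coupling explicit. When a scheduler is attached this also changes what blk_mq_queue_tag_busy_iter() walks from driver tags to scheduler tags, with the `rq->tag >= 0` test in bt_iter() being what keeps callers from seeing requests without a driver tag; that behavioural dependency should be spelled out in the changelog.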

I gave it a quick try and it looks to silence KASAN. I'll try to test 
more over the next day or so.

BTW, I doubt KASAN is even right to complain about this. I'll check that 
thread you pointed me at to learn more about what was discussed on that.

Thanks,
John


Thread overview: 8+ messages
2020-08-18 12:03 [REPORT] BUG: KASAN: use-after-free in bt_iter+0x80/0xf8 John Garry
2020-08-18 18:19 ` John Garry
2020-08-19  0:00   ` Ming Lei
2020-08-19  7:43     ` John Garry
2020-08-19  8:58       ` Ming Lei
2020-08-19 10:14         ` John Garry [this message]
2020-08-19 14:21           ` Ming Lei
2020-08-19 16:48             ` John Garry
