Re: io_submit with slab free object overwritten

From: Eric Sandeen <sandeen@sandeen.net>
To: Qian Cai <cai@lca.pw>, hch@lst.de
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, hare@suse.com,
	bcrl@kvack.org, linux-aio@kvack.org,
	Linux-MM <linux-mm@kvack.org>,
	jthumshirn@suse.de, linux-fsdevel@vger.kernel.org,
	Christoph Lameter <cl@linux.com>
Subject: Re: io_submit with slab free object overwritten
Date: Fri, 22 Feb 2019 15:58:02 -0600	[thread overview]
Message-ID: <aeeed9ef-357e-4702-1e4b-ed85cab7ae34@sandeen.net> (raw)
In-Reply-To: <e2fdd737-2a48-ecea-10b8-f90d6866df34@lca.pw>

On 2/22/19 3:48 PM, Qian Cai wrote:
> 
> 
> On 2/22/19 4:42 PM, Eric Sandeen wrote:
>> On 2/22/19 3:07 PM, Qian Cai wrote:
>>> Reverted the commit 75374d062756 ("fs: add an iopoll method to struct
>>> file_operations") fixed the problem. Christoph mentioned that the field can be
>>> calculated by the offset (40 bytes).
>>
>> I'm a little confused, you can't revert just that patch, right, because others
>> in the iopoll series depend on it.  Is the above commit really the culprit, or do
>> you mean you backed out the whole series?
> 
> No, I can revert that single commit on the top of linux-next (next-20190222)
> just fine.

Sorry for being pedantic, but this commit is still in your tree?  How can this build
with just 75374d062756 reverted?

(I'm confused about how simply changing the size of the 2 structures via
75374d062756 could cause memory corruption, so trying to really understand
what got tested...)

commit 06eca8c02eb3e171dc5721ddca4218d41b09b3aa
Author: Christoph Hellwig <hch@lst.de>
Date:   Fri Nov 30 08:31:52 2018 -0700

    block: wire up block device iopoll method
    
    Just call blk_poll on the iocb cookie, we can derive the block device
    from the inode trivially.
    
    Reviewed-by: Hannes Reinecke <hare@suse.com>
    Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
    Signed-off-by: Christoph Hellwig <hch@lst.de>
    Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/fs/block_dev.c b/fs/block_dev.c
index 7758ade..d1277a1 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -294,6 +294,14 @@ struct blkdev_dio {
 
 static struct bio_set blkdev_dio_pool;
 
+static int blkdev_iopoll(struct kiocb *kiocb, bool wait)
+{
+       struct block_device *bdev = I_BDEV(kiocb->ki_filp->f_mapping->host);
+       struct request_queue *q = bdev_get_queue(bdev);
+
+       return blk_poll(q, READ_ONCE(kiocb->ki_cookie), wait);
+}
+
 static void blkdev_bio_end_io(struct bio *bio)
 {
        struct blkdev_dio *dio = bio->bi_private;
@@ -412,6 +420,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
                                bio->bi_opf |= REQ_HIPRI;
 
                        qc = submit_bio(bio);
+                       WRITE_ONCE(iocb->ki_cookie, qc);
                        break;
                }
 
@@ -2078,6 +2087,7 @@ const struct file_operations def_blk_fops = {
        .llseek         = block_llseek,
        .read_iter      = blkdev_read_iter,
        .write_iter     = blkdev_write_iter,
+       .iopoll         = blkdev_iopoll,
        .mmap           = generic_file_mmap,
        .fsync          = blkdev_fsync,
        .unlocked_ioctl = block_ioctl,

