From: Qian Cai <cai@lca.pw>
To: Eric Sandeen <sandeen@sandeen.net>, hch@lst.de
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, hare@suse.com,
bcrl@kvack.org, linux-aio@kvack.org,
Linux-MM <linux-mm@kvack.org>,
jthumshirn@suse.de, linux-fsdevel@vger.kernel.org,
Christoph Lameter <cl@linux.com>
Subject: Re: io_submit with slab free object overwritten
Date: Fri, 22 Feb 2019 17:06:56 -0500
Message-ID: <fb8add28-41da-da16-8b3d-7c7f4d4b0b8a@lca.pw>
In-Reply-To: <aeeed9ef-357e-4702-1e4b-ed85cab7ae34@sandeen.net>

On 2/22/19 4:58 PM, Eric Sandeen wrote:
> On 2/22/19 3:48 PM, Qian Cai wrote:
>>
>>
>> On 2/22/19 4:42 PM, Eric Sandeen wrote:
>>> On 2/22/19 3:07 PM, Qian Cai wrote:
>>>> Reverting the commit 75374d062756 ("fs: add an iopoll method to struct
>>>> file_operations") fixed the problem. Christoph mentioned that the field can be
>>>> calculated by the offset (40 bytes).
>>>
>>> I'm a little confused, you can't revert just that patch, right, because others
>>> in the iopoll series depend on it. Is the above commit really the culprit, or do
>>> you mean you backed out the whole series?
>>
>> No, I can revert that single commit on the top of linux-next (next-20190222)
>> just fine.
>
> Sorry for being pedantic, but this commit is still in your tree? How can this build
> with just 75374d062756 reverted?
>
> (I'm confused about how simply changing the size of the 2 structures via
> 75374d062756 could cause memory corruption, so trying to really understand
> what got tested...)
>
> commit 06eca8c02eb3e171dc5721ddca4218d41b09b3aa
> Author: Christoph Hellwig <hch@lst.de>
> Date: Fri Nov 30 08:31:52 2018 -0700
>
> block: wire up block device iopoll method
>
> Just call blk_poll on the iocb cookie, we can derive the block device
> from the inode trivially.
>
> Reviewed-by: Hannes Reinecke <hare@suse.com>
> Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
> Signed-off-by: Christoph Hellwig <hch@lst.de>
> Signed-off-by: Jens Axboe <axboe@kernel.dk>
>
> diff --git a/fs/block_dev.c b/fs/block_dev.c
> index 7758ade..d1277a1 100644
> --- a/fs/block_dev.c
> +++ b/fs/block_dev.c
> @@ -294,6 +294,14 @@ struct blkdev_dio {
>
> static struct bio_set blkdev_dio_pool;
>
> +static int blkdev_iopoll(struct kiocb *kiocb, bool wait)
> +{
> + struct block_device *bdev = I_BDEV(kiocb->ki_filp->f_mapping->host);
> + struct request_queue *q = bdev_get_queue(bdev);
> +
> + return blk_poll(q, READ_ONCE(kiocb->ki_cookie), wait);
> +}
> +
> static void blkdev_bio_end_io(struct bio *bio)
> {
> struct blkdev_dio *dio = bio->bi_private;
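
Review bot: blkdev_iopoll() passes whatever is currently in kiocb->ki_cookie to blk_poll(), and the only store to that field in this patch is the WRITE_ONCE() after submit_bio() in __blkdev_direct_IO(), so a poll that runs before that store sees a cookie this patch never set. Please document, or initialize at iocb setup, the value the field holds before submission, and confirm that blk_poll() treats that value as nothing to poll. A one-line comment above the function saying that the queue is derived from the file's mapping host would also help readers.
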
> @@ -412,6 +420,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
> bio->bi_opf |= REQ_HIPRI;
>
> qc = submit_bio(bio);
> + WRITE_ONCE(iocb->ki_cookie, qc);
> break;
> }
>
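
Review bot: the WRITE_ONCE(iocb->ki_cookie, qc) runs after submit_bio(bio) has returned, and nothing in this hunk keeps the iocb alive across that call. If the bio can complete and the completion path release the iocb before the store executes, this is a write into a freed object, which would be consistent with the slab free-object overwrite in this thread disappearing when this commit is reverted. Please either show what pins the iocb at this point or record the cookie in a way that does not touch the iocb after submission.
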
> @@ -2078,6 +2087,7 @@ const struct file_operations def_blk_fops = {
> .llseek = block_llseek,
> .read_iter = blkdev_read_iter,
> .write_iter = blkdev_write_iter,
> + .iopoll = blkdev_iopoll,
> .mmap = generic_file_mmap,
> .fsync = blkdev_fsync,
> .unlocked_ioctl = block_ioctl,
>

Sorry, I had a copy-and-paste error here while looking at the surrounding
commits. I meant,

Reverting 06eca8c02eb3 (block: wire up block device iopoll method) fixed the problem.