* paride/pf.c: blk-mq use-after-free (kernel v5.0)
@ 2019-03-12  1:25 Randy Dunlap
  2019-03-12  1:34 ` Randy Dunlap
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-12  1:25 UTC (permalink / raw)
  To: linux-block, axboe; +Cc: LKML, Tim Waugh, linux-parport

[Has this already been addressed/fixed?]


[ 1688.055696] calling  pf_init+0x0/0x1000 [pf] @ 8572
[ 1688.058871] pf: pf version 1.04, major 47, cluster 64, nice 0
[ 1688.064381] pf: No ATAPI disk detected
[ 1688.064783] initcall pf_init+0x0/0x1000 [pf] returned -19 after 8827 usecs
[ 1688.322562] calling  pf_init+0x0/0x1000 [pf] @ 8582
[ 1688.323566] ==================================================================
[ 1688.323621] BUG: KASAN: use-after-free in __cpuhp_state_add_instance_cpuslocked+0x33f/0x430
[ 1688.323669] Write of size 8 at addr ffff888117051810 by task modprobe/8582

[ 1688.323729] CPU: 3 PID: 8582 Comm: modprobe Not tainted 5.0.0mod #2
[ 1688.323767] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10   01/08/2013
[ 1688.323812] Call Trace:
[ 1688.323840]  dump_stack+0x7b/0xb5
[ 1688.323874]  print_address_description+0x6e/0x360
[ 1688.323916]  kasan_report+0x11a/0x198
[ 1688.323948]  ? __cpuhp_state_add_instance_cpuslocked+0x33f/0x430
[ 1688.323993]  ? __cpuhp_state_add_instance_cpuslocked+0x33f/0x430
[ 1688.324035]  __asan_report_store8_noabort+0x17/0x20
[ 1688.324070]  __cpuhp_state_add_instance_cpuslocked+0x33f/0x430
[ 1688.324108]  ? blk_mq_realloc_hw_ctxs+0x409/0xfb0
[ 1688.324142]  ? __might_sleep+0xa1/0x1b0
[ 1688.324178]  ? lockdep_init_map+0x115/0x5e0
[ 1688.324215]  __cpuhp_state_add_instance+0x78/0xf0
[ 1688.324249]  blk_mq_realloc_hw_ctxs+0x409/0xfb0
[ 1688.324279]  ? kasan_unpoison_shadow+0x35/0x50
[ 1688.324311]  ? __kasan_kmalloc.constprop.8+0xa7/0xd0
[ 1688.324362]  blk_mq_init_allocated_queue+0x404/0x1a00
[ 1688.324395]  ? blk_throtl_init+0x431/0x620
[ 1688.324430]  ? blkcg_init_queue+0x102/0x190
[ 1688.324475]  blk_mq_init_queue+0x56/0x80
[ 1688.324507]  blk_mq_init_sq_queue+0x144/0x1a0
[ 1688.324547]  pf_init+0x9f/0x1000 [pf]
[ 1688.324575]  ? 0xffffffffc0a48000
[ 1688.324605]  ? ktime_get+0xba/0x160
[ 1688.324634]  ? 0xffffffffc0a48000
[ 1688.324662]  do_one_initcall+0xab/0x2ad
[ 1688.324692]  ? initcall_blacklisted+0x190/0x190
[ 1688.324723]  ? kasan_unpoison_shadow+0x35/0x50
[ 1688.324759]  ? kasan_unpoison_shadow+0x35/0x50
[ 1688.324788]  ? kasan_unpoison_shadow+0x35/0x50
[ 1688.324819]  ? kasan_poison_shadow+0x2f/0x40
[ 1688.324849]  ? __asan_register_globals+0x5a/0x70
[ 1688.324888]  do_init_module+0x1c7/0x548
[ 1688.324926]  load_module+0x445d/0x5de0
[ 1688.324999]  ? layout_and_allocate+0x2d00/0x2d00
[ 1688.325035]  ? kernel_read+0x90/0x130
[ 1688.325074]  ? kasan_check_write+0x14/0x20
[ 1688.325105]  ? kernel_read_file+0x24a/0x640
[ 1688.325179]  __do_sys_finit_module+0x193/0x1b0
[ 1688.325209]  ? __do_sys_finit_module+0x193/0x1b0
[ 1688.325242]  ? __ia32_sys_init_module+0xa0/0xa0
[ 1688.325275]  ? vfs_statx_fd+0x45/0x80
[ 1688.325306]  ? kasan_check_write+0x14/0x20
[ 1688.325335]  ? fput+0x18/0x130
[ 1688.325363]  ? ksys_mmap_pgoff+0x3d9/0xb50
[ 1688.325416]  __x64_sys_finit_module+0x6e/0xb0
[ 1688.325442]  ? __x64_sys_newfstat+0x4f/0x70
[ 1688.325469]  do_syscall_64+0xaa/0x310
[ 1688.325501]  ? prepare_exit_to_usermode+0x8b/0x150
[ 1688.325536]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1688.325567] RIP: 0033:0x7f17f52bd129
[ 1688.325595] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 0d 2c 00 f7 d8 64 89 01 48
[ 1688.325679] RSP: 002b:00007fff2e723e38 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1688.325718] RAX: ffffffffffffffda RBX: 00005565f67c0b10 RCX: 00007f17f52bd129
[ 1688.325740] RDX: 0000000000000000 RSI: 00005565f65ae548 RDI: 0000000000000003
[ 1688.325762] RBP: 00005565f65ae548 R08: 0000000000000000 R09: 00005565f67c0400
[ 1688.325783] R10: 0000000000000003 R11: 0000000000000246 R12: 0000000000040000
[ 1688.325805] R13: 00005565f67c0c40 R14: 0000000000000000 R15: 00005565f67c0b10

[ 1688.325848] Allocated by task 8572:
[ 1688.325864]  save_stack+0x43/0xd0
[ 1688.325879]  __kasan_kmalloc.constprop.8+0xa7/0xd0
[ 1688.325896]  kasan_kmalloc+0x9/0x10
[ 1688.325912]  blk_mq_realloc_hw_ctxs+0x18b/0xfb0
[ 1688.325929]  blk_mq_init_allocated_queue+0x404/0x1a00
[ 1688.325948]  blk_mq_init_queue+0x56/0x80
[ 1688.325964]  blk_mq_init_sq_queue+0x144/0x1a0
[ 1688.325983]  pf_init+0x9f/0x1000 [pf]
[ 1688.325998]  do_one_initcall+0xab/0x2ad
[ 1688.326013]  do_init_module+0x1c7/0x548
[ 1688.326028]  load_module+0x445d/0x5de0
[ 1688.326043]  __do_sys_finit_module+0x193/0x1b0
[ 1688.326059]  __x64_sys_finit_module+0x6e/0xb0
[ 1688.326075]  do_syscall_64+0xaa/0x310
[ 1688.326097]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

[ 1688.326142] Freed by task 2217:
[ 1688.326160]  save_stack+0x43/0xd0
[ 1688.326174]  __kasan_slab_free+0x137/0x190
[ 1688.326191]  kasan_slab_free+0xe/0x10
[ 1688.326206]  kfree+0xb0/0x1b0
[ 1688.326220]  blk_mq_hw_sysfs_release+0x6f/0x90
[ 1688.326237]  kobject_put+0x153/0x420
[ 1688.326252]  blk_mq_release+0xbc/0x160
[ 1688.326267]  __blk_release_queue+0x178/0x320
[ 1688.326284]  process_one_work+0x9fb/0x1710
[ 1688.326299]  worker_thread+0x85/0xee0
[ 1688.326315]  kthread+0x349/0x410
[ 1688.326329]  ret_from_fork+0x35/0x40

[ 1688.326353] The buggy address belongs to the object at ffff888117051588
                which belongs to the cache kmalloc-1k of size 1024
[ 1688.326388] The buggy address is located 648 bytes inside of
                1024-byte region [ffff888117051588, ffff888117051988)
[ 1688.326421] The buggy address belongs to the page:
[ 1688.326439] page:ffffea00045c1400 count:1 mapcount:0 mapping:ffff888107c16940 index:0x0 compound_mapcount: 0
[ 1688.326469] flags: 0x17ffffc0010200(slab|head)
[ 1688.326488] raw: 0017ffffc0010200 ffffea0004502408 ffffea00042c6408 ffff888107c16940
[ 1688.326512] raw: 0000000000000000 0000000000170017 00000001ffffffff 0000000000000000
[ 1688.326535] page dumped because: kasan: bad access detected

[ 1688.326562] Memory state around the buggy address:
[ 1688.326579]  ffff888117051700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1688.326602]  ffff888117051780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1688.326624] >ffff888117051800: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1688.326646]                          ^
[ 1688.326660]  ffff888117051880: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1688.326684]  ffff888117051900: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 1688.326705] ==================================================================
[ 1688.326726] Disabling lock debugging due to kernel taint
[ 1688.328731] pf: pf version 1.04, major 47, cluster 64, nice 0
[ 1688.336493] pf: No ATAPI disk detected
[ 1688.336730] initcall pf_init+0x0/0x1000 [pf] returned -19 after 13791 usecs

-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-12  1:25 paride/pf.c: blk-mq use-after-free (kernel v5.0) Randy Dunlap
@ 2019-03-12  1:34 ` Randy Dunlap
  2019-03-13 23:09   ` Randy Dunlap
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-12  1:34 UTC (permalink / raw)
  To: linux-block, axboe; +Cc: LKML, Tim Waugh, linux-parport

On 3/11/19 6:25 PM, Randy Dunlap wrote:
> [Has this already been addressed/fixed?]
> 

Same bug occurs with paride/pcd.c driver.



-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-12  1:34 ` Randy Dunlap
@ 2019-03-13 23:09   ` Randy Dunlap
  2019-03-14 23:43     ` Jens Axboe
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-13 23:09 UTC (permalink / raw)
  To: linux-block, axboe; +Cc: LKML, Tim Waugh, linux-parport

On 3/11/19 6:34 PM, Randy Dunlap wrote:
> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>> [Has this already been addressed/fixed?]
> 
> Same bug occurs with paride/pcd.c driver.

This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
around 4pm PT.  [caused by paride: pf.c and pcd.c]




-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-13 23:09   ` Randy Dunlap
@ 2019-03-14 23:43     ` Jens Axboe
  2019-03-14 23:49       ` Randy Dunlap
  0 siblings, 1 reply; 10+ messages in thread
From: Jens Axboe @ 2019-03-14 23:43 UTC (permalink / raw)
  To: Randy Dunlap, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/13/19 5:09 PM, Randy Dunlap wrote:
> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>> [Has this already been addressed/fixed?]
>>
>> Same bug occurs with paride/pcd.c driver.
> 
> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
> around 4pm PT.  [caused by paride: pf.c and pcd.c]

I'll take a look at this, been busy with other stuff. How are you
reproducing this? I'm assuming you don't actually have any hardware :-)

-- 
Jens Axboe



* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-14 23:43     ` Jens Axboe
@ 2019-03-14 23:49       ` Randy Dunlap
  2019-03-15 16:33         ` Jens Axboe
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-14 23:49 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/14/19 4:43 PM, Jens Axboe wrote:
> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>> [Has this already been addressed/fixed?]
>>>
>>> Same bug occurs with paride/pcd.c driver.
>>
>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
> 
> I'll take a look at this, been busy with other stuff. How are you
> reproducing this? I'm assuming you don't actually have any hardware :-)

Right.  I just load the module (pf or pcd), unload it, and
then load it again.

-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-14 23:49       ` Randy Dunlap
@ 2019-03-15 16:33         ` Jens Axboe
  2019-03-16  0:32           ` Randy Dunlap
  0 siblings, 1 reply; 10+ messages in thread
From: Jens Axboe @ 2019-03-15 16:33 UTC (permalink / raw)
  To: Randy Dunlap, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/14/19 5:49 PM, Randy Dunlap wrote:
> On 3/14/19 4:43 PM, Jens Axboe wrote:
>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>> [Has this already been addressed/fixed?]
>>>>
>>>> Same bug occurs with paride/pcd.c driver.
>>>
>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
>>
>> I'll take a look at this, been busy with other stuff. How are you
>> reproducing this? I'm assuming you don't actually have any hardware :-)
> 
> Right.  I just load the module (pf or pcd), unload it, and
> then load it again.

Does this work?


diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
index 96670eefaeb2..4681ddef5666 100644
--- a/drivers/block/paride/pcd.c
+++ b/drivers/block/paride/pcd.c
@@ -749,8 +749,11 @@ static int pcd_detect(void)
 		return 0;
 
 	printk("%s: No CD-ROM drive found\n", name);
-	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
+	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+		blk_cleanup_queue(cd->disk->queue);
+		blk_mq_free_tag_set(&cd->tag_set);
 		put_disk(cd->disk);
+	}
 	pi_unregister_driver(par_drv);
 	return -1;
 }
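Review bot: the teardown order in the loop drops the queue reference twice. blk_cleanup_queue(cd->disk->queue) releases the reference blk_mq_init_sq_queue() handed the driver, and put_disk(cd->disk) then reaches disk_release(), which calls blk_put_queue() on the same cd->disk->queue pointer; on a queue already at zero that is a refcount underflow rather than a free. Suggest clearing the pointer between the two calls, i.e. `cd->disk->queue = NULL;` right after `blk_cleanup_queue(cd->disk->queue);`, so disk_release() skips its put.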
diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
index e92e7a8eeeb2..d27f375bb55a 100644
--- a/drivers/block/paride/pf.c
+++ b/drivers/block/paride/pf.c
@@ -761,8 +761,11 @@ static int pf_detect(void)
 		return 0;
 
 	printk("%s: No ATAPI disk detected\n", name);
-	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
+	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
+		blk_cleanup_queue(pf->disk->queue);
+		blk_mq_free_tag_set(&pf->tag_set);
 		put_disk(pf->disk);
+	}
 	pi_unregister_driver(par_drv);
 	return -1;
 }
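Review bot: same double put as in the pcd hunk: blk_cleanup_queue(pf->disk->queue) followed by put_disk(pf->disk) drops the queue reference twice, and the refcount_t underflow Randy reports further down (put_disk -> disk_release -> blk_put_queue, called from pf_init) is exactly that second drop. Suggest `pf->disk->queue = NULL;` after the blk_cleanup_queue() call; if the module exit path runs the same per-unit sequence, a shared helper would keep the two in step.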

-- 
Jens Axboe



* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-15 16:33         ` Jens Axboe
@ 2019-03-16  0:32           ` Randy Dunlap
  2019-03-16 19:31             ` Jens Axboe
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-16  0:32 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/15/19 9:33 AM, Jens Axboe wrote:
> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>> [Has this already been addressed/fixed?]
>>>>>
>>>>> Same bug occurs with paride/pcd.c driver.
>>>>
>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
>>>
>>> I'll take a look at this, been busy with other stuff. How are you
>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>
>> Right.  I just load the module (pf or pcd), unload it, and
>> then load it again.
> 
> Does this work?
> 

No.  Just loading the pf module gives this:

[ 1787.318420] calling  pf_init+0x0/0x1000 [pf] @ 2889
[ 1787.321872] pf: pf version 1.04, major 47, cluster 64, nice 0
[ 1787.328702] pf: No ATAPI disk detected
[ 1787.329211] ------------[ cut here ]------------
[ 1787.329245] refcount_t: underflow; use-after-free.
[ 1787.329302] WARNING: CPU: 2 PID: 2889 at ../lib/refcount.c:190 refcount_sub_and_test_checked+0x15d/0x190
[ 1787.329359] Modules linked in: pf(+) paride ppdev parport_pc parport ctr ccm af_packet xt_tcpudp ip6t_rpfilter ip6t_REJECT nf_reject_ipv6 ipt_REJECT nf_reject_ipv4 xt_conntrack ip_set nfnetlink ebtable_nat ebtable_broute bridge stp llc ip6table_nat ip6table_mangle ip6table_raw ip6table_security iptable_nat nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 iptable_mangle iptable_raw iptable_security ebtable_filter ebtables ip6table_filter ip6_tables iptable_filter ip_tables x_tables bpfilter btrfs uvcvideo videobuf2_vmalloc videobuf2_memops msr videobuf2_v4l2 videobuf2_common xor videodev zstd_compress hid_generic media usbmouse raid6_pq usbkbd libcrc32c usbhid mei_hdcp zstd_decompress hid coretemp iTCO_wdt hwmon intel_rapl iTCO_vendor_support x86_pkg_temp_thermal intel_powerclamp kvm_intel snd_hda_codec_hdmi kvm arc4 iwldvm snd_hda_codec_realtek irqbypass snd_hda_codec_generic ledtrig_audio crct10dif_pclmul mac80211 crc32_pclmul crc32c_intel snd_hda_intel ghash_clmulni_intel snd_hda_codec
[ 1787.329462]  snd_hda_core aesni_intel aes_x86_64 sdhci_pci crypto_simd iwlwifi snd_hwdep cryptd glue_helper snd_pcm toshiba_acpi cqhci sparse_keymap sdhci snd_timer intel_cstate uio_pdrv_genirq wmi intel_uncore cfg80211 uio mmc_core e1000e joydev sr_mod snd intel_rapl_perf input_leds mei_me mousedev pcspkr led_class cdrom mei serio_raw industrialio soundcore rfkill lpc_ich thermal pcc_cpufreq rtc_cmos evdev mac_hid toshiba_haps battery ac sg dm_multipath dm_mod scsi_dh_rdac scsi_dh_emc scsi_dh_alua autofs4
[ 1787.330126] CPU: 2 PID: 2889 Comm: modprobe Not tainted 5.0.0mod #1
[ 1787.330161] Hardware name: TOSHIBA PORTEGE R835/Portable PC, BIOS Version 4.10   01/08/2013
[ 1787.330209] RIP: 0010:refcount_sub_and_test_checked+0x15d/0x190
[ 1787.330246] Code: 74 86 0f b6 1d 3d d5 05 03 80 fb 01 77 2f 83 e3 01 74 04 31 c9 eb 9e 48 c7 c7 c0 c9 7c 8c c6 05 21 d5 05 03 01 e8 b3 04 4d ff <0f> 0b 31 c9 eb 85 48 89 df e8 15 95 a0 ff e9 27 ff ff ff 0f b6 f3
[ 1787.330336] RSP: 0018:ffff88810c4ff718 EFLAGS: 00010282
[ 1787.330370] RAX: dffffc0000000008 RBX: 0000000000000000 RCX: ffffffff8a450275
[ 1787.330410] RDX: 0000000000000000 RSI: 0000000000000008 RDI: ffff88811f3df790
[ 1787.330451] RBP: ffff88810c4ff7a8 R08: ffffed1023e7bef3 R09: ffffed1023e7bef3
[ 1787.330491] R10: 0000000000000001 R11: ffffed1023e7bef2 R12: 0000000000000001
[ 1787.330531] R13: ffff88810c4ff780 R14: dffffc0000000000 R15: 00000000ffffffff
[ 1787.330571] FS:  00007f77083bdb80(0000) GS:ffff88811f200000(0000) knlGS:0000000000000000
[ 1787.330615] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 1787.330658] CR2: 00007f28306a3ed4 CR3: 000000010bb3a005 CR4: 00000000000606e0
[ 1787.330707] Call Trace:
[ 1787.330733]  ? refcount_inc_checked+0x50/0x50
[ 1787.330768]  ? do_raw_spin_unlock+0x54/0x220
[ 1787.330810]  refcount_dec_and_test_checked+0x11/0x20
[ 1787.330844]  kobject_put+0x55/0x420
[ 1787.330876]  blk_put_queue+0x10/0x20
[ 1787.330904]  disk_release+0x20c/0x290
[ 1787.330936]  device_release+0x74/0x1d0
[ 1787.330968]  kobject_put+0x153/0x420
[ 1787.331000]  put_disk+0x15/0x20
[ 1787.331032]  pf_init+0x946/0x1000 [pf]
[ 1787.331061]  ? 0xffffffffc1d28000
[ 1787.331094]  ? 0xffffffffc1d28000
[ 1787.331123]  do_one_initcall+0xab/0x2ad
[ 1787.331154]  ? initcall_blacklisted+0x190/0x190
[ 1787.331187]  ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331225]  ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331255]  ? kasan_unpoison_shadow+0x35/0x50
[ 1787.331287]  ? kasan_poison_shadow+0x2f/0x40
[ 1787.331317]  ? __asan_register_globals+0x5a/0x70
[ 1787.331357]  do_init_module+0x1c7/0x548
[ 1787.331394]  load_module+0x46bb/0x5da0
[ 1787.331466]  ? layout_and_allocate+0x2d00/0x2d00
[ 1787.331505]  ? kernel_read+0x90/0x130
[ 1787.331535]  ? kasan_check_write+0x14/0x20
[ 1787.331565]  ? kernel_read_file+0x247/0x630
[ 1787.331640]  __do_sys_finit_module+0x193/0x1b0
[ 1787.331673]  ? __do_sys_finit_module+0x193/0x1b0
[ 1787.331713]  ? __ia32_sys_init_module+0xa0/0xa0
[ 1787.331746]  ? vfs_statx_fd+0x45/0x80
[ 1787.331775]  ? kasan_check_write+0x14/0x20
[ 1787.331804]  ? fput_many+0x1b/0x130
[ 1787.331833]  ? fput+0xe/0x10
[ 1787.331858]  ? ksys_mmap_pgoff+0x3d9/0xb50
[ 1787.331912]  __x64_sys_finit_module+0x6e/0xb0
[ 1787.331943]  ? __x64_sys_newfstat+0x4f/0x70
[ 1787.331975]  do_syscall_64+0xaa/0x310
[ 1787.332002]  ? prepare_exit_to_usermode+0x8b/0x150
[ 1787.332038]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[ 1787.332071] RIP: 0033:0x7f7707aa6129
[ 1787.332098] Code: 00 f3 c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 3f 0d 2c 00 f7 d8 64 89 01 48
[ 1787.332188] RSP: 002b:00007ffff0b922a8 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[ 1787.332233] RAX: ffffffffffffffda RBX: 000055e0b8f46b10 RCX: 00007f7707aa6129
[ 1787.332273] RDX: 0000000000000000 RSI: 000055e0b8d34548 RDI: 0000000000000004
[ 1787.332314] RBP: 000055e0b8d34548 R08: 0000000000000000 R09: 000055e0b8f46400
[ 1787.332354] R10: 0000000000000004 R11: 0000000000000246 R12: 0000000000040000
[ 1787.332394] R13: 000055e0b8f46c40 R14: 0000000000000000 R15: 000055e0b8f46b10
[ 1787.332454] ---[ end trace 25a30d991b83572f ]---
[ 1787.333319] initcall pf_init+0x0/0x1000 [pf] returned -19 after 14500 usecs


> 
> diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
> index 96670eefaeb2..4681ddef5666 100644
> --- a/drivers/block/paride/pcd.c
> +++ b/drivers/block/paride/pcd.c
> @@ -749,8 +749,11 @@ static int pcd_detect(void)
>  		return 0;
>  
>  	printk("%s: No CD-ROM drive found\n", name);
> -	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
> +	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
> +		blk_cleanup_queue(cd->disk->queue);
> +		blk_mq_free_tag_set(&cd->tag_set);
>  		put_disk(cd->disk);
> +	}
>  	pi_unregister_driver(par_drv);
>  	return -1;
>  }
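Review bot: put_disk() at the end of this loop still runs disk_release() with cd->disk->queue pointing at the queue that blk_cleanup_queue() has just torn down, and disk_release() drops a queue reference of its own; for a disk that was never added that reference does not exist, which is the path the pf trace above shows (put_disk -> disk_release -> blk_put_queue -> refcount_dec_and_test_checked). Clear the pointer before the put, i.e. add `cd->disk->queue = NULL;` between blk_cleanup_queue() and put_disk().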
> diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
> index e92e7a8eeeb2..d27f375bb55a 100644
> --- a/drivers/block/paride/pf.c
> +++ b/drivers/block/paride/pf.c
> @@ -761,8 +761,11 @@ static int pf_detect(void)
>  		return 0;
>  
>  	printk("%s: No ATAPI disk detected\n", name);
> -	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
> +	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
> +		blk_cleanup_queue(pf->disk->queue);
> +		blk_mq_free_tag_set(&pf->tag_set);
>  		put_disk(pf->disk);
> +	}
>  	pi_unregister_driver(par_drv);
>  	return -1;
>  }
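Review bot: same problem as in pcd_detect(): the trace at the top of this message is exactly this loop (pf_init -> put_disk -> disk_release -> blk_put_queue) tripping the refcount check on the queue that blk_cleanup_queue() already released, so `pf->disk->queue = NULL;` is needed before put_disk(). The order blk_cleanup_queue() first, blk_mq_free_tag_set() second is correct and should be kept: the queue is torn down against a tag set that must still exist at that point.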
> 


-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-16  0:32           ` Randy Dunlap
@ 2019-03-16 19:31             ` Jens Axboe
  2019-03-16 23:48               ` Randy Dunlap
  0 siblings, 1 reply; 10+ messages in thread
From: Jens Axboe @ 2019-03-16 19:31 UTC (permalink / raw)
  To: Randy Dunlap, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/15/19 6:32 PM, Randy Dunlap wrote:
> On 3/15/19 9:33 AM, Jens Axboe wrote:
>> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>>> [Has this already been addressed/fixed?]>>
>>>>>>
>>>>>> Same bug occurs with paride/pcd.c driver.
>>>>>
>>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
>>>>
>>>> I'll take a look at this, been busy with other stuff. How are you
>>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>>
>>> Right.  I just load the module (pf or pcd), unload it, and
>>> then load it again.
>>
>> Does this work?
>>
> 
> No.  Just loading the pf module gives this:

Missing clear of the queue. This one should be more complete.

To be fair, this was utterly broken since forever. It's just now apparent
since we complain about it. But pf/pcd was one big leak fest.


diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
index 96670eefaeb2..377a694dc228 100644
--- a/drivers/block/paride/pcd.c
+++ b/drivers/block/paride/pcd.c
@@ -749,8 +749,12 @@ static int pcd_detect(void)
 		return 0;
 
 	printk("%s: No CD-ROM drive found\n", name);
-	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
+	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
+		blk_cleanup_queue(cd->disk->queue);
+		cd->disk->queue = NULL;
+		blk_mq_free_tag_set(&cd->tag_set);
 		put_disk(cd->disk);
+	}
 	pi_unregister_driver(par_drv);
 	return -1;
 }
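Review bot: pcd.c only gets its detection-failure path fixed here, while pf.c also gets the pf_exit() change in the last hunk; if pcd_exit() skips non-present units the way the old pf_exit() did (`if (!pf->present) continue;`), a partially detected pcd setup still leaks the queue and tag set of the missing units on unload, so pcd wants the matching hunk. The new `cd->disk->queue = NULL;` before put_disk() is the right fix for the failure seen with the earlier version: disk_release() puts disk->queue, and for a disk that was never added that put is unbalanced once blk_cleanup_queue() has run.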
diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
index e92e7a8eeeb2..103b617cdc31 100644
--- a/drivers/block/paride/pf.c
+++ b/drivers/block/paride/pf.c
@@ -761,8 +761,12 @@ static int pf_detect(void)
 		return 0;
 
 	printk("%s: No ATAPI disk detected\n", name);
-	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
+	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
+		blk_cleanup_queue(pf->disk->queue);
+		pf->disk->queue = NULL;
+		blk_mq_free_tag_set(&pf->tag_set);
 		put_disk(pf->disk);
+	}
 	pi_unregister_driver(par_drv);
 	return -1;
 }
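Review bot: the reason for `pf->disk->queue = NULL;` is not obvious from the code and deserves a one-line comment above it, since it is the only difference from the earlier version of this hunk that still crashed: put_disk() ends in disk_release(), which puts disk->queue, and for a disk that was never added that put has no reference to drop once blk_cleanup_queue() has run. Without the comment the next cleanup pass is likely to drop the line as redundant.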
@@ -1047,13 +1051,15 @@ static void __exit pf_exit(void)
 	int unit;
 	unregister_blkdev(major, name);
 	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
-		if (!pf->present)
-			continue;
-		del_gendisk(pf->disk);
+		if (pf->present)
+			del_gendisk(pf->disk);
+
 		blk_cleanup_queue(pf->disk->queue);
 		blk_mq_free_tag_set(&pf->tag_set);
 		put_disk(pf->disk);
-		pi_release(pf->pi);
+
+		if (pf->present)
+			pi_release(pf->pi);
 	}
 }
 
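Review bot: units with `!pf->present` now go through blk_cleanup_queue() and put_disk() here without clearing pf->disk->queue first, which is the very combination the pf_detect() hunk above had to guard with `pf->disk->queue = NULL;`: such a disk was never added, so disk_release() has no queue reference of its own to drop. Suggest clearing the pointer for those units only, e.g. `if (!pf->present) pf->disk->queue = NULL;` before put_disk() (not unconditionally, because for an added disk that put is what releases the reference taken when the disk was added). Two smaller points: blk_cleanup_queue(pf->disk->queue) now runs for every unit, so it relies on pf->disk and pf->tag_set having been set up for all PF_UNITS at init, and the no-hardware test reported in this thread cannot exercise this branch at all, since pf_init() returns -19 before pf_exit() can ever run.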

-- 
Jens Axboe
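The thread never spells out why the second version of the patch needs `disk->queue = NULL` before `put_disk()` in the detection-failure path but not in the normal unload path. The following userspace model is added here to walk through the reference counts; it is not code from the thread or from the kernel. The names mirror the block layer API with a `model_` prefix, every body is a simulation, and the model assumes (this is not shown on the page) that add_disk() takes a queue reference of its own which disk_release() later drops.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Toy model of the reference counting behind "disk->queue = NULL" in the
 * patch above. Added illustration only: names mirror the block layer API,
 * bodies are a userspace simulation, nothing here is kernel code.
 * Assumption (not shown on the page): add_disk() takes its own reference on
 * the queue, and disk_release() drops the queue reference the disk carries. */

struct request_queue {
	int refcount;   /* stands in for the kobject refcount */
	bool freed;     /* kept instead of free() so a late put is detectable */
};

struct gendisk {
	struct request_queue *queue;
	int refcount;
};

/* Number of operations the real kernel would report as a bug:
 * a put on a queue that has already been released. */
static int model_errors;

static struct request_queue *model_blk_mq_init_queue(void)
{
	struct request_queue *q = calloc(1, sizeof(*q));
	q->refcount = 1;          /* the allocation owns the initial reference */
	return q;
}

static void model_blk_put_queue(struct request_queue *q)
{
	if (q->freed) {
		model_errors++;   /* refcount_dec on already released memory */
		return;
	}
	if (--q->refcount == 0)
		q->freed = true;  /* last reference gone: queue released */
}

/* blk_cleanup_queue() ends by dropping the allocation's reference. */
static void model_blk_cleanup_queue(struct request_queue *q)
{
	model_blk_put_queue(q);
}

static struct gendisk *model_alloc_disk(void)
{
	struct gendisk *d = calloc(1, sizeof(*d));
	d->refcount = 1;
	return d;
}

/* Assumption: add_disk() pins the queue for as long as the disk lives. */
static void model_add_disk(struct gendisk *d)
{
	d->queue->refcount++;
}

/* put_disk() -> disk_release(): the disk puts whatever queue pointer it
 * still holds; this is the path in the trace quoted in the thread. */
static void model_put_disk(struct gendisk *d)
{
	if (--d->refcount == 0) {
		if (d->queue)
			model_blk_put_queue(d->queue);
		free(d);
	}
}

/* Detection-failure teardown of a unit that was never added, with and
 * without the NULL assignment the second version of the patch adds.
 * Returns the number of bad puts the model observed. */
int teardown_never_added(bool clear_queue_pointer)
{
	struct gendisk *d = model_alloc_disk();
	d->queue = model_blk_mq_init_queue();
	model_errors = 0;
	model_blk_cleanup_queue(d->queue);
	if (clear_queue_pointer)
		d->queue = NULL;  /* the line added in the second version */
	model_put_disk(d);
	return model_errors;
}

/* Normal unload of a unit that was added: the reference add_disk() took is
 * what disk_release() drops, so here the pointer must NOT be cleared. */
int teardown_added(void)
{
	struct gendisk *d = model_alloc_disk();
	d->queue = model_blk_mq_init_queue();
	model_add_disk(d);
	model_errors = 0;
	model_blk_cleanup_queue(d->queue);  /* after del_gendisk() in real code */
	model_put_disk(d);
	return model_errors;
}

int main(void)
{
	printf("never added, pointer kept:    %d bad put(s)\n", teardown_never_added(false));
	printf("never added, pointer cleared: %d bad put(s)\n", teardown_never_added(true));
	printf("added, then unloaded:         %d bad put(s)\n", teardown_added());
	return 0;
}
```

The first case reproduces the unbalanced put behind the refcount warning quoted earlier in the thread, the second shows the effect of the added assignment, and the third is why that assignment belongs only on units that were never added: for a disk that was added, the put in disk_release() is the one that releases the reference add_disk() took.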



* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-16 19:31             ` Jens Axboe
@ 2019-03-16 23:48               ` Randy Dunlap
  2019-03-18 14:08                 ` Jens Axboe
  0 siblings, 1 reply; 10+ messages in thread
From: Randy Dunlap @ 2019-03-16 23:48 UTC (permalink / raw)
  To: Jens Axboe, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/16/19 12:31 PM, Jens Axboe wrote:
> On 3/15/19 6:32 PM, Randy Dunlap wrote:
>> On 3/15/19 9:33 AM, Jens Axboe wrote:
>>> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>>>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>>>> [Has this already been addressed/fixed?]>>
>>>>>>>
>>>>>>> Same bug occurs with paride/pcd.c driver.
>>>>>>
>>>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>>>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
>>>>>
>>>>> I'll take a look at this, been busy with other stuff. How are you
>>>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>>>
>>>> Right.  I just load the module (pf or pcd), unload it, and
>>>> then load it again.
>>>
>>> Does this work?
>>>
>>
>> No.  Just loading the pf module gives this:
> 
> Missing clear of the queue. This one should be more complete.
> 
> To be fair, this was utterly broken since forever. It's just now apparent
> since we complain about it. But pf/pcd was one big leak fest.
> 

OK, this one works for both pf and pcd.
By "works" I mean that the driver init function runs and exits without
causing a BUG or GP fault etc.
Not that I have any such hardware.

Tested-by: Randy Dunlap <rdunlap@infradead.org>

Thanks.

> 
> diff --git a/drivers/block/paride/pcd.c b/drivers/block/paride/pcd.c
> index 96670eefaeb2..377a694dc228 100644
> --- a/drivers/block/paride/pcd.c
> +++ b/drivers/block/paride/pcd.c
> @@ -749,8 +749,12 @@ static int pcd_detect(void)
>  		return 0;
>  
>  	printk("%s: No CD-ROM drive found\n", name);
> -	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++)
> +	for (unit = 0, cd = pcd; unit < PCD_UNITS; unit++, cd++) {
> +		blk_cleanup_queue(cd->disk->queue);
> +		cd->disk->queue = NULL;
> +		blk_mq_free_tag_set(&cd->tag_set);
>  		put_disk(cd->disk);
> +	}
>  	pi_unregister_driver(par_drv);
>  	return -1;
>  }
> diff --git a/drivers/block/paride/pf.c b/drivers/block/paride/pf.c
> index e92e7a8eeeb2..103b617cdc31 100644
> --- a/drivers/block/paride/pf.c
> +++ b/drivers/block/paride/pf.c
> @@ -761,8 +761,12 @@ static int pf_detect(void)
>  		return 0;
>  
>  	printk("%s: No ATAPI disk detected\n", name);
> -	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++)
> +	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
> +		blk_cleanup_queue(pf->disk->queue);
> +		pf->disk->queue = NULL;
> +		blk_mq_free_tag_set(&pf->tag_set);
>  		put_disk(pf->disk);
> +	}
>  	pi_unregister_driver(par_drv);
>  	return -1;
>  }
> @@ -1047,13 +1051,15 @@ static void __exit pf_exit(void)
>  	int unit;
>  	unregister_blkdev(major, name);
>  	for (pf = units, unit = 0; unit < PF_UNITS; pf++, unit++) {
> -		if (!pf->present)
> -			continue;
> -		del_gendisk(pf->disk);
> +		if (pf->present)
> +			del_gendisk(pf->disk);
> +
>  		blk_cleanup_queue(pf->disk->queue);
>  		blk_mq_free_tag_set(&pf->tag_set);
>  		put_disk(pf->disk);
> -		pi_release(pf->pi);
> +
> +		if (pf->present)
> +			pi_release(pf->pi);
>  	}
>  }
>  
> 


-- 
~Randy


* Re: paride/pf.c: blk-mq use-after-free (kernel v5.0)
  2019-03-16 23:48               ` Randy Dunlap
@ 2019-03-18 14:08                 ` Jens Axboe
  0 siblings, 0 replies; 10+ messages in thread
From: Jens Axboe @ 2019-03-18 14:08 UTC (permalink / raw)
  To: Randy Dunlap, linux-block; +Cc: LKML, Tim Waugh, linux-parport

On 3/16/19 5:48 PM, Randy Dunlap wrote:
> On 3/16/19 12:31 PM, Jens Axboe wrote:
>> On 3/15/19 6:32 PM, Randy Dunlap wrote:
>>> On 3/15/19 9:33 AM, Jens Axboe wrote:
>>>> On 3/14/19 5:49 PM, Randy Dunlap wrote:
>>>>> On 3/14/19 4:43 PM, Jens Axboe wrote:
>>>>>> On 3/13/19 5:09 PM, Randy Dunlap wrote:
>>>>>>> On 3/11/19 6:34 PM, Randy Dunlap wrote:
>>>>>>>> On 3/11/19 6:25 PM, Randy Dunlap wrote:
>>>>>>>>> [Has this already been addressed/fixed?]>>
>>>>>>>>
>>>>>>>> Same bug occurs with paride/pcd.c driver.
>>>>>>>
>>>>>>> This still happens (in blk-mq) in v5.0-11053-gebc551f2b8f9 of Mar. 12, 2019,
>>>>>>> around 4pm PT.  [caused by paride: pf.c and pcd.c]
>>>>>>
>>>>>> I'll take a look at this, been busy with other stuff. How are you
>>>>>> reproducing this? I'm assuming you don't actually have any hardware :-)
>>>>>
>>>>> Right.  I just load the module (pf or pcd), unload it, and
>>>>> then load it again.
>>>>
>>>> Does this work?
>>>>
>>>
>>> No.  Just loading the pf module gives this:
>>
>> Missing clear of the queue. This one should be more complete.
>>
>> To be fair, this was utterly broken since forever. It's just now apparent
>> since we complain about it. But pf/pcd was one big leak fest.
>>
> 
> OK, this one works for both pf and pcd.
> By "works" I mean that the driver init function runs and exits without
> causing a BUG or GP fault etc.
> Not that I have any such hardware.
> 
> Tested-by: Randy Dunlap <rdunlap@infradead.org>

Thanks Randy, I'll get these queued up.

-- 
Jens Axboe


