From: Jeff Moyer <jmoyer@redhat.com>
To: Qian Cai <cai@lca.pw>
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, hare@suse.com,
bcrl@kvack.org, linux-aio@kvack.org,
Linux-MM <linux-mm@kvack.org>
Subject: Re: io_submit with slab free object overwritten
Date: Fri, 22 Feb 2019 17:25:46 -0500
Message-ID: <x49o973v4t1.fsf@segfault.boston.devel.redhat.com>
In-Reply-To: <4a56fc9f-27f7-5cb5-feed-a4e33f05a5d1@lca.pw> (Qian Cai's message of "Fri, 22 Feb 2019 00:40:29 -0500")
Qian Cai <cai@lca.pw> writes:
> This is only reproducible on linux-next (20190221), as v5.0-rc7 is fine. Running
> two LTP tests and then reboot will trigger this on ppc64le (CONFIG_IO_URING=n
> and CONFIG_SHUFFLE_PAGE_ALLOCATOR=y).
>
> # fgetxattr02
> # io_submit01
> # systemctl reboot
>
> There is a 32-bit (with all ones) overwritten of free slab objects (poisoned).
>
> [23424.121182] BUG aio_kiocb (Tainted: G B W L ): Poison overwritten
> [23424.121189]
> -----------------------------------------------------------------------------
> [23424.121189]
> [23424.121197] INFO: 0x000000009f1f5145-0x00000000841e301b. First byte 0xff instead of 0x6b
> [23424.121205] INFO: Allocated in io_submit_one+0x9c/0xb20 age=0 cpu=7 pid=12174
> [23424.121212] __slab_alloc+0x34/0x60
> [23424.121217] kmem_cache_alloc+0x504/0x5c0
> [23424.121221] io_submit_one+0x9c/0xb20
> [23424.121224] sys_io_submit+0xe0/0x350
> [23424.121227] system_call+0x5c/0x70
> [23424.121231] INFO: Freed in aio_complete+0x31c/0x410 age=0 cpu=7 pid=12174
> [23424.121234] kmem_cache_free+0x4bc/0x540
> [23424.121237] aio_complete+0x31c/0x410
> [23424.121240] blkdev_bio_end_io+0x238/0x3e0
> [23424.121243] bio_endio.part.3+0x214/0x330
> [23424.121247] brd_make_request+0x2d8/0x314 [brd]
Yeah, the ramdisk is synchronous, so I/O completes in the issuing
context. I guess we could also see a problem with an error in the issue
path, and regular storage.
That -1 probably comes from this:
@@ -412,6 +420,7 @@ __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter, int nr_pages)
bio->bi_opf |= REQ_HIPRI;
qc = submit_bio(bio);
+ WRITE_ONCE(iocb->ki_cookie, qc);
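Review bot: the WRITE_ONCE(iocb->ki_cookie, qc) added right after `qc = submit_bio(bio);` dereferences the iocb after the bio has been handed off, and once submit_bio() returns the caller has no guarantee the aio_kiocb is still allocated: with a synchronous completion path such as brd (or an error in the issue path), aio_complete() can already have freed it in the issuing context, and with SLUB poisoning the -1U cookie (BLK_QC_T_NONE) lands on the freed object as the 0xff-over-0x6b overwrite in the report. Store the cookie only where the kiocb is known to outlive submit_bio(), or keep the iocb referenced across the call; the later `iocb->ki_flags & IOCB_HIPRI` read in the wait loop needs the same audit.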
#define BLK_QC_T_NONE -1U
Use after free. Further down the function, we also reference the iocb,
though:
    if (!is_sync)
        return -EIOCBQUEUED;

    for (;;) {
        set_current_state(TASK_UNINTERRUPTIBLE);
        if (!READ_ONCE(dio->waiter))
            break;
        if (!(iocb->ki_flags & IOCB_HIPRI) ||
            !blk_poll(bdev_get_queue(bdev), qc, true))
            io_schedule();
    }
So I guess a bit more auditing is required.
-Jeff
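An added example, not code from the thread or from the kernel: a user-space model of the ordering hazard Jeff describes, with a SLUB-style 0x6b poison on free and a submit_bio() that completes in the issuing context the way brd does. The struct fields, kiocb_put and model_run are assumptions of the model, and the reference-holding variant shows one general way to keep an object alive across a call that may complete it, not the fix the thread settled on.

```c
/* Added example (not from the thread or the kernel): user-space model of the
 * hazard. Free poisons with 0x6b like SLUB; submit_bio() completes in the
 * issuing context like brd, so the kiocb may already be gone when it returns. */
#include <stdint.h>
#include <string.h>

#define POISON_FREE   0x6b
#define BLK_QC_T_NONE (-1U)
struct kiocb { uint32_t ki_cookie; int ki_refcnt; };  /* assumed model fields */
struct bio   { struct kiocb *owner; };
static struct kiocb slab[1];  /* static pool: the freed slot stays addressable */

/* The initial reference belongs to the completion path. */
static struct kiocb *kiocb_alloc(void)
{ slab[0].ki_cookie = 0; slab[0].ki_refcnt = 1; return &slab[0]; }
/* Dropping the last reference frees the object and poisons it. */
static void kiocb_put(struct kiocb *k)
{ if (--k->ki_refcnt == 0) memset(k, POISON_FREE, sizeof *k); }
/* brd-like: completion runs synchronously and drops its reference. */
static uint32_t submit_bio(struct bio *b)
{ kiocb_put(b->owner); return BLK_QC_T_NONE; }
/* Mirrors the hunk: the cookie is stored after submit_bio() returns. */
static void direct_io_buggy(struct kiocb *iocb, struct bio *b)
{
    uint32_t qc = submit_bio(b);
    iocb->ki_cookie = qc;     /* writes 0xffffffff over the 0x6b poison */
}
/* Model fix: hold our own reference for as long as we touch the kiocb. */
static void direct_io_fixed(struct kiocb *iocb, struct bio *b)
{
    iocb->ki_refcnt++;
    uint32_t qc = submit_bio(b);
    iocb->ki_cookie = qc;     /* safe: our reference keeps it allocated */
    kiocb_put(iocb);          /* last reference dropped: freed and poisoned */
}
/* 1 if the freed object's poison is intact, 0 if it was overwritten. */
static int poison_intact(const struct kiocb *k)
{
    const unsigned char *p = (const unsigned char *)k;
    for (size_t i = 0; i < sizeof *k; i++)
        if (p[i] != POISON_FREE) return 0;
    return 1;
}
/* One submission; returns whether the freed slot still looks freed. */
static int model_run(int fixed)
{
    struct kiocb *iocb = kiocb_alloc();
    struct bio b = { iocb };
    if (fixed) direct_io_fixed(iocb, &b); else direct_io_buggy(iocb, &b);
    return poison_intact(iocb);
}
```

With the hunk's ordering the first bytes of the freed slot read 0xff instead of 0x6b, which is the signature in the slab report; with the reference held across submit_bio() the object is freed exactly once and its poison is intact.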