| Message ID | c9eb786f6cef041e159e6287de131bec0719ad5c.1638907997.git.asml.silence@gmail.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
| Series | [5.16] block: fix single bio async DIO error handling | expand |
On Tue, 7 Dec 2021 20:16:36 +0000, Pavel Begunkov wrote: > BUG: KASAN: use-after-free in io_submit_one+0x496/0x2fe0 fs/aio.c:1882 > CPU: 2 PID: 15100 Comm: syz-executor873 Not tainted 5.16.0-rc1-syzk #1 > Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 > 04/01/2014 > Call Trace: > [...] > refcount_dec_and_test include/linux/refcount.h:333 [inline] > iocb_put fs/aio.c:1161 [inline] > io_submit_one+0x496/0x2fe0 fs/aio.c:1882 > __do_sys_io_submit fs/aio.c:1938 [inline] > __se_sys_io_submit fs/aio.c:1908 [inline] > __x64_sys_io_submit+0x1c7/0x4a0 fs/aio.c:1908 > do_syscall_x64 arch/x86/entry/common.c:50 [inline] > do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > [...] Applied, thanks! [1/1] block: fix single bio async DIO error handling commit: 75feae73a28020e492fbad2323245455ef69d687 Best regards,
diff --git a/block/fops.c b/block/fops.c index ad732a36f9b3..8d329ca56b0f 100644 --- a/block/fops.c +++ b/block/fops.c @@ -340,8 +340,7 @@ static ssize_t __blkdev_direct_IO_async(struct kiocb *iocb, } else { ret = bio_iov_iter_get_pages(bio, iter); if (unlikely(ret)) { - bio->bi_status = BLK_STS_IOERR; - bio_endio(bio); + bio_put(bio); return ret; } }
BUG: KASAN: use-after-free in io_submit_one+0x496/0x2fe0 fs/aio.c:1882 CPU: 2 PID: 15100 Comm: syz-executor873 Not tainted 5.16.0-rc1-syzk #1 Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29 04/01/2014 Call Trace: [...] refcount_dec_and_test include/linux/refcount.h:333 [inline] iocb_put fs/aio.c:1161 [inline] io_submit_one+0x496/0x2fe0 fs/aio.c:1882 __do_sys_io_submit fs/aio.c:1938 [inline] __se_sys_io_submit fs/aio.c:1908 [inline] __x64_sys_io_submit+0x1c7/0x4a0 fs/aio.c:1908 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x44/0xae __blkdev_direct_IO_async() returns errors from bio_iov_iter_get_pages() directly, in which case upper layers won't be expecting ->ki_complete to be called by the block layer and will terminate the request. However, there is also bio_endio() leading to a second ->ki_complete and a double free. Fixes: 54a88eb838d37 ("block: add single bio async direct IO helper") Reported-by: George Kennedy <george.kennedy@oracle.com> Signed-off-by: Pavel Begunkov <asml.silence@gmail.com> --- block/fops.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-)