BUG: KASAN: use-after-free in bdev_free_inode+0x202/0x220
Read of size 8 at addr ffff88806e022148 by task systemd-udevd/8843
Call Trace:
<IRQ>
__dump_stack [inline]
dump_stack_lvl+0xcd/0x134
print_address_description.constprop.0.cold+0x6c/0x2d6
__kasan_report [inline]
kasan_report.cold+0x83/0xdf
bdev_free_inode+0x202/0x220
i_callback+0x3f/0x70
rcu_do_batch [inline]
rcu_core+0x7ab/0x1470
__do_softirq+0x29b/0x9c2
invoke_softirq [inline]
__irq_exit_rcu+0x123/0x180
irq_exit_rcu+0x5/0x20
Allocated by task 15227:
kasan_save_stack+0x1b/0x40
kasan_set_track [inline]
set_alloc_info [inline]
____kasan_kmalloc [inline]
____kasan_kmalloc [inline]
__kasan_kmalloc+0xa1/0xd0
kasan_kmalloc [inline]
kmem_cache_alloc_node_trace+0x20b/0x5d0
kmalloc_node [inline]
kzalloc_node [inline]
__alloc_disk_node+0x77/0x580
__blk_mq_alloc_disk+0xed/0x160
loop_add+0x340/0x960
loop_control_get_free [inline]
loop_control_ioctl+0x227/0x4a0
Freed by task 15227:
kasan_save_stack+0x1b/0x40
kasan_set_track+0x1c/0x30
kasan_set_free_info+0x20/0x30
____kasan_slab_free [inline]
____kasan_slab_free [inline]
__kasan_slab_free+0xd1/0x110
kasan_slab_free [inline]
__cache_free [inline]
kfree+0x10a/0x2c0
__alloc_disk_node+0x474/0x580
__blk_mq_alloc_disk+0xed/0x160
loop_add+0x340/0x960
loop_control_get_free [inline]
loop_control_ioctl+0x227/0x4a0
The xa_insert() may be return error in __alloc_disk_node(), and the disk
object will be release, however there are two operations that will release
it, kfree(disk) and iput(disk->part0->bd_inode), the iput operations
will call call_rcu(), because the rcu callback executed is an asynchronous
actionthe, so when free disk object in rcu callback, the disk object haven
been released. solve it through a unified release action.
Reported-by: [email protected]
Signed-off-by: Zqiang <[email protected]>
---
block/genhd.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/block/genhd.c b/block/genhd.c
index 5e8aa0ab66c2..924b75d9dfa6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1269,11 +1269,13 @@ struct gendisk *__alloc_disk_node(struct request_queue *q, int node_id,
out_destroy_part_tbl:
xa_destroy(&disk->part_tbl);
- iput(disk->part0->bd_inode);
out_free_bdi:
bdi_put(disk->bdi);
out_free_disk:
- kfree(disk);
+ if (disk->part0)
+ iput(disk->part0->bd_inode);
+ else
+ kfree(disk);
out_put_queue:
blk_put_queue(q);
return NULL;
--
2.17.1
On 2021/10/09 15:59, Zqiang wrote:
> The xa_insert() may be return error in __alloc_disk_node(), and the disk
> object will be release, however there are two operations that will release
> it, kfree(disk) and iput(disk->part0->bd_inode), the iput operations
> will call call_rcu(), because the rcu callback executed is an asynchronous
> actionthe, so when free disk object in rcu callback, the disk object haven
> been released. solve it through a unified release action.
>
> Reported-by: [email protected]
> Signed-off-by: Zqiang <[email protected]>
Thanks. But my patch is ready for 5.15.
https://lore.kernel.org/all/[email protected]/T/#u
On 2021/10/9 下午5:34, Tetsuo Handa wrote:
> On 2021/10/09 15:59, Zqiang wrote:
>> The xa_insert() may be return error in __alloc_disk_node(), and the disk
>> object will be release, however there are two operations that will release
>> it, kfree(disk) and iput(disk->part0->bd_inode), the iput operations
>> will call call_rcu(), because the rcu callback executed is an asynchronous
>> actionthe, so when free disk object in rcu callback, the disk object haven
>> been released. solve it through a unified release action.
>>
>> Reported-by: [email protected]
>> Signed-off-by: Zqiang <[email protected]>
> Thanks. But my patch is ready for 5.15.
>
> https://lore.kernel.org/all/[email protected]/T/#u
Thanks, there is a problem with my patch, your path is more suitable