From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Gao Xiang, Greg Kroah-Hartman, Sasha Levin, linux-erofs@lists.ozlabs.org, devel@driverdev.osuosl.org
Subject: [PATCH AUTOSEL 4.20 055/117] staging: erofs: fix use-after-free of on-stack `z_erofs_vle_unzip_io'
Date: Tue, 8 Jan 2019 14:25:23 -0500
Message-Id: <20190108192628.121270-55-sashal@kernel.org>
X-Mailer: git-send-email 2.19.1
In-Reply-To: <20190108192628.121270-1-sashal@kernel.org>
References: <20190108192628.121270-1-sashal@kernel.org>
MIME-Version: 1.0
X-Patchwork-Hint: Ignore
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Gao Xiang

[ Upstream commit 848bd9acdcd00c164b42b14aacec242949ecd471 ]

The root cause is the race as follows:

Thread #0                        Thread #1
z_erofs_vle_unzip_kickoff        z_erofs_submit_and_unzip
                                 struct z_erofs_vle_unzip_io io[]
atomic_add_return()
                                 wait_event()
                                 [end of function]
wake_up()

Fix it by taking the waitqueue lock between atomic_add_return and
wake_up to close such a race.

kernel message:

Unable to handle kernel paging request at virtual address 97f7052caa1303dc
...
Workqueue: kverityd verity_work
task: ffffffe32bcb8000 task.stack: ffffffe3298a0000
PC is at __wake_up_common+0x48/0xa8
LR is at __wake_up+0x3c/0x58
...
Call trace:
...
[] __wake_up_common+0x48/0xa8
[] __wake_up+0x3c/0x58
[] z_erofs_vle_unzip_kickoff+0x40/0x64
[] z_erofs_vle_read_endio+0x94/0x134
[] bio_endio+0xe4/0xf8
[] dec_pending+0x134/0x32c
[] clone_endio+0x90/0xf4
[] bio_endio+0xe4/0xf8
[] verity_work+0x210/0x368
[] process_one_work+0x188/0x4b4
[] worker_thread+0x140/0x458
[] kthread+0xec/0x108
[] ret_from_fork+0x10/0x1c
Code: d1006273 54000260 f9400804 b9400019 (b85fc081)
---[ end trace be9dde154f677cd1 ]---

Reviewed-by: Chao Yu
Signed-off-by: Gao Xiang
Signed-off-by: Greg Kroah-Hartman
Signed-off-by: Sasha Levin --- drivers/staging/erofs/unzip_vle.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) diff --git a/drivers/staging/erofs/unzip_vle.c b/drivers/staging/erofs/unzip_vle.c index 79d3ba62b298..45e88bada907 100644 --- a/drivers/staging/erofs/unzip_vle.c +++ b/drivers/staging/erofs/unzip_vle.c @@ -717,13 +717,18 @@ static void z_erofs_vle_unzip_kickoff(void *ptr, int bios) struct z_erofs_vle_unzip_io *io = tagptr_unfold_ptr(t); bool background = tagptr_unfold_tags(t); - if (atomic_add_return(bios, &io->pending_bios)) + if (!background) { + unsigned long flags; + + spin_lock_irqsave(&io->u.wait.lock, flags); + if (!atomic_add_return(bios, &io->pending_bios)) + wake_up_locked(&io->u.wait); + spin_unlock_irqrestore(&io->u.wait.lock, flags); return; + } - if (background) + if (!atomic_add_return(bios, &io->pending_bios)) queue_work(z_erofs_workqueue, &io->u.work); - else - wake_up(&io->u.wait); } static inline void z_erofs_vle_read_endio(struct bio *bio) -- 2.19.1
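Review bot: the new `!background` branch closes the window only on the signaller's side; the waiter named in the commit message still uses wait_event(), which evaluates its condition without holding u.wait.lock (both on its initial fast-path check and after each wake-up), so a waiter that has not yet gone to sleep can read pending_bios == 0 between this thread's atomic_add_return() and its spin_unlock_irqrestore() and return, leaving wake_up_locked() and the unlock to touch an `io` that no longer exists on the stack. The window is much narrower than before, but the primitive designed for exactly this on-stack hand-off is `struct completion`: complete() and wait_for_completion() both test and update `done` under the same wait-queue lock, so the waiter cannot return until the signaller's last access has finished. If the waitqueue is kept, a one-line comment above `spin_lock_irqsave(&io->u.wait.lock, flags);` stating that `io` lives on the caller's stack in the synchronous case would explain to the next reader why the background path does not take the lock.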