Date: Tue, 19 Feb 2019 18:36:54 +0100
From: Oleg Nesterov
To: Guenter Roeck
Cc: Andrew Morton, Ben Woodard, "Eric W. Biederman", Kees Cook, Michal Hocko, linux-kernel@vger.kernel.org
Subject: Re: [PATCH 2/2] exec: increase BINPRM_BUF_SIZE to 256
Message-ID: <20190219173654.GA4314@redhat.com>
References: <20181112160931.GA28463@redhat.com> <20181112160956.GA28472@redhat.com> <20190218193734.GA29983@roeck-us.net> <20190219123756.GA9210@redhat.com> <20190219162643.GA15202@roeck-us.net>
In-Reply-To: <20190219162643.GA15202@roeck-us.net>

On 02/19, Guenter Roeck wrote:
>
> On Tue, Feb 19, 2019 at 01:37:57PM +0100, Oleg Nesterov wrote:
> >
> > looks unrelated...
> >
> Indeed...
>
> The underlying problem is in the error handling code of ace_setup(),
> which calls put_disk() followed by blk_cleanup_queue(). put_disk()
> calls disk_release(), which calls blk_put_queue(), which in turn
> results in a call to blk_mq_hw_sysfs_release().
>
> Added debug code, with your patch reverted, shows:
>
> ######### blk_mq_hw_sysfs_release hctx=cee4a800
> ...
> ######### blk_mq_run_hw_queue hctx=cee4a800
>
> blk_mq_hw_sysfs_release() calls kfree(hctx), so accessing it later is most
> definitely not a good idea.

Thanks!

> No idea why this only causes problems with your patch applied.

Well... blk_put_queue() may trigger kobject_uevent() which does
call_usermodehelper. So if one of the used-after-free data structures was
already re-allocated as linux_binprm, then with my patch it can look
"more corrupted"... But honestly, I too have no idea.

Thanks Guenter.

Oleg.
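As an added illustration of the release-ordering problem Guenter describes, here is a constructed userspace model (not code from this thread or from the kernel; every toy_* name is a hypothetical stand-in for put_disk(), blk_put_queue() and blk_cleanup_queue()). It shows why dropping the disk's queue reference before cleaning up the queue lets the cleanup touch an already-released hctx, and that the opposite order does not.

```c
#include <stdio.h>

/* Constructed toy model of the object lifetimes in the thread above.
 * The queue owns a hardware context (hctx) that goes away with the last
 * queue reference; the disk holds that reference. */
struct toy_hctx  { int poisoned; };             /* set once "kfree'd" */
struct toy_queue { int refcount; struct toy_hctx *hctx; };
struct toy_disk  { struct toy_queue *queue; };

/* blk_put_queue() analogue: the last reference releases hctx. Instead of
 * really freeing it we poison it, so a later access is detectable rather
 * than undefined behaviour. */
static void toy_put_queue(struct toy_queue *q)
{
    if (--q->refcount == 0 && q->hctx)
        q->hctx->poisoned = 1;
}

/* put_disk() analogue: disk_release() drops the disk's queue reference. */
static void toy_put_disk(struct toy_disk *d)
{
    toy_put_queue(d->queue);
}

/* blk_cleanup_queue() analogue: runs/drains the hardware queue, i.e. it
 * dereferences hctx. Returns 1 if hctx had already been released. */
static int toy_cleanup_queue(struct toy_queue *q)
{
    int uaf = q->hctx->poisoned;
    q->hctx = NULL;                    /* queue gives up hctx ownership */
    return uaf;
}

/* Runs the error path in one of the two orders and reports whether a
 * use-after-free happened. cleanup_first == 0 is the ordering the thread
 * describes (put_disk() first, then blk_cleanup_queue()). */
int toy_error_path(int cleanup_first)
{
    struct toy_hctx  hctx = { 0 };
    struct toy_queue q = { 1, &hctx };  /* the disk holds the only ref */
    struct toy_disk  d = { &q };
    int uaf;

    if (cleanup_first) {
        uaf = toy_cleanup_queue(&q);    /* hctx still alive here */
        toy_put_disk(&d);
    } else {
        toy_put_disk(&d);               /* refcount -> 0, hctx released */
        uaf = toy_cleanup_queue(&q);    /* ... and then touched again */
    }
    return uaf;
}
```

Compiled stand-alone, toy_error_path(0) returns 1 (stale hctx touched) and toy_error_path(1) returns 0; in the real kernel the stale access would only show up as corruption, which is why Guenter's debug prints of the hctx address were the useful signal.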