Received: by 2002:a25:e7d8:0:0:0:0:0 with SMTP id e207csp531045ybh; Wed, 11 Mar 2020 06:00:12 -0700 (PDT) X-Google-Smtp-Source: ADFU+vs/UA4gtGTPmF0OcpDdZDxDpi7ZKy615iYJX7gjPWroqVjGQbcceBqNyFUSVv1eSFyHm+ZD X-Received: by 2002:a05:6830:114f:: with SMTP id x15mr2215360otq.306.1583931612709; Wed, 11 Mar 2020 06:00:12 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1583931612; cv=none; d=google.com; s=arc-20160816; b=oNs3+Egsm0fBHP/xsaZTLl4zh9ND24F9suRPb7fMdZ8pvTOToUf56LkMJ4LbgiIBjc BEtnpgzwgX+uraH9a8XQUga8kc2zbdPZVYZjIoccTXYs2gBuQgnCBU2Czzi9dlSuymIv DrFBoUdQh1kryo+pkcC3Yt+ihslTse0hm2WvwiuoJMXZVSozRDJOWTmFOK4WPsWmPrm7 TdUQQUou6daN+QhM78MnSaCM1Se6IeOpLE1tVsbnkCXt4fOmQYMB6zXOPBi3XdnAEaM3 v09l5kOmoZhG6QhVg6++FzkM3PL49YbvjrKzoOG7D8cVUQJO6AzIVldH/unQvSiaSOiQ 22wQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=9l0335H7R/gtb+vxYfReRASjTU9/uz9886f0Ecj/gTU=; b=02A9BQl57ZKR7YMJQ6Zft6rP4OEkQ2y6neSt7Cjtzu8gueB64L+ebazfHhjGKyF9Iz /GotAS7FDIphRGsJnZAm39SDRNz9TsVuWp3xScljXzcTVzxPEqDVsQiiwNgU4QYDILXT BJU6olDblS1eydy6jO5Uy4yesQ2JQ7LmZiIW4ERRP5NleSbkDxlr23OBl1KGo8aid0Yt s5AzxO1y7OKtdEiWASFuQlh83xHG11yg8lHbd05VMIpLgFAfW9JwjnHzMs0W+QrDLhpZ LP+jK+rfXgH5C5ohY0NKdse1y50bu0QbZ7RSGRADf3jbrchzjt+C6fw8+JfzR49M+m4h tSyw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=cBX9fKK9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id l25si1087025otq.76.2020.03.11.06.00.00; Wed, 11 Mar 2020 06:00:12 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=cBX9fKK9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729494AbgCKM7i (ORCPT + 99 others); Wed, 11 Mar 2020 08:59:38 -0400 Received: from mail-io1-f68.google.com ([209.85.166.68]:45900 "EHLO mail-io1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729401AbgCKM7h (ORCPT ); Wed, 11 Mar 2020 08:59:37 -0400 Received: by mail-io1-f68.google.com with SMTP id w9so1758040iob.12 for ; Wed, 11 Mar 2020 05:59:36 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=9l0335H7R/gtb+vxYfReRASjTU9/uz9886f0Ecj/gTU=; b=cBX9fKK9kCURF+tzK+q02uWe1wlkHdpQKBOKxTNGlv/iaPh3Fth1OCztTJOwGToc0n zYEBA1cwfskvgCni8Vrmrmddo8xXTbPC240dk5n7pIjTZszTfpMx1Uwg17w6g5OBPmVB /qDaqZKNETlMfoppxTw64IxVw14UntG6b0+mhzX2tGyMhdlyeSYxojBhu/9jARSCLyLI 9cYak3H3lNcv8vzquw+GVUVEecWM6vmP3ZMSoqtbeDJTXz4YNMeYDa0ew4xwLMKVTmEb HW0qSDSeknuwPX37i0PvSYQKvWmi2gO98c2Ub2K1b0tDemLtXFQf2FIeb5W6rDdektqZ Zygw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=9l0335H7R/gtb+vxYfReRASjTU9/uz9886f0Ecj/gTU=; b=dHn6TIez9nVlV8V0Le5bw4k5T0Ay6ccp4tudOw2i6UnyZ65AHBMDFNrZ7GzNO/SsNb aUfKruuMP34wqASA716QT0bt3BeNcC8vj19sFWoID+xnbu379aLQ3PAdEj4Jde1f3aPX xVtKow6kyET7IlKQ3MLk4ass5ewMVJmGMJYiFiz2QL4mR9FVrb6rDfsNfNv/VQvijJ3a JjtgdVXNx6jejQvRppf00qmoVuCVrhkyjZYMRbs0YUk+USBYBFukt5uDx03ochBnjvA1 SBP5RhsihMQ30rlQUF0p7NLg7vVefL4zY+4FGAuXaDOuWZahmowMH/UGWmScPaj9kCf8 /Lgg== X-Gm-Message-State: ANhLgQ0e6rL06oFbIKIbh/h3NcIMMz8Ipr8OA+/+hy7tP+g2KmOXx5TL DjasyZmXtYOA83eh6OJV5mG9Ow== X-Received: by 2002:a6b:ea0b:: with SMTP id m11mr2796586ioc.182.1583931576447; Wed, 11 Mar 2020 05:59:36 -0700 (PDT) Received: from [192.168.1.159] ([65.144.74.34]) by smtp.gmail.com with ESMTPSA id t7sm2138153ioc.15.2020.03.11.05.59.35 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Wed, 11 Mar 2020 05:59:36 -0700 (PDT) Subject: Re: [PATCH] block: Fix use-after-free issue accessing struct io_cq To: Sahitya Tummala , linux-block@vger.kernel.org Cc: linux-kernel@vger.kernel.org, Pradeep P V K References: <1583923070-22245-1-git-send-email-stummala@codeaurora.org> From: Jens Axboe Message-ID: Date: Wed, 11 Mar 2020 06:59:34 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101 Thunderbird/68.4.1 MIME-Version: 1.0 In-Reply-To: <1583923070-22245-1-git-send-email-stummala@codeaurora.org> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/11/20 4:37 AM, Sahitya Tummala wrote: > There is a potential race between ioc_release_fn() and > ioc_clear_queue() as shown below, due to which below kernel > crash is observed. It also can result into use-after-free > issue. > > context#1: context#2: > ioc_release_fn() __ioc_clear_queue() gets the same icq > ->spin_lock(&ioc->lock); ->spin_lock(&ioc->lock); > ->ioc_destroy_icq(icq); > ->list_del_init(&icq->q_node); > ->call_rcu(&icq->__rcu_head, > icq_free_icq_rcu); > ->spin_unlock(&ioc->lock); > ->ioc_destroy_icq(icq); > ->hlist_del_init(&icq->ioc_node); > This results into below crash as this memory > is now used by icq->__rcu_head in context#1. > There is a chance that icq could be free'd > as well. > > 22150.386550: <6> Unable to handle kernel write to read-only memory > at virtual address ffffffaa8d31ca50 Fix looks good to me, applied. -- Jens Axboe