From:   George Kennedy <george.kennedy@oracle.com>
To:     gregkh@linuxfoundation.org, axboe@kernel.dk, asml.silence@gmail.com
Cc:     george.kennedy@oracle.com, linux-block@vger.kernel.org,
        linux-kernel@vger.kernel.org
Subject: [PATCH 2/2] Revert "block: add single bio async direct IO helper"
Date:   Tue,  7 Dec 2021 10:51:42 -0500
Message-Id: <1638892302-14475-3-git-send-email-george.kennedy@oracle.com>
In-Reply-To: <1638892302-14475-1-git-send-email-george.kennedy@oracle.com>
References: <1638892302-14475-1-git-send-email-george.kennedy@oracle.com>
Content-Type: text/plain
MIME-Version: 1.0
X-MS-Exchange-AntiSpam-MessageData-ChunkCount: 1
X-MS-Exchange-AntiSpam-MessageData-0: =?us-ascii?Q?QRiyvQeQDc4+LCUdJQo1xjBaaxUBDmcYroop69m+OFXonNIQaJqDWn4JXTjw?=
 =?us-ascii?Q?Nml23W5gFS0dra2gIXhrvWRNHyb9N1nmCmgEwbcQaA4bdj61fXzPCgA9s49Z?=
 =?us-ascii?Q?UXpGTavc5mX7HoO+bAXHAp6rdh4AgqCfBpZyrYydVn9ymhFoeGOseD2Ropmd?=
 =?us-ascii?Q?MFf+QUwMpnJPxgcHfQsGP3SrHbRZELJQl9iJ/VCpKaWdEKNg0UK0TThA5Qfh?=
 =?us-ascii?Q?WNH1pcFtUCjdEBuJqEzV9wsyWc2cdn/cF/wkD08IqisSqD0/tpIB6zYAetNq?=
 =?us-ascii?Q?+ta9+7TtYB/1V5/VGCWXD6zqAh1Xo7mpHwaLZ+DlTNmE3eRscSOnd1vnsxAc?=
 =?us-ascii?Q?IFfb0Uh+xZNrbeXZxFpv77itn8fmG6IX1em0YjMobMRV2ZnPie3oNh+Pr013?=
 =?us-ascii?Q?LjZWQNf3LAWxHv+4cFk4W/k5uYH8CmhKD4lQdUL1cPYvNFzT83iyWWHnIr+R?=
 =?us-ascii?Q?C4D+IRiSsQ+RQZLuf6Fgg7YV9qxn8+l7rGwydOe6N1mNk9/SugpuDFEj42QT?=
 =?us-ascii?Q?zyyt7u4SyYVA1mgDqtrHcq2kEO3GknNf0wt21RF50ezLTTbECKB8lg4EGUQf?=
 =?us-ascii?Q?YWZYMxnQgwMPzqKdDo1MS6HfRADg705I9DCXZiBVvBZXS8f6hVRzIb5BrTFW?=
 =?us-ascii?Q?ItACMC+A4qHwJZ2MTENOIywUnIUMHdzbFjExc6Mr427yMAwukHlK4uBnYF4/?=
 =?us-ascii?Q?kr2w9uEKz26v6pP/OrxsmlcqEgH7GblhwMlIvWb88MV+pI6lLcBX7vwfH/71?=
 =?us-ascii?Q?Q7XeP5LgMK0b++D+5xXmbwf4tYaf/Hk+qnvJ10Cfu6aJlDkZNHWRUgc0yDLk?=
 =?us-ascii?Q?2KXk7vBtLFJmJp8z7+rHi5iQasE+0jywrmM0HozC4dD0ZHD/HZ4Ep84rQph6?=
 =?us-ascii?Q?Mz6Yj8yxzQgvZGH9YwJqg+7yY/IhZoFg/5Vc/yzQnQwWlwPbnWd+24XEyTFF?=
 =?us-ascii?Q?/3v1L9GZ1b3WWmZrgJT7I/RnIkdrEM7qpBD3h8F+fM62KdBqT3BI2hOgDX4R?=
 =?us-ascii?Q?LNiStsPc912Ku2OObU+8i/qasGUXJauYaX2671+4+UJpQmdsUepjvANXyyAq?=
 =?us-ascii?Q?AdwHIvgDGM8Y3j7jQmvXpdIQy4p0pPbTJ8GBmYjArBSjpMeXdC+bAzr2hBuy?=
 =?us-ascii?Q?0KX2D4n/RFjbFhLJtCG6bto0T16fuVjf5yp7Ej4OIV4JSSjNYGaZZ/yVecqd?=
 =?us-ascii?Q?+UVYkzqoTXVRmkIBNeFOeHMM/AGsMGE78rjG2Xm17CuXp7yJdeH9QDiVc0VS?=
 =?us-ascii?Q?npfBT/4faQPQbDsgchzmVRaW/OyFi8Z4V5Sw/UA4VAe4LUjpLigqNrAHWrw6?=
 =?us-ascii?Q?wY6HoZwVUjvWYNHGx7/7x3Y2uk+vgfCC+OHgaSS21d0eJIorH+7euW/YDgCj?=
 =?us-ascii?Q?9rSZF3YbvuVuMnXq9BtmhU3IWiNMh1rc3QdHOX3ml37Njm9IJ0QDm3XPWptq?=
 =?us-ascii?Q?gjGp0nSZ1THudMXHCD7idOMcA0drc6//FawFldB0CqzWii0F9KmpMzpqowpi?=
 =?us-ascii?Q?31DLu6rwtibxQ0BElrfS4eD0Y1yM8A2/CtG/1DFKEdCE2984uLN3qWbX6KLl?=
 =?us-ascii?Q?yrhFCEUa9vkVvaiGBo+uMH8fXfiw0m/c8eOncHVy5G/TBDIPxUzGLxdUmY+M?=
 =?us-ascii?Q?tLYXco75B8Hzf92gwlQUmZb16nJC3iTk2t2kIv7L22iy89D8RHt7ZrwZ1VZ9?=
 =?us-ascii?Q?hbcEtQ=3D=3D?=
X-OriginatorOrg: oracle.com
X-MS-Exchange-CrossTenant-Network-Message-Id: 0376d715-62f3-407f-32ae-08d9b999bf20
X-MS-Exchange-CrossTenant-AuthSource: BN0PR10MB5192.namprd10.prod.outlook.com
X-MS-Exchange-CrossTenant-AuthAs: Internal
X-MS-Exchange-CrossTenant-OriginalArrivalTime: 07 Dec 2021 15:53:43.8891
 (UTC)
X-MS-Exchange-CrossTenant-FromEntityHeader: Hosted
X-MS-Exchange-CrossTenant-Id: 4e2c6054-71cb-48f1-bd6c-3a9705aca71b
X-MS-Exchange-CrossTenant-MailboxType: HOSTED
X-MS-Exchange-CrossTenant-UserPrincipalName: TBlf6ddfvrnWBx7qDFu9PFtZfgevD0RfVQ/3rl4fpmlLHWrR7rkHBjhXGA7kVenTpG9KwJIPZkKP4JRK2GgcxFGz1lgFqU6obt7zcinVQpM=
X-MS-Exchange-Transport-CrossTenantHeadersStamped: BN7PR10MB2626
X-Proofpoint-Virus-Version: vendor=nai engine=6300 definitions=10190 signatures=668683
X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 mlxlogscore=999 mlxscore=0 spamscore=0
 phishscore=0 bulkscore=0 suspectscore=0 malwarescore=0 adultscore=0
 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.12.0-2110150000
 definitions=main-2112070097
X-Proofpoint-ORIG-GUID: 1GXDjFgWMa9sQNuznme8JHjFpfoGKP0T
X-Proofpoint-GUID: 1GXDjFgWMa9sQNuznme8JHjFpfoGKP0T
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

This reverts commit 54a88eb838d37af930c9f19e1930a4fba6789cb5.

git bisect shows that commit 54a88eb838d3 ("block: add single bio async
direct IO helper") causes the following UAF:

BUG: KASAN: use-after-free in io_submit_one+0x496/0x2fe0 fs/aio.c:1882
Write of size 4 at addr ffff888027c338a0 by task syz-executor873/15100

CPU: 2 PID: 15100 Comm: syz-executor873 Not tainted 5.16.0-rc1-syzk #1
Hardware name: Red Hat KVM, BIOS
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x89/0xb5 lib/dump_stack.c:106
 print_address_description.constprop.9+0x28/0x160 mm/kasan/report.c:247
 __kasan_report mm/kasan/report.c:433 [inline]
 kasan_report.cold.14+0x7d/0x117 mm/kasan/report.c:450
 check_region_inline mm/kasan/generic.c:183 [inline]
 kasan_check_range+0x18e/0x1f0 mm/kasan/generic.c:189
 __kasan_check_write+0x14/0x20 mm/kasan/shadow.c:37
 instrument_atomic_read_write include/linux/instrumented.h:101 [inline]
 atomic_fetch_sub_release
    include/linux/atomic/atomic-instrumented.h:167 [inline]
 __refcount_sub_and_test include/linux/refcount.h:272 [inline]
 __refcount_dec_and_test include/linux/refcount.h:315 [inline]
 refcount_dec_and_test include/linux/refcount.h:333 [inline]
 iocb_put fs/aio.c:1161 [inline]
 io_submit_one+0x496/0x2fe0 fs/aio.c:1882
 __do_sys_io_submit fs/aio.c:1938 [inline]
__se_sys_io_submit fs/aio.c:1908 [inline]
 __x64_sys_io_submit+0x1c7/0x4a0 fs/aio.c:1908
 do_syscall_x64 arch/x86/entry/common.c:50 [inline]
 do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Conflicts:
	block/fops.c

Reported-by: syzkaller <syzkaller@googlegroups.com>
Signed-off-by: George Kennedy <george.kennedy@oracle.com>
---
 block/fops.c | 86 +++---------------------------------------------------------
 1 file changed, 3 insertions(+), 83 deletions(-)

diff --git a/block/fops.c b/block/fops.c
index e73167b..88e0401 100644
--- a/block/fops.c
+++ b/block/fops.c
@@ -282,84 +282,6 @@ static ssize_t __blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter,
 	return ret;
 }
 
-static void blkdev_bio_end_io_async(struct bio *bio)
-{
-	struct blkdev_dio *dio = container_of(bio, struct blkdev_dio, bio);
-	struct kiocb *iocb = dio->iocb;
-	ssize_t ret;
-
-	if (likely(!bio->bi_status)) {
-		ret = dio->size;
-		iocb->ki_pos += ret;
-	} else {
-		ret = blk_status_to_errno(bio->bi_status);
-	}
-
-	iocb->ki_complete(iocb, ret);
-
-	if (dio->flags & DIO_SHOULD_DIRTY) {
-		bio_check_pages_dirty(bio);
-	} else {
-		bio_release_pages(bio, false);
-		bio_put(bio);
-	}
-}
-
-static ssize_t __blkdev_direct_IO_async(struct kiocb *iocb,
-					struct iov_iter *iter,
-					unsigned int nr_pages)
-{
-	struct block_device *bdev = iocb->ki_filp->private_data;
-	struct blkdev_dio *dio;
-	struct bio *bio;
-	loff_t pos = iocb->ki_pos;
-	int ret = 0;
-
-	if ((pos | iov_iter_alignment(iter)) &
-	    (bdev_logical_block_size(bdev) - 1))
-		return -EINVAL;
-
-	bio = bio_alloc_kiocb(iocb, nr_pages, &blkdev_dio_pool);
-	dio = container_of(bio, struct blkdev_dio, bio);
-	dio->flags = 0;
-	dio->iocb = iocb;
-	bio_set_dev(bio, bdev);
-	bio->bi_iter.bi_sector = pos >> SECTOR_SHIFT;
-	bio->bi_write_hint = iocb->ki_hint;
-	bio->bi_end_io = blkdev_bio_end_io_async;
-	bio->bi_ioprio = iocb->ki_ioprio;
-
-	ret = bio_iov_iter_get_pages(bio, iter);
-	if (unlikely(ret)) {
-		bio->bi_status = BLK_STS_IOERR;
-		bio_endio(bio);
-		return ret;
-	}
-	dio->size = bio->bi_iter.bi_size;
-
-	if (iov_iter_rw(iter) == READ) {
-		bio->bi_opf = REQ_OP_READ;
-		if (iter_is_iovec(iter)) {
-			dio->flags |= DIO_SHOULD_DIRTY;
-			bio_set_pages_dirty(bio);
-		}
-	} else {
-		bio->bi_opf = dio_bio_write_op(iocb);
-		task_io_account_write(bio->bi_iter.bi_size);
-	}
-
-	if (iocb->ki_flags & IOCB_HIPRI) {
-		bio->bi_opf |= REQ_POLLED | REQ_NOWAIT;
-		submit_bio(bio);
-		WRITE_ONCE(iocb->private, bio);
-	} else {
-		if (iocb->ki_flags & IOCB_NOWAIT)
-			bio->bi_opf |= REQ_NOWAIT;
-		submit_bio(bio);
-	}
-	return -EIOCBQUEUED;
-}
-
 static ssize_t blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
 {
 	unsigned int nr_pages;
@@ -368,11 +290,9 @@ static ssize_t blkdev_direct_IO(struct kiocb *iocb, struct iov_iter *iter)
 		return 0;
 
 	nr_pages = bio_iov_vecs_to_alloc(iter, BIO_MAX_VECS + 1);
-	if (likely(nr_pages <= BIO_MAX_VECS)) {
-		if (is_sync_kiocb(iocb))
-			return __blkdev_direct_IO_simple(iocb, iter, nr_pages);
-		return __blkdev_direct_IO_async(iocb, iter, nr_pages);
-	}
+	if (is_sync_kiocb(iocb) && nr_pages <= BIO_MAX_VECS)
+		return __blkdev_direct_IO_simple(iocb, iter, nr_pages);
+
 	return __blkdev_direct_IO(iocb, iter, bio_max_segs(nr_pages));
 }
 
-- 
1.8.3.1