Received: by 2002:a05:6358:9144:b0:117:f937:c515 with SMTP id r4csp432327rwr; Thu, 4 May 2023 05:21:11 -0700 (PDT) X-Google-Smtp-Source: ACHHUZ7OrE/xbJdgPZrHiIKm/1g/ywZLf+XnsD4YuFJUOpzic4UOzJh8yN87Ycbk/bZa/W48Gb0v X-Received: by 2002:a17:902:da8a:b0:1aa:e739:4092 with SMTP id j10-20020a170902da8a00b001aae7394092mr4397846plx.52.1683202871136; Thu, 04 May 2023 05:21:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1683202871; cv=none; d=google.com; s=arc-20160816; b=XknERFu6mQEdPOaedAq5JQKFQqfTiODTcJjmXF16iqzQTPkOlQTUYGMnqu2Muc1SGH e720k581nul8ooE5HAV8G/2OIL1T9wN/raB4xDcivvAlDXHb3JItFOl5NP5l+5MKWbgI fPsT/Az2oBxNortec6KOflMZQGpGaGIQMm3g65/ijs06y0NQWQfJ5ODat0viLkFux6rF thAvzT6lygcAd0uDvGAaEjzwt2WI6uSQcBWGf5kUBipr8Ko6DSveAsZaZTn5KUVdofKo XeO7e0ow5fPw9U12cOjdsgvXO1ywxzxg/bUOOwJHyeAjzMRsaaAOaU4vVpGUdISOvJ5n tgxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=QQT7vhkSEwAKYsVqBnVYVeWcZoj22uVFN7zfsQuFW68=; b=ETjZ5mZjTwk1BfWaSMBhAjQSsiTDB+ed8ykSea8d8f8O7ScuixrqP84fQ6Cf1AGWiE cgDMZxgfHGla0l5mLQd07lASV6nWSZpKBrgEk72Q3SSEL1YewwxAga02iq4+C/BDrn8I TXqTSslNy+KOEBRruxyeaj2NeagVDIiLwivIyocxAngcKUS5YFN42+vtmdSGvdWW38h0 7y7+nzEHl1cMMs4jzI89X7vjzi4phtlAdjLvMXPTMzm3Hmy++CyJd1Na0mmS5WFng0YU IFDT8042wSgww2hZ/w45Lxmr8gNccdl55hTbTFCm0ikW1M5fyQE4QFyM27MDcizs2udn N0Qg== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id e12-20020a170902784c00b001a6ade4c8c2si32475823pln.142.2023.05.04.05.20.58; Thu, 04 May 2023 05:21:11 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=fail (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=huawei.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230242AbjEDMJv (ORCPT + 99 others); Thu, 4 May 2023 08:09:51 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:44124 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230011AbjEDMJu (ORCPT ); Thu, 4 May 2023 08:09:50 -0400 Received: from szxga01-in.huawei.com (szxga01-in.huawei.com [45.249.212.187]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CAE285FCE for ; Thu, 4 May 2023 05:09:48 -0700 (PDT) Received: from kwepemm600013.china.huawei.com (unknown [172.30.72.57]) by szxga01-in.huawei.com (SkyGuard) with ESMTP id 4QBsyj5Z7kzsR5q; Thu, 4 May 2023 20:07:57 +0800 (CST) Received: from [10.174.178.46] (10.174.178.46) by kwepemm600013.china.huawei.com (7.193.23.68) with Microsoft SMTP Server (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256) id 15.1.2507.23; Thu, 4 May 2023 20:09:43 +0800 Subject: Re: [PATCH -next,V2 1/2] ubi: fix slab-out-of-bounds in ubi_eba_get_ldesc+0xfb/0x130 To: ZhaoLong Wang , , , CC: , , References: <20230504025354.3595768-1-wangzhaolong1@huawei.com> From: Zhihao Cheng Message-ID: <3158c9dc-9f7b-b443-e442-6e38afd340de@huawei.com> Date: Thu, 4 May 2023 20:09:42 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.5.0 MIME-Version: 1.0 In-Reply-To: <20230504025354.3595768-1-wangzhaolong1@huawei.com> Content-Type: text/plain; charset="gbk"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.174.178.46] X-ClientProxiedBy: dggems704-chm.china.huawei.com (10.3.19.181) To kwepemm600013.china.huawei.com (7.193.23.68) X-CFilter-Loop: Reflected X-Spam-Status: No, score=-8.5 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_MED,SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ?? 2023/5/4 10:53, ZhaoLong Wang ะด??: > From: Guo Xuenan > > When using ioctl interface to resize ubi volume, ubi_resize_volume will > resize eba table first, but not change vol->reserved_pebs in the same > atomic context which may cause concurrency access eba table. > > For example, When user do shrink ubi volume A calling ubi_resize_volume, > while the other thread is writing (volume B) and triggering wear-leveling, > which may calling ubi_write_fastmap, under these circumstances, KASAN may > report: slab-out-of-bounds in ubi_eba_get_ldesc+0xfb/0x130. > > The main work of this patch include: > 1. fix races in ubi_resize_volume and ubi_update_fastmap, to avoid > eba_tbl read out of bounds. first, we make eba_tbl and reserved_pebs > updating under the protect of vol->volumes_lock. second, rollback > volume in case of resize failure. Also mention that for volume > shrinking failure, since part of volume has been shrunk and unmapped, > there is no need to recover {rsvd/avail}_pebs. > 2. fix some memleak in error path of ubi_resize_volume when destroy > new_eba_tbl. This line can be deleted. > > ================================================================== > BUG: KASAN: slab-out-of-bounds in ubi_eba_get_ldesc+0xfb/0x130 [ubi] > Read of size 4 at addr ffff88800f43f570 by task kworker/u16:0/7 > CPU: 0 PID: 7 Comm: kworker/u16:0 Not tainted 5.16.0-rc7 #3 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.13.0-1ubuntu1.1 04/01/2014 > Workqueue: writeback wb_workfn (flush-ubifs_0_0) > Call Trace: > > dump_stack_lvl+0x4d/0x66 > print_address_description.constprop.0+0x41/0x60 > kasan_report.cold+0x83/0xdf > ubi_eba_get_ldesc+0xfb/0x130 [ubi] > ubi_update_fastmap.cold+0x60f/0xc7d [ubi] > ubi_wl_get_peb+0x25b/0x4f0 [ubi] > try_write_vid_and_data+0x9a/0x4d0 [ubi] > ubi_eba_write_leb+0x7e4/0x17d0 [ubi] > ubi_leb_map+0x1a0/0x2c0 [ubi] > ubifs_leb_map+0x139/0x270 [ubifs] > ubifs_add_bud_to_log+0xb40/0xf30 [ubifs] > make_reservation+0x86e/0xb00 [ubifs] > ubifs_jnl_write_data+0x430/0x9d0 [ubifs] > do_writepage+0x1d1/0x550 [ubifs] > ubifs_writepage+0x37c/0x670 [ubifs] > __writepage+0x67/0x170 > write_cache_pages+0x259/0xa90 > do_writepages+0x277/0x5d0 > __writeback_single_inode+0xb8/0x850 > writeback_sb_inodes+0x4b3/0xb20 > __writeback_inodes_wb+0xc1/0x220 > wb_writeback+0x59f/0x740 > wb_workfn+0x6d0/0xca0 > process_one_work+0x711/0xfc0 > worker_thread+0x95/0xd00 > kthread+0x3a6/0x490 > ret_from_fork+0x1f/0x30 > > > Allocated by task 711: > kasan_save_stack+0x1e/0x50 > __kasan_kmalloc+0x81/0xa0 > ubi_eba_create_table+0x88/0x1a0 [ubi] > ubi_resize_volume.cold+0x175/0xae7 [ubi] > ubi_cdev_ioctl+0x57f/0x1a60 [ubi] > __x64_sys_ioctl+0x13a/0x1c0 > do_syscall_64+0x35/0x80 > entry_SYSCALL_64_after_hwframe+0x44/0xae > > Last potentially related work creation: > kasan_save_stack+0x1e/0x50 > __kasan_record_aux_stack+0xb7/0xc0 > call_rcu+0xd6/0x1000 > blk_stat_free_callback+0x28/0x30 > blk_release_queue+0x8a/0x2e0 > kobject_put+0x186/0x4c0 > scsi_device_dev_release_usercontext+0x620/0xbd0 > execute_in_process_context+0x2f/0x120 > device_release+0xa4/0x240 > kobject_put+0x186/0x4c0 > put_device+0x20/0x30 > __scsi_remove_device+0x1c3/0x300 > scsi_probe_and_add_lun+0x2140/0x2eb0 > __scsi_scan_target+0x1f2/0xbb0 > scsi_scan_channel+0x11b/0x1a0 > scsi_scan_host_selected+0x24c/0x310 > do_scsi_scan_host+0x1e0/0x250 > do_scan_async+0x45/0x490 > async_run_entry_fn+0xa2/0x530 > process_one_work+0x711/0xfc0 > worker_thread+0x95/0xd00 > kthread+0x3a6/0x490 > ret_from_fork+0x1f/0x30 > The buggy address belongs to the object at ffff88800f43f500 > which belongs to the cache kmalloc-128 of size 128 > The buggy address is located 112 bytes inside of > 128-byte region [ffff88800f43f500, ffff88800f43f580) > The buggy address belongs to the page: > page:ffffea00003d0f00 refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0xf43c > head:ffffea00003d0f00 order:2 compound_mapcount:0 compound_pincount:0 > flags: 0x1fffff80010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff) > raw: 001fffff80010200 ffffea000046ba08 ffffea0000457208 ffff88810004d1c0 > raw: 0000000000000000 0000000000190019 00000001ffffffff 0000000000000000 > page dumped because: kasan: bad access detected > Memory state around the buggy address: > ffff88800f43f400: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88800f43f480: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc >> ffff88800f43f500: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 fc fc > ^ > ffff88800f43f580: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > ffff88800f43f600: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc > > The following steps can used to reproduce: > Process 1: write and trigger ubi wear-leveling > ubimkvol /dev/ubi0 -s 5000MiB -N v1 > ubimkvol /dev/ubi0 -s 2000MiB -N v2 > ubimkvol /dev/ubi0 -s 10MiB -N v3 > mount -t ubifs /dev/ubi0_0 /mnt/ubifs > while true; > do > filename=/mnt/ubifs/$((RANDOM)) > dd if=/dev/random of=${filename} bs=1M count=$((RANDOM % 1000)) > rm -rf ${filename} > sync /mnt/ubifs/ > done > > Process 2: do random resize > struct ubi_rsvol_req req; > req.vol_id = 1; > req.bytes = (rand() % 50) * 512KB; > ioctl(fd, UBI_IOCRSVOL, &req); > > V2: > - Add volumes_lock in ubi_eba_copy_leb() to avoid race caused by > updating eba_tbl. > > V1: > - Rebase the patch on the latest mainline. > > Signed-off-by: Guo Xuenan > Signed-off-by: ZhaoLong Wang > --- > drivers/mtd/ubi/eba.c | 7 +++++++ > drivers/mtd/ubi/vmt.c | 24 +++++++++++++++++------- > 2 files changed, 24 insertions(+), 7 deletions(-) Reviewed-by: Zhihao Cheng