From: Jens Axboe <axboe@kernel.dk>
To: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>,
	Yu Kuai <yukuai1@huaweicloud.com>
Cc: Jan Kara <jack@suse.cz>,
	"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	Gabriele Felici <felicigb@gmail.com>,
	Gianmarco Lusvardi <glusvardi@posteo.net>,
	Giulio Barabino <giuliobarabino99@gmail.com>,
	Emiliano Maccaferri <inbox@emilianomaccaferri.com>,
	Paolo Valente <paolo.valente@linaro.org>,
	Damien Le Moal <damien.lemoal@opensource.wdc.com>,
	"yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [bug report] BUG: KASAN: slab-use-after-free in bfq_setup_cooperator
Date: Tue, 7 Mar 2023 07:26:22 -0700	[thread overview]
Message-ID: <4e6e1606-1d9e-9903-8a44-ccac58a1fe06@kernel.dk> (raw)
In-Reply-To: <20230307114949.mh7fbo4e2zepcllg@shindev>

On 3/7/23 4:49 AM, Shinichiro Kawasaki wrote:
> On Mar 07, 2023 / 18:28, Yu Kuai wrote:
>> Hi, Jan
>>
>> On 2023/03/07 18:20, Jan Kara wrote:
> 
> [...]
> 
>>> So rather doing something like:
>>>
>>> 		bfqq_data->stable_merge_bfqq = NULL;
>>> 		new_bfqq = bfq_setup_stable_merge(bfqd, bfqq,
>>> 						  stable_merge_bfqq, bfqq_data);
>>> 		bfq_put_stable_ref(stable_merge_bfqq);
>>> 		return new_bfqq;
>>>
>>> should work in bfq_setup_cooperator().
>>
>> Yes, this will work.
> 
> Based on the description above, I quickly created the dirty patch below, and
> confirmed it avoids the BUG. Looks good. Jan, Yu, thanks for the quick actions.
> Let me wait for the formal patch.
> 
> diff --git a/block/bfq-iosched.c b/block/bfq-iosched.c
> index 8a8d4441519c..50eb435efed0 100644
> --- a/block/bfq-iosched.c
> +++ b/block/bfq-iosched.c
> @@ -2932,15 +2932,15 @@ bfq_setup_cooperator(struct bfq_data *bfqd, struct bfq_queue *bfqq,
>  					   msecs_to_jiffies(bfq_late_stable_merging))) {
>  			struct bfq_queue *stable_merge_bfqq =
>  				bfqq_data->stable_merge_bfqq;
> +			static struct bfq_queue *new_bfqq;
>  
>  			/* deschedule stable merge, because done or aborted here */
> -			bfq_put_stable_ref(stable_merge_bfqq);
> -
>  			bfqq_data->stable_merge_bfqq = NULL;
> -
> -			return bfq_setup_stable_merge(bfqd, bfqq,
> -						      stable_merge_bfqq,
> -						      bfqq_data);
> +			new_bfqq = bfq_setup_stable_merge(bfqd, bfqq,
> +							  stable_merge_bfqq,
> +							  bfqq_data);
> +			bfq_put_stable_ref(stable_merge_bfqq);
> +			return new_bfqq;
>  		}
>  	}
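Review bot: `+			static struct bfq_queue *new_bfqq;` at the top of the hunk makes the temporary a function-scope static, so every caller of bfq_setup_cooperator() shares one slot and concurrent calls can clobber each other's return value; it should be a plain local, `struct bfq_queue *new_bfqq;`, as in Jan's snippet quoted above. The reordering itself is right: bfq_put_stable_ref() may drop the last reference and free stable_merge_bfqq, so it has to run only after bfq_setup_stable_merge() is done with the pointer, which is what the moved `+			bfq_put_stable_ref(stable_merge_bfqq);` achieves.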

Can you or Jan post this as a real patch so we can get it queued
up?

-- 
Jens Axboe