block: GPF in get_task_ioprio

Message ID	20160701024328.GA9765@vader (mailing list archive)
State	New, archived
Headers	show Return-Path: <linux-block-owner@kernel.org> Date: Thu, 30 Jun 2016 19:43:28 -0700 From: Omar Sandoval <osandov@osandov.com> To: Dmitry Vyukov <dvyukov@google.com> Cc: axboe@kernel.dk, linux-block@vger.kernel.org, LKML <linux-kernel@vger.kernel.org>, syzkaller <syzkaller@googlegroups.com>, Kostya Serebryany <kcc@google.com>, Alexander Potapenko <glider@google.com> Subject: Re: block: GPF in get_task_ioprio Message-ID: <20160701024328.GA9765@vader> References: <CACT4Y+Y5rj9cnOrY6LY7NRa6OvVzLcDdg=ns7TA9Wnd3R02+wQ@mail.gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <CACT4Y+Y5rj9cnOrY6LY7NRa6OvVzLcDdg=ns7TA9Wnd3R02+wQ@mail.gmail.com> User-Agent: Mutt/1.6.1 (2016-04-27) Sender: linux-block-owner@vger.kernel.org Precedence: bulk

Message ID

20160701024328.GA9765@vader (mailing list archive)

State

New, archived

Headers

Date: Thu, 30 Jun 2016 19:43:28 -0700
From: Omar Sandoval <osandov@osandov.com>
To: Dmitry Vyukov <dvyukov@google.com>
Cc: axboe@kernel.dk, linux-block@vger.kernel.org,
	LKML <linux-kernel@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	Kostya Serebryany <kcc@google.com>,
	Alexander Potapenko <glider@google.com>
Subject: Re: block: GPF in get_task_ioprio
Message-ID: <20160701024328.GA9765@vader>
References: <CACT4Y+Y5rj9cnOrY6LY7NRa6OvVzLcDdg=ns7TA9Wnd3R02+wQ@mail.gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <CACT4Y+Y5rj9cnOrY6LY7NRa6OvVzLcDdg=ns7TA9Wnd3R02+wQ@mail.gmail.com>
User-Agent: Mutt/1.6.1 (2016-04-27)
Sender: linux-block-owner@vger.kernel.org
Precedence: bulk

Commit Message

Omar Sandoval July 1, 2016, 2:43 a.m. UTC

On Thu, Jun 30, 2016 at 10:50:44AM +0200, Dmitry Vyukov wrote:
> Hello,
> 
> The following program triggers GPF in get_task_ioprio if run in a parallel loop:

Dmitry,

Could you please try the below?


I'm having a hard time reproducing it but I can see how it could happen;
I think `p->io_context` is getting freed in exit_io_context() in between
the `if (p->io_context)` and `ret = p->io_context->ioprio`.

Thanks,
Omar

> 
> // autogenerated by syzkaller (http://github.com/google/syzkaller)
> #include <stdint.h>
> #include <string.h>
> #include <sys/syscall.h>
> #include <unistd.h>
> 
> int main()
> {
>   syscall(SYS_ioprio_set, 0x2ul, 0x0ul, 0x7ffful, 0, 0, 0);
>   syscall(SYS_ioprio_get, 0x3ul, 0x0ul, 0, 0, 0, 0);
>   return 0;
> }
> 
> This patch also seems to help to trigger it:
> 
>  int set_task_ioprio(struct task_struct *task, int ioprio)
>  {
> @@ -150,8 +151,10 @@ static int get_task_ioprio(struct task_struct *p)
>         if (ret)
>                 goto out;
>         ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
> -       if (p->io_context)
> +       if (p->io_context) {
> +               ndelay(10000);
>                 ret = p->io_context->ioprio;
> +       }
>  out:
>         return ret;
>  }
> 
> kasan: GPF could be caused by NULL-ptr deref or user memory access
> general protection fault: 0000 [#1] SMP DEBUG_PAGEALLOC KASAN
> Modules linked in:
> CPU: 2 PID: 8978 Comm: a.out Not tainted 4.7.0-rc5+ #22
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
> task: ffff8800612397c0 ti: ffff880062d08000 task.ti: ffff880062d08000
> RIP: 0010:[<ffffffff82c7fa2a>]
>   [<ffffffff82c7fa2a>] get_task_ioprio+0x9a/0xe0 block/ioprio.c:156
> RSP: 0018:ffff880062d0feb8  EFLAGS: 00010206
> RAX: dffffc0000000000 RBX: 0000000000000000 RCX: 0000000000007605
> RDX: 0000000000000009 RSI: 0000002004a58c71 RDI: 0000000000000048
> RBP: ffff880062d0fed0 R08: 0000000000000002 R09: 0000000000000002
> R10: 0000000000000000 R11: 0000000000000001 R12: ffff8800647817c0
> R13: ffff8800647827b0 R14: ffffffff82c80ac2 R15: dffffc0000000000
> FS:  0000000001127880(0000) GS:ffff88006d400000(0000) knlGS:0000000000000000
> CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> CR2: 00000000004b20c0 CR3: 0000000061894000 CR4: 00000000000006e0
> Stack:
>  ffff8800647817c0 0000000000000000 ffffffff8813a660 ffff880062d0ff48
>  ffffffff82c80ec5 ffffffff82c80ac2 ffffffff880f8240 0000000362d0ff48
>  0000000000000000 000040037fff4003 fffffbfff101f048 ffffffff880f81e0
> Call Trace:
>  [<     inline     >] SYSC_ioprio_get block/ioprio.c:230
>  [<ffffffff82c80ec5>] SyS_ioprio_get+0x795/0x9c0 block/ioprio.c:182
>  [<ffffffff86a9b380>] entry_SYSCALL_64_fastpath+0x23/0xc1
> arch/x86/entry/entry_64.S:207
> Code: 00 fc ff df 48 c1 ea 03 80 3c 02 00 75 4f 49 8b 9c 24 f0 0f 00
> 00 48 b8 00 00 00 00 00 fc ff df 48 8d 7b 48 48 89 fa 48 c1 ea 03 <0f>
> b6 04 02 84 c0 74 04 3c 01 7e 12 0f b7 5b 48 e8 51 6f 91 fe
> RIP  [<ffffffff82c7fa2a>] get_task_ioprio+0x9a/0xe0 block/ioprio.c:156
>  RSP <ffff880062d0feb8>
> ---[ end trace 8b400ca760ff21a5 ]---
> 
> On commit 00bf377d19ad3d80cbc7a036521279a86e397bfb (Jun 29).
> --
> To unsubscribe from this list: send the line "unsubscribe linux-block" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html

Comments

Dmitry Vyukov July 1, 2016, 8:31 a.m. UTC | #1

On Fri, Jul 1, 2016 at 4:43 AM, Omar Sandoval <osandov@osandov.com> wrote:
> On Thu, Jun 30, 2016 at 10:50:44AM +0200, Dmitry Vyukov wrote:
>> Hello,
>>
>> The following program triggers GPF in get_task_ioprio if run in a parallel loop:
>
> Dmitry,
>
> Could you please try the below?
>
> diff --git a/block/ioprio.c b/block/ioprio.c
> index cc7800e9eb44..01b8116298a1 100644
> --- a/block/ioprio.c
> +++ b/block/ioprio.c
> @@ -150,8 +150,10 @@ static int get_task_ioprio(struct task_struct *p)
>         if (ret)
>                 goto out;
>         ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
> +       task_lock(p);
>         if (p->io_context)
>                 ret = p->io_context->ioprio;
> +       task_unlock(p);
>  out:
>         return ret;
>  }
>
> I'm having a hard time reproducing it but I can see how it could happen;
> I think `p->io_context` is getting freed in exit_io_context() in between
> the `if (p->io_context)` and `ret = p->io_context->ioprio`.


I see that you were able to reproduce it. So I am not testing it.
--
To unsubscribe from this list: send the line "unsubscribe linux-block" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

diff --git a/block/ioprio.c b/block/ioprio.c
index cc7800e9eb44..01b8116298a1 100644
--- a/block/ioprio.c
+++ b/block/ioprio.c
@@ -150,8 +150,10 @@  static int get_task_ioprio(struct task_struct *p)
 	if (ret)
 		goto out;
 	ret = IOPRIO_PRIO_VALUE(IOPRIO_CLASS_NONE, IOPRIO_NORM);
+	task_lock(p);
 	if (p->io_context)
 		ret = p->io_context->ioprio;
+	task_unlock(p);
 out:
 	return ret;
 }

block: GPF in get_task_ioprio

Commit Message

Comments

Patch