From patchwork Thu Feb 17 10:13:20 2022
X-Patchwork-Submitter: Kirill Tkhai
X-Patchwork-Id: 12750077
X-Patchwork-Delegate: snitzer@redhat.com
From: Kirill Tkhai
To: Damien Le Moal, agk@redhat.com, snitzer@redhat.com, dm-devel@redhat.com, linux-kernel@vger.kernel.org
Date: Thu, 17 Feb 2022 13:13:20 +0300
Subject: [dm-devel] [PATCH RESEND v2] dm: Fix use-after-free in dm_cleanup_zoned_dev()
dm_cleanup_zoned_dev() uses queue, so it must be called before
blk_cleanup_disk() starts its killing:

blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()

Otherwise, RCU callback may be executed first, and dm_cleanup_zoned_dev()
touches freed memory:

BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
Call Trace:
 dump_stack_lvl+0x57/0x7d
 print_address_description.constprop.0+0x1f/0x150
 ? dm_cleanup_zoned_dev+0x33/0xd0
 kasan_report.cold+0x7f/0x11b
 ? dm_cleanup_zoned_dev+0x33/0xd0
 dm_cleanup_zoned_dev+0x33/0xd0
 __dm_destroy+0x26a/0x400
 ? dm_blk_ioctl+0x230/0x230
 ? up_write+0xd8/0x270
 dev_remove+0x156/0x1d0
 ctl_ioctl+0x269/0x530
 ? table_clear+0x140/0x140
 ? lock_release+0xb2/0x750
 ? remove_all+0x40/0x40
 ? rcu_read_lock_sched_held+0x12/0x70
 ? lock_downgrade+0x3c0/0x3c0
 ? rcu_read_lock_sched_held+0x12/0x70
 dm_ctl_ioctl+0xa/0x10
 __x64_sys_ioctl+0xb9/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae
RIP: 0033:0x7fb6dfa95c27
Code: 00 00 00 48 8b 05 69 92 0c 00 64 c7 00 26 00 00 00 48 c7 c0 ff ff ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 b8 10 00 00 00 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 39 92 0c 00 f7 d8 64 89 01 48
RSP: 002b:00007fff882c6c28 EFLAGS: 00000206 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fb6dfb73a8e RCX: 00007fb6dfa95c27
RDX: 00007fb6e01d7ca0 RSI: 00000000c138fd04 RDI: 0000000000000003
RBP: 00007fff882c6ce0 R08: 00007fb6dfbc3558 R09: 00007fff882c6a90
R10: 00007fb6dfbc28a2 R11: 0000000000000206 R12: 00007fb6dfbc28a2
R13: 00007fb6dfbc28a2 R14: 00007fb6dfbc28a2 R15: 00007fb6dfbc28a2

Allocated by task 673:
 kasan_save_stack+0x1e/0x40
 __kasan_slab_alloc+0x66/0x80
 kmem_cache_alloc_node+0x1ca/0x460
 blk_alloc_queue+0x33/0x4e0
 __blk_alloc_disk+0x1b/0x60
 dm_create+0x368/0xa20
 dev_create+0xb9/0x170
 ctl_ioctl+0x269/0x530
 dm_ctl_ioctl+0xa/0x10
 __x64_sys_ioctl+0xb9/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

Freed by task 0:
 kasan_save_stack+0x1e/0x40
 kasan_set_track+0x21/0x30
 kasan_set_free_info+0x20/0x30
 __kasan_slab_free+0xfb/0x130
 slab_free_freelist_hook+0x7d/0x150
 kmem_cache_free+0x13c/0x340
 rcu_do_batch+0x2d9/0x820
 rcu_core+0x3b8/0x570
 __do_softirq+0x1c4/0x63d

Last potentially related work creation:
 kasan_save_stack+0x1e/0x40
 __kasan_record_aux_stack+0x96/0xa0
 call_rcu+0xc4/0x8f0
 kobject_put+0xd9/0x270
 disk_release+0xee/0x120
 device_release+0x59/0xf0
 kobject_put+0xd9/0x270
 cleanup_mapped_device+0x12b/0x1b0
 __dm_destroy+0x26a/0x400
 dev_remove+0x156/0x1d0
 ctl_ioctl+0x269/0x530
 dm_ctl_ioctl+0xa/0x10
 __x64_sys_ioctl+0xb9/0xf0
 do_syscall_64+0x3b/0x90
 entry_SYSCALL_64_after_hwframe+0x44/0xae

The buggy address belongs to the object at ffff88805ac6e180
 which belongs to the cache request_queue of size 2992
The buggy address is located 688 bytes inside of
 2992-byte region [ffff88805ac6e180, ffff88805ac6ed30)
The buggy address belongs to the page:
page:000000000837df3c refcount:1 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x5ac68
head:000000000837df3c order:3 compound_mapcount:0 compound_pincount:0
flags: 0xfffffc0010200(slab|head|node=0|zone=1|lastcpupid=0x1fffff)
raw: 000fffffc0010200 0000000000000000 dead000000000122 ffff888001e58280
raw: 0000000000000000 00000000800a000a 00000001ffffffff 0000000000000000
page dumped because: kasan: bad access detected

Memory state around the buggy address:
 ffff88805ac6e300: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ac6e380: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
>ffff88805ac6e400: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
                                     ^
 ffff88805ac6e480: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
 ffff88805ac6e500: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
==================================================================

Fixes: bb37d77239af "dm: introduce zone append emulation"
Signed-off-by: Kirill Tkhai
Reviewed-by: Damien Le Moal
---
v2: Split long commit message line and delete [xxx] time prefix from kernel output.

 drivers/md/dm.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--
dm-devel mailing list
dm-devel@redhat.com
https://listman.redhat.com/mailman/listinfo/dm-devel

diff --git a/drivers/md/dm.c b/drivers/md/dm.c index dcbd6d201619..d472fe5dbc1d 100644 --- a/drivers/md/dm.c +++ b/drivers/md/dm.c @@ -1607,6 +1607,7 @@ static void cleanup_mapped_device(struct mapped_device *md) md->dax_dev = NULL; } + dm_cleanup_zoned_dev(md); if (md->disk) { spin_lock(&_minor_lock); md->disk->private_data = NULL; @@ -1627,7 +1628,6 @@ static void cleanup_mapped_device(struct mapped_device *md) mutex_destroy(&md->swap_bios_lock); dm_mq_cleanup_mapped_device(md); - dm_cleanup_zoned_dev(md); } /*
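Review bot: the relocated `dm_cleanup_zoned_dev(md);` in the first hunk (just ahead of `if (md->disk) {`) carries no comment recording why it has to run there, so the only thing preventing someone from moving it back below the disk teardown, and reintroducing the use-after-free the commit message describes, is the git history. Suggest a one-line comment above the call along the lines of `/* Must run before blk_cleanup_disk(): the queue is freed via RCU. */`, which ties the ordering constraint stated in the commit message (blk_cleanup_disk -> ... -> blk_free_queue_rcu -> kmem_cache_free) to the code itself. The second hunk is just the matching removal of the old call site and needs nothing further.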