linux-stable/fs/erofs
Hongyu Jin 8c697fbd2a erofs: fix use-after-free of on-stack io[]
[ Upstream commit 60b3005011 ]

The root cause is the race as follows:
Thread #1                              Thread #2(irq ctx)

z_erofs_runqueue()
  struct z_erofs_decompressqueue io_A[];
  submit bio A
  z_erofs_decompress_kickoff(,,1)
                                       z_erofs_decompressqueue_endio(bio A)
                                       z_erofs_decompress_kickoff(,,-1)
                                       spin_lock_irqsave()
                                       atomic_add_return()
  io_wait_event()	-> pending_bios is already 0
  [end of function]
                                       wake_up_locked(io_A[]) // crash

Referenced backtrace in kernel 5.4:

[   10.129422] Unable to handle kernel paging request at virtual address eb0454a4
[   10.364157] CPU: 0 PID: 709 Comm: getprop Tainted: G        WC O      5.4.147-ab09225 #1
[   11.556325] [<c01b33b8>] (__wake_up_common) from [<c01b3300>] (__wake_up_locked+0x40/0x48)
[   11.565487] [<c01b3300>] (__wake_up_locked) from [<c044c8d0>] (z_erofs_vle_unzip_kickoff+0x6c/0xc0)
[   11.575438] [<c044c8d0>] (z_erofs_vle_unzip_kickoff) from [<c044c854>] (z_erofs_vle_read_endio+0x16c/0x17c)
[   11.586082] [<c044c854>] (z_erofs_vle_read_endio) from [<c06a80e8>] (clone_endio+0xb4/0x1d0)
[   11.595428] [<c06a80e8>] (clone_endio) from [<c04a1280>] (blk_update_request+0x150/0x4dc)
[   11.604516] [<c04a1280>] (blk_update_request) from [<c06dea28>] (mmc_blk_cqe_complete_rq+0x144/0x15c)
[   11.614640] [<c06dea28>] (mmc_blk_cqe_complete_rq) from [<c04a5d90>] (blk_done_softirq+0xb0/0xcc)
[   11.624419] [<c04a5d90>] (blk_done_softirq) from [<c010242c>] (__do_softirq+0x184/0x56c)
[   11.633419] [<c010242c>] (__do_softirq) from [<c01051e8>] (irq_exit+0xd4/0x138)
[   11.641640] [<c01051e8>] (irq_exit) from [<c010c314>] (__handle_domain_irq+0x94/0xd0)
[   11.650381] [<c010c314>] (__handle_domain_irq) from [<c04fde70>] (gic_handle_irq+0x50/0xd4)
[   11.659641] [<c04fde70>] (gic_handle_irq) from [<c0101b70>] (__irq_svc+0x70/0xb0)

Signed-off-by: Hongyu Jin <hongyu.jin@unisoc.com>
Reviewed-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Reviewed-by: Chao Yu <chao@kernel.org>
Link: https://lore.kernel.org/r/20220401115527.4935-1-hongyu.jin.cn@gmail.com
Signed-off-by: Gao Xiang <hsiangkao@linux.alibaba.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2022-05-09 09:16:28 +02:00
..
compress.h erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
data.c erofs: fix fsdax partition offset handling 2022-01-24 22:36:27 +08:00
decompressor.c erofs: support unaligned data decompression 2021-12-31 00:48:43 +08:00
decompressor_lzma.c erofs: introduce z_erofs_fixup_insize 2021-12-29 06:42:07 +08:00
dir.c erofs: clean up file headers & footers 2021-06-08 00:41:24 +08:00
erofs_fs.h erofs: add on-disk compressed tail-packing inline support 2021-12-31 00:51:10 +08:00
inode.c erofs: use meta buffers for inode operations 2022-01-04 23:44:46 +08:00
internal.h erofs: fix ztailpacking on > 4GiB filesystems 2022-03-02 21:58:45 +08:00
Kconfig erofs: lzma compression support 2021-10-19 23:44:30 +08:00
Makefile erofs: add sysfs interface 2021-12-08 09:40:37 +08:00
namei.c erofs: add fiemap support with iomap 2021-08-19 00:13:43 +08:00
pcpubuf.c erofs: get rid of ->lru usage 2021-10-25 08:22:59 +08:00
super.c dax + libnvdimm for v5.17 2022-01-12 15:46:11 -08:00
sysfs.c fs: erofs: add sanity check for kobject in erofs_unregister_sysfs 2022-04-08 13:57:40 +02:00
tagptr.h erofs: clean up file headers & footers 2021-06-08 00:41:24 +08:00
utils.c erofs: fix deadlock when shrink erofs slab 2021-11-23 14:58:16 +08:00
xattr.c erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
xattr.h erofs: use meta buffers for xattr operations 2022-01-04 23:47:08 +08:00
zdata.c erofs: fix use-after-free of on-stack io[] 2022-05-09 09:16:28 +02:00
zdata.h erofs: fix use-after-free of on-stack io[] 2022-05-09 09:16:28 +02:00
zmap.c erofs: fix small compressed files inlining 2022-02-04 12:37:12 +08:00
zpvec.h erofs: fix unsafe pagevec reuse of hooked pclusters 2021-11-08 10:02:10 +08:00