mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-30 14:19:16 +00:00
Code Issues Releases Wiki Activity
linux-stable/fs
History
Mike Krinkin 7ddc971f86 block: fix use-after-free in dio_bio_complete 
kasan reported the following error when i ran xfstest:

[  701.826854] ==================================================================
[  701.826864] BUG: KASAN: use-after-free in dio_bio_complete+0x41a/0x600 at addr ffff880080b95f94
[  701.826870] Read of size 4 by task loop2/3874
[  701.826879] page:ffffea000202e540 count:0 mapcount:0 mapping:          (null) index:0x0
[  701.826890] flags: 0x100000000000000()
[  701.826895] page dumped because: kasan: bad access detected
[  701.826904] CPU: 3 PID: 3874 Comm: loop2 Tainted: G    B   W    L  4.5.0-rc1-next-20160129 #83
[  701.826910] Hardware name: LENOVO 23205NG/23205NG, BIOS G2ET95WW (2.55 ) 07/09/2013
[  701.826917]  ffff88008fadf800 ffff88008fadf758 ffffffff81ca67bb 0000000041b58ab3
[  701.826941]  ffffffff830d1e74 ffffffff81ca6724 ffff88008fadf748 ffffffff8161c05c
[  701.826963]  0000000000000282 ffff88008fadf800 ffffed0010172bf2 ffffea000202e540
[  701.826987] Call Trace:
[  701.826997]  [<ffffffff81ca67bb>] dump_stack+0x97/0xdc
[  701.827005]  [<ffffffff81ca6724>] ? _atomic_dec_and_lock+0xc4/0xc4
[  701.827014]  [<ffffffff8161c05c>] ? __dump_page+0x32c/0x490
[  701.827023]  [<ffffffff816b0d03>] kasan_report_error+0x5f3/0x8b0
[  701.827033]  [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
[  701.827040]  [<ffffffff816b1119>] __asan_report_load4_noabort+0x59/0x80
[  701.827048]  [<ffffffff817c302a>] ? dio_bio_complete+0x41a/0x600
[  701.827053]  [<ffffffff817c302a>] dio_bio_complete+0x41a/0x600
[  701.827057]  [<ffffffff81bd19c8>] ? blk_queue_exit+0x108/0x270
[  701.827060]  [<ffffffff817c32b0>] dio_bio_end_aio+0xa0/0x4d0
[  701.827063]  [<ffffffff817c3210>] ? dio_bio_complete+0x600/0x600
[  701.827067]  [<ffffffff81bd2806>] ? blk_account_io_completion+0x316/0x5d0
[  701.827070]  [<ffffffff81bafe89>] bio_endio+0x79/0x200
[  701.827074]  [<ffffffff81bd2c9f>] blk_update_request+0x1df/0xc50
[  701.827078]  [<ffffffff81c02c27>] blk_mq_end_request+0x57/0x120
[  701.827081]  [<ffffffff81c03670>] __blk_mq_complete_request+0x310/0x590
[  701.827084]  [<ffffffff812348d8>] ? set_next_entity+0x2f8/0x2ed0
[  701.827088]  [<ffffffff8124b34d>] ? put_prev_entity+0x22d/0x2a70
[  701.827091]  [<ffffffff81c0394b>] blk_mq_complete_request+0x5b/0x80
[  701.827094]  [<ffffffff821e2a33>] loop_queue_work+0x273/0x19d0
[  701.827098]  [<ffffffff811f6578>] ? finish_task_switch+0x1c8/0x8e0
[  701.827101]  [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
[  701.827104]  [<ffffffff821e27c0>] ? lo_read_simple+0x890/0x890
[  701.827108]  [<ffffffff8129dd60>] ? debug_check_no_locks_freed+0x350/0x350
[  701.827111]  [<ffffffff811f63b0>] ? __hrtick_start+0x130/0x130
[  701.827115]  [<ffffffff82a0c8f6>] ? __schedule+0x936/0x20b0
[  701.827118]  [<ffffffff811dd6bd>] ? kthread_worker_fn+0x3ed/0x8d0
[  701.827121]  [<ffffffff811dd4ed>] ? kthread_worker_fn+0x21d/0x8d0
[  701.827125]  [<ffffffff8129d058>] ? trace_hardirqs_on_caller+0x18/0x6c0
[  701.827128]  [<ffffffff811dd57f>] kthread_worker_fn+0x2af/0x8d0
[  701.827132]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
[  701.827135]  [<ffffffff82a1ea46>] ? _raw_spin_unlock_irqrestore+0x36/0x60
[  701.827138]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
[  701.827141]  [<ffffffff811dd2d0>] ? __init_kthread_worker+0x170/0x170
[  701.827144]  [<ffffffff811dd00b>] kthread+0x24b/0x3a0
[  701.827148]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
[  701.827151]  [<ffffffff8129d70d>] ? trace_hardirqs_on+0xd/0x10
[  701.827155]  [<ffffffff8116d41d>] ? do_group_exit+0xdd/0x350
[  701.827158]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
[  701.827161]  [<ffffffff82a1f52f>] ret_from_fork+0x3f/0x70
[  701.827165]  [<ffffffff811dcdc0>] ? kthread_create_on_node+0x4c0/0x4c0
[  701.827167] Memory state around the buggy address:
[  701.827170]  ffff880080b95e80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  701.827172]  ffff880080b95f00: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  701.827175] >ffff880080b95f80: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  701.827177]                          ^
[  701.827179]  ffff880080b96000: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  701.827182]  ffff880080b96080: ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff
[  701.827183] ==================================================================

The problem is that bio_check_pages_dirty calls bio_put, so we must
not access bio fields after bio_check_pages_dirty.

Fixes: 9b81c84235 ("block: don't access bio->bi_error after bio_put()").
Signed-off-by: Mike Krinkin <krinkin.m.u@gmail.com>
Cc: stable@vger.kernel.org
Signed-off-by: Jens Axboe <axboe@fb.com>
2016-01-30 22:02:10 -07:00
..
9p wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
adfs fs/adfs/adfs.h: tidy up comments 2016-01-20 17:09:18 -08:00
affs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
afs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
autofs4 switch ->get_link() to delayed_call, kill ->put_link() 2015-12-30 13:01:03 -05:00
befs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
bfs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
btrfs Merge branch 'for-linus-4.5' of git://git.kernel.org/pub/scm/linux/kernel/git/mason/linux-btrfs 2016-01-29 15:46:49 -08:00
cachefiles wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
ceph Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/sage/ceph-client 2016-01-24 12:34:13 -08:00
cifs Merge branch 'for-next' of git://git.samba.org/sfrench/cifs-2.6 2016-01-24 12:31:12 -08:00
coda Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
configfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
cramfs don't put symlink bodies in pagecache into highmem 2015-12-08 22:41:36 -05:00
debugfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
devpts wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
dlm [regression] fix braino in fs/dlm/user.c 2016-01-21 17:45:15 -05:00
ecryptfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
efivarfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
efs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
exofs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
exportfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
ext2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
ext4 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
f2fs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
fat wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
freevxfs don't put symlink bodies in pagecache into highmem 2015-12-08 22:41:36 -05:00
fscache FS-Cache: Handle a write to the page immediately beyond the EOF marker 2015-11-11 02:11:02 -05:00
fuse wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
gfs2 wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
hfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
hfsplus wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
hostfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
hpfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
hugetlbfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
isofs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
jbd2 fs: use block_device name vsprintf helper 2016-01-06 13:03:18 -05:00
jffs2 Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
jfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
kernfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
lockd lockd: constify nlmsvc_binding structure 2016-01-07 10:10:50 -05:00
logfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
minix kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
ncpfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
nfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
nfs_common
nfsd wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
nilfs2 wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
nls
notify fsnotify: destroy marks with call_srcu instead of dedicated thread 2016-01-14 16:00:49 -08:00
ntfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
ocfs2 wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
omfs
openpromfs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
overlayfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
proc wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
pstore wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
qnx4 kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
qnx6 kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
quota wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
ramfs don't put symlink bodies in pagecache into highmem 2015-12-08 22:41:36 -05:00
reiserfs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
romfs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
squashfs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
sysfs platform/chrome: Branch for v4.4 2015-11-13 21:53:18 -08:00
sysv kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
tracefs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
ubifs wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
udf Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
ufs kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
xfs Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
aio.c
anon_inodes.c
attr.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
bad_inode.c fs/bad_inode.c: is_bad_inode can be boolean 2015-12-06 21:17:14 -05:00
binfmt_aout.c
binfmt_elf.c ELF: Also pass any interpreter's file header to `arch_check_elf' 2016-01-20 00:39:20 +01:00
binfmt_elf_fdpic.c libnvdimm for 4.4: 2015-11-10 12:07:22 -08:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
binfmt_script.c
block_dev.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
buffer.c fs: use block_device name vsprintf helper 2016-01-06 13:03:18 -05:00
char_dev.c
compat.c saner calling conventions for copy_mount_options() 2016-01-04 10:28:32 -05:00
compat_binfmt_elf.c
compat_ioctl.c Merge branch 'work.misc' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-12 17:11:47 -08:00
coredump.c fs/coredump: prevent "" / "." / ".." core path components 2016-01-20 17:09:18 -08:00
dax.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
dcache.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
dcookies.c
direct-io.c block: fix use-after-free in dio_bio_complete 2016-01-30 22:02:10 -07:00
drop_caches.c
eventfd.c Documentation: filesystem: Fix typo in fs/eventfd.c 2015-12-08 14:52:03 +01:00
eventpoll.c epoll: add EPOLLEXCLUSIVE flag 2016-01-20 17:09:18 -08:00
exec.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
fcntl.c fcntl: allow to set O_DIRECT flag on pipe 2016-01-09 02:55:37 -05:00
fhandle.c
file.c kmemcg: account certain kmem allocations to memcg 2016-01-14 16:00:49 -08:00
file_table.c
filesystems.c find_filesystem(): simplify comparison 2016-01-19 12:02:23 -05:00
fs-writeback.c cgroup, memcg, writeback: drop spurious rcu locking around mem_cgroup_css_from_page() 2016-01-15 17:56:32 -08:00
fs_pin.c
fs_struct.c
inode.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs 2016-01-23 12:24:56 -08:00
internal.h Merge branch 'for-linus' into work.misc 2016-01-08 21:20:11 -05:00
ioctl.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
Kconfig dax: re-enable dax pmd mappings 2016-01-15 17:56:32 -08:00
Kconfig.binfmt
libfs.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
locks.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
Makefile ext4: promote ext4 over ext2 in the default probe order 2015-10-15 10:33:21 -04:00
mbcache.c
mount.h
mpage.c mm, fs: introduce mapping_gfp_constraint() 2015-11-06 17:50:42 -08:00
namei.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
namespace.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
no-block.c
nsfs.c
open.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
pipe.c pipe: limit the per-user amount of pages allocated in pipes 2016-01-19 19:25:21 -05:00
pnode.c
pnode.h
posix_acl.c xattr handlers: Simplify list operation 2015-12-13 19:46:12 -05:00
proc_namespace.c vfs: show_vfsstat: remove redundant initialization and check of error code 2015-12-06 21:17:16 -05:00
read_write.c vfs: abort dedupe loop if fatal signals are pending 2016-01-22 20:29:55 -05:00
readdir.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
select.c poll: plug an unused argument to do_poll 2016-01-06 08:26:52 -05:00
seq_file.c fs, seqfile: always allow oom killer 2015-11-06 17:50:42 -08:00
signalfd.c
splice.c fs: __generic_file_splice_read retry lookup on AOP_TRUNCATED_PAGE 2016-01-09 02:55:35 -05:00
stack.c
stat.c fs/stat.c: drop the last new_valid_dev check 2016-01-16 11:17:23 -08:00
statfs.c
super.c Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jikos/trivial 2016-01-14 17:04:19 -08:00
sync.c fs/sync.c: make sync_file_range(2) use WB_SYNC_NONE writeback 2015-11-06 17:50:42 -08:00
timerfd.c
userfaultfd.c
utimes.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00
xattr.c wrappers for ->i_mutex access 2016-01-22 18:04:28 -05:00