linux

iv/linux

History

Sasha Levin 9b81c84235 block: don't access bio->bi_error after bio_put() Commit `4246a0b6` ("block: add a bi_error field to struct bio") has added a few dereferences of 'bio' after a call to bio_put(). This causes use-after-frees such as: [521120.719695] BUG: KASan: use after free in dio_bio_complete+0x2b3/0x320 at addr ffff880f36b38714 [521120.720638] Read of size 4 by task mount.ocfs2/9644 [521120.721212] ============================================================================= [521120.722056] BUG kmalloc-256 (Not tainted): kasan: bad access detected [521120.722968] ----------------------------------------------------------------------------- [521120.722968] [521120.723915] Disabling lock debugging due to kernel taint [521120.724539] INFO: Slab 0xffffea003cdace00 objects=32 used=25 fp=0xffff880f36b38600 flags=0x46fffff80004080 [521120.726037] INFO: Object 0xffff880f36b38700 @offset=1792 fp=0xffff880f36b38800 [521120.726037] [521120.726974] Bytes b4 ffff880f36b386f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.727898] Object ffff880f36b38700: 00 88 b3 36 0f 88 ff ff 00 00 d8 de 0b 88 ff ff ...6............ [521120.728822] Object ffff880f36b38710: 02 00 00 f0 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.729705] Object ffff880f36b38720: 01 00 00 00 00 00 00 00 00 00 00 00 01 00 00 00 ................ [521120.730623] Object ffff880f36b38730: 00 00 00 00 00 00 00 00 01 00 00 00 00 02 00 00 ................ [521120.731621] Object ffff880f36b38740: 00 02 00 00 01 00 00 00 d0 f7 87 ad ff ff ff ff ................ [521120.732776] Object ffff880f36b38750: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.733640] Object ffff880f36b38760: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.734508] Object ffff880f36b38770: 01 00 03 00 01 00 00 00 88 87 b3 36 0f 88 ff ff ...........6.... [521120.735385] Object ffff880f36b38780: 00 73 22 ad 02 88 ff ff 40 13 e0 3c 00 ea ff ff .s".....@..<.... [521120.736667] Object ffff880f36b38790: 00 02 00 00 00 04 00 00 00 00 00 00 00 00 00 00 ................ [521120.737596] Object ffff880f36b387a0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.738524] Object ffff880f36b387b0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.739388] Object ffff880f36b387c0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.740277] Object ffff880f36b387d0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.741187] Object ffff880f36b387e0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.742233] Object ffff880f36b387f0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ [521120.743229] CPU: 41 PID: 9644 Comm: mount.ocfs2 Tainted: G B 4.2.0-rc6-next-20150810-sasha-00039-gf909086 #2420 [521120.744274] ffff880f36b38000 ffff880d89c8f638 ffffffffb6e9ba8a ffff880101c0e5c0 [521120.745025] ffff880d89c8f668 ffffffffad76a313 ffff880101c0e5c0 ffffea003cdace00 [521120.745908] ffff880f36b38700 ffff880f36b38798 ffff880d89c8f690 ffffffffad772854 [521120.747063] Call Trace: [521120.747520] dump_stack (lib/dump_stack.c:52) [521120.748053] print_trailer (mm/slub.c:653) [521120.748582] object_err (mm/slub.c:660) [521120.749079] kasan_report_error (include/linux/kasan.h:20 mm/kasan/report.c:152 mm/kasan/report.c:194) [521120.750834] __asan_report_load4_noabort (mm/kasan/report.c:250) [521120.753580] dio_bio_complete (fs/direct-io.c:478) [521120.755752] do_blockdev_direct_IO (fs/direct-io.c:494 fs/direct-io.c:1291) [521120.759765] __blockdev_direct_IO (fs/direct-io.c:1322) [521120.761658] blkdev_direct_IO (fs/block_dev.c:162) [521120.762993] generic_file_read_iter (mm/filemap.c:1738) [521120.767405] blkdev_read_iter (fs/block_dev.c:1649) [521120.768556] __vfs_read (fs/read_write.c:423 fs/read_write.c:434) [521120.772126] vfs_read (fs/read_write.c:454) [521120.773118] SyS_pread64 (fs/read_write.c:607 fs/read_write.c:594) [521120.776062] entry_SYSCALL_64_fastpath (arch/x86/entry/entry_64.S:186) [521120.777375] Memory state around the buggy address: [521120.778118] ffff880f36b38600: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [521120.779211] ffff880f36b38680: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [521120.780315] >ffff880f36b38700: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [521120.781465] ^ [521120.782083] ffff880f36b38780: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb [521120.783717] ffff880f36b38800: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc [521120.784818] ================================================================== This patch fixes a few of those places that I caught while auditing the patch, but the original patch should be audited further for more occurences of this issue since I'm not too familiar with the code. Signed-off-by: Sasha Levin <sasha.levin@oracle.com> Signed-off-by: Jens Axboe <axboe@fb.com>		2015-08-11 11:34:32 -06:00
..
9p	9p: don't leave a half-initialized inode sitting around	2015-07-12 11:22:05 -04:00
adfs	fs/adfs: remove unneeded cast	2015-06-30 19:44:57 -07:00
affs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
afs	net: Add a struct net parameter to sock_create_kern	2015-05-11 10:50:17 -04:00
autofs4	make simple_positive() public	2015-06-23 18:02:01 -04:00
befs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
bfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-04-26 17:22:07 -07:00
btrfs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
cachefiles	Merge branch 'fscache-fixes' into for-next	2015-06-23 18:01:30 -04:00
ceph	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
cifs	cifs: Unset CIFS_MOUNT_POSIX_PATHS flag when following dfs mounts	2015-06-29 14:50:22 -05:00
coda	fs: cleanup slight list_entry abuse	2015-06-23 18:01:59 -04:00
configfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
cramfs
debugfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
devpts	devpts: if initialization failed, don't crash when opening /dev/ptmx	2015-06-30 19:44:58 -07:00
dlm	net: Add a struct net parameter to sock_create_kern	2015-05-11 10:50:17 -04:00
ecryptfs	ioctl_compat: handle FITRIM	2015-07-09 11:42:21 -07:00
efivarfs	Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2015-05-06 10:57:37 -07:00
efs	fs/efs: femove unneeded cast	2015-06-25 17:00:42 -07:00
exofs	pagemap.h: move dir_pages() over there	2015-06-23 18:02:00 -04:00
exportfs
ext2	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
ext3	Merge branch 'for_linus' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs	2015-06-24 20:07:10 -07:00
ext4	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
f2fs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
fat	writeback: separate out include/linux/backing-dev-defs.h	2015-06-02 08:33:34 -06:00
freevxfs	pagemap.h: move dir_pages() over there	2015-06-23 18:02:00 -04:00
fscache
fuse	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
gfs2	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
hfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
hfsplus	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
hostfs	Merge branch 'for-linus-1' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-06-22 12:51:21 -07:00
hpfs	hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead	2015-07-09 13:35:31 -07:00
hugetlbfs	mm/hugetlb: reduce arch dependent code about hugetlb_prefault_arch_hook	2015-06-24 17:49:41 -07:00
isofs
jbd
jbd2	Revert "jbd2: speedup jbd2_journal_dirty_metadata()"	2015-06-27 09:41:50 -07:00
jffs2	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
jfs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
kernfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2015-07-03 15:20:57 -07:00
lockd	nfsd: eliminate NFSD_DEBUG	2015-04-21 16:16:02 -04:00
logfs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
minix	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
ncpfs	ncpfs: successful rename() should invalidate caches for parents	2015-06-14 11:31:39 -04:00
nfs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
nfs_common
nfsd	nfsd: wrap too long lines in nfsd4_encode_read	2015-06-22 14:15:05 -04:00
nilfs2	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
nls
notify	fs/notify: don't use module_init for non-modular inotify_user code	2015-06-16 14:12:34 -04:00
ntfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
ocfs2	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
omfs	omfs: fix potential integer overflow in allocator	2015-05-28 18:25:19 -07:00
openpromfs
overlayfs	fix a braino in ovl_d_select_inode()	2015-07-12 11:22:05 -04:00
proc	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
pstore	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2015-07-03 15:20:57 -07:00
qnx4
qnx6	pagemap.h: move dir_pages() over there	2015-06-23 18:02:00 -04:00
quota	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-04-26 17:22:07 -07:00
ramfs
reiserfs	Merge branch 'akpm' (patches from Andrew)	2015-06-26 09:52:05 -07:00
romfs
squashfs	fs: cleanup slight list_entry abuse	2015-06-23 18:01:59 -04:00
sysfs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2015-07-03 15:20:57 -07:00
sysv	pagemap.h: move dir_pages() over there	2015-06-23 18:02:00 -04:00
tracefs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
ubifs	This pull request includes the following UBI/UBIFS changes:	2015-06-25 14:11:34 -07:00
udf	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
ufs	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
xfs	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
aio.c
anon_inodes.c
attr.c
bad_inode.c
binfmt_aout.c
binfmt_elf_fdpic.c
binfmt_elf.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
binfmt_em86.c
binfmt_flat.c
binfmt_misc.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-04-26 17:22:07 -07:00
binfmt_script.c
block_dev.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
buffer.c	block: manipulate bio->bi_flags through helpers	2015-07-29 08:55:20 -06:00
char_dev.c
compat_binfmt_elf.c
compat_ioctl.c	ioctl_compat: handle FITRIM	2015-07-09 11:42:21 -07:00
compat.c
coredump.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
dax.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
dcache.c	freeing unlinked file indefinitely delayed	2015-07-12 11:27:04 -04:00
dcookies.c
direct-io.c	block: don't access bio->bi_error after bio_put()	2015-08-11 11:34:32 -06:00
drop_caches.c
eventfd.c
eventpoll.c
exec.c	parisc,metag: Fix crashes due to stack randomization on stack-grows-upwards architectures	2015-05-12 22:03:44 +02:00
fcntl.c
fhandle.c	vfs: read file_handle only once in handle_to_path	2015-06-02 10:29:07 -07:00
file_table.c	remove the pointless include of lglock.h	2015-06-23 18:02:00 -04:00
file.c	fs/file.c: __fget() and dup2() atomicity rules	2015-07-01 02:31:08 -04:00
filesystems.c
fs_pin.c
fs_struct.c
fs-writeback.c	writeback: do foreign inode detection iff cgroup writeback is enabled	2015-06-17 12:47:37 -06:00
inode.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
internal.h	overlayfs: Make f_path always point to the overlay and f_inode to the underlay	2015-06-19 03:19:32 -04:00
ioctl.c
Kconfig
Kconfig.binfmt
libfs.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
locks.c	locks: inline posix_lock_file_wait and flock_lock_file_wait	2015-07-13 06:29:11 -04:00
Makefile	um: Remove hppfs	2015-05-31 13:23:08 +02:00
mbcache.c
mount.h	fs: use seq_open_private() for proc_mounts	2015-06-30 19:44:56 -07:00
mpage.c	block: add a bi_error field to struct bio	2015-07-29 08:55:15 -06:00
namei.c	namei: make set_root_rcu() return void	2015-06-29 12:07:04 -04:00
namespace.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/ebiederm/user-namespace	2015-07-03 15:20:57 -07:00
no-block.c
nsfs.c
open.c	fs: Call security_ops->inode_killpriv on truncate	2015-06-23 18:01:09 -04:00
pipe.c
pnode.c
pnode.h
posix_acl.c	fs/posix_acl.c: make posix_acl_create() safer and cleaner	2015-06-23 18:01:07 -04:00
proc_namespace.c	fs: use seq_open_private() for proc_mounts	2015-06-30 19:44:56 -07:00
read_write.c
readdir.c
select.c	locking/arch: Rename set_mb() to smp_store_mb()	2015-05-19 08:32:00 +02:00
seq_file.c	Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2015-07-04 19:36:06 -07:00
signalfd.c
splice.c	Merge branch 'akpm' (patches from Andrew)	2015-06-24 20:47:21 -07:00
stack.c
stat.c
statfs.c
super.c	fs:super:get_anon_bdev: fix race condition could cause dev exceed its upper limitation	2015-07-01 01:50:06 -04:00
sync.c
timerfd.c
utimes.c
xattr.c	evm: fix potential race when removing xattrs	2015-05-21 13:28:47 -04:00