From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, yangerkun <yangerkun@huawei.com>,
Pavel Begunkov <asml.silencec@gmail.com>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 39/47] block: reexpand iov_iter after read/write
Date: Thu, 20 May 2021 11:22:37 +0200 [thread overview]
Message-ID: <20210520092054.806651637@linuxfoundation.org> (raw)
In-Reply-To: <20210520092053.559923764@linuxfoundation.org>
From: yangerkun <yangerkun@huawei.com>
[ Upstream commit cf7b39a0cbf6bf57aa07a008d46cf695add05b4c ]
We get a bug:
BUG: KASAN: slab-out-of-bounds in iov_iter_revert+0x11c/0x404
lib/iov_iter.c:1139
Read of size 8 at addr ffff0000d3fb11f8 by task
CPU: 0 PID: 12582 Comm: syz-executor.2 Not tainted
5.10.0-00843-g352c8610ccd2 #2
Hardware name: linux,dummy-virt (DT)
Call trace:
dump_backtrace+0x0/0x2d0 arch/arm64/kernel/stacktrace.c:132
show_stack+0x28/0x34 arch/arm64/kernel/stacktrace.c:196
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x110/0x164 lib/dump_stack.c:118
print_address_description+0x78/0x5c8 mm/kasan/report.c:385
__kasan_report mm/kasan/report.c:545 [inline]
kasan_report+0x148/0x1e4 mm/kasan/report.c:562
check_memory_region_inline mm/kasan/generic.c:183 [inline]
__asan_load8+0xb4/0xbc mm/kasan/generic.c:252
iov_iter_revert+0x11c/0x404 lib/iov_iter.c:1139
io_read fs/io_uring.c:3421 [inline]
io_issue_sqe+0x2344/0x2d64 fs/io_uring.c:5943
__io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
io_submit_sqe fs/io_uring.c:6395 [inline]
io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
__do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
__se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
__arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Allocated by task 12570:
stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
kasan_save_stack mm/kasan/common.c:48 [inline]
kasan_set_track mm/kasan/common.c:56 [inline]
__kasan_kmalloc+0xdc/0x120 mm/kasan/common.c:461
kasan_kmalloc+0xc/0x14 mm/kasan/common.c:475
__kmalloc+0x23c/0x334 mm/slub.c:3970
kmalloc include/linux/slab.h:557 [inline]
__io_alloc_async_data+0x68/0x9c fs/io_uring.c:3210
io_setup_async_rw fs/io_uring.c:3229 [inline]
io_read fs/io_uring.c:3436 [inline]
io_issue_sqe+0x2954/0x2d64 fs/io_uring.c:5943
__io_queue_sqe+0x19c/0x520 fs/io_uring.c:6260
io_queue_sqe+0x2a4/0x590 fs/io_uring.c:6326
io_submit_sqe fs/io_uring.c:6395 [inline]
io_submit_sqes+0x4c0/0xa04 fs/io_uring.c:6624
__do_sys_io_uring_enter fs/io_uring.c:9013 [inline]
__se_sys_io_uring_enter fs/io_uring.c:8960 [inline]
__arm64_sys_io_uring_enter+0x190/0x708 fs/io_uring.c:8960
__invoke_syscall arch/arm64/kernel/syscall.c:36 [inline]
invoke_syscall arch/arm64/kernel/syscall.c:48 [inline]
el0_svc_common arch/arm64/kernel/syscall.c:158 [inline]
do_el0_svc+0x120/0x290 arch/arm64/kernel/syscall.c:227
el0_svc+0x1c/0x28 arch/arm64/kernel/entry-common.c:367
el0_sync_handler+0x98/0x170 arch/arm64/kernel/entry-common.c:383
el0_sync+0x140/0x180 arch/arm64/kernel/entry.S:670
Freed by task 12570:
stack_trace_save+0x80/0xb8 kernel/stacktrace.c:121
kasan_save_stack mm/kasan/common.c:48 [inline]
kasan_set_track+0x38/0x6c mm/kasan/common.c:56
kasan_set_free_info+0x20/0x40 mm/kasan/generic.c:355
__kasan_slab_free+0x124/0x150 mm/kasan/common.c:422
kasan_slab_free+0x10/0x1c mm/kasan/common.c:431
slab_free_hook mm/slub.c:1544 [inline]
slab_free_freelist_hook mm/slub.c:1577 [inline]
slab_free mm/slub.c:3142 [inline]
kfree+0x104/0x38c mm/slub.c:4124
io_dismantle_req fs/io_uring.c:1855 [inline]
__io_free_req+0x70/0x254 fs/io_uring.c:1867
io_put_req_find_next fs/io_uring.c:2173 [inline]
__io_queue_sqe+0x1fc/0x520 fs/io_uring.c:6279
__io_req_task_submit+0x154/0x21c fs/io_uring.c:2051
io_req_task_submit+0x2c/0x44 fs/io_uring.c:2063
task_work_run+0xdc/0x128 kernel/task_work.c:151
get_signal+0x6f8/0x980 kernel/signal.c:2562
do_signal+0x108/0x3a4 arch/arm64/kernel/signal.c:658
do_notify_resume+0xbc/0x25c arch/arm64/kernel/signal.c:722
work_pending+0xc/0x180
blkdev_read_iter can truncate iov_iter's count since the count + pos may
exceed the size of the blkdev. This will confuse io_read that we have
consume the iovec. And once we do the iov_iter_revert in io_read, we
will trigger the slab-out-of-bounds. Fix it by reexpand the count with
size has been truncated.
blkdev_write_iter can trigger the problem too.
Signed-off-by: yangerkun <yangerkun@huawei.com>
Acked-by: Pavel Begunkov <asml.silencec@gmail.com>
Link: https://lore.kernel.org/r/20210401071807.3328235-1-yangerkun@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
fs/block_dev.c | 20 +++++++++++++++++---
1 file changed, 17 insertions(+), 3 deletions(-)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 718533f0fb90..cacea6bafc22 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1903,6 +1903,7 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
struct inode *bd_inode = bdev_file_inode(file);
loff_t size = i_size_read(bd_inode);
struct blk_plug plug;
+ size_t shorted = 0;
ssize_t ret;
if (bdev_read_only(I_BDEV(bd_inode)))
@@ -1920,12 +1921,17 @@ ssize_t blkdev_write_iter(struct kiocb *iocb, struct iov_iter *from)
if ((iocb->ki_flags & (IOCB_NOWAIT | IOCB_DIRECT)) == IOCB_NOWAIT)
return -EOPNOTSUPP;
- iov_iter_truncate(from, size - iocb->ki_pos);
+ size -= iocb->ki_pos;
+ if (iov_iter_count(from) > size) {
+ shorted = iov_iter_count(from) - size;
+ iov_iter_truncate(from, size);
+ }
blk_start_plug(&plug);
ret = __generic_file_write_iter(iocb, from);
if (ret > 0)
ret = generic_write_sync(iocb, ret);
+ iov_iter_reexpand(from, iov_iter_count(from) + shorted);
blk_finish_plug(&plug);
return ret;
}
@@ -1937,13 +1943,21 @@ ssize_t blkdev_read_iter(struct kiocb *iocb, struct iov_iter *to)
struct inode *bd_inode = bdev_file_inode(file);
loff_t size = i_size_read(bd_inode);
loff_t pos = iocb->ki_pos;
+ size_t shorted = 0;
+ ssize_t ret;
if (pos >= size)
return 0;
size -= pos;
- iov_iter_truncate(to, size);
- return generic_file_read_iter(iocb, to);
+ if (iov_iter_count(to) > size) {
+ shorted = iov_iter_count(to) - size;
+ iov_iter_truncate(to, size);
+ }
+
+ ret = generic_file_read_iter(iocb, to);
+ iov_iter_reexpand(to, iov_iter_count(to) + shorted);
+ return ret;
}
EXPORT_SYMBOL_GPL(blkdev_read_iter);
--
2.30.2
next prev parent reply other threads:[~2021-05-20 9:30 UTC|newest]
Thread overview: 53+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-05-20 9:21 [PATCH 5.10 00/47] 5.10.39-rc1 review Greg Kroah-Hartman
2021-05-20 9:21 ` [PATCH 5.10 01/47] x86/msr: Fix wr/rdmsr_safe_regs_on_cpu() prototypes Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 02/47] drm/i915/display: fix compiler warning about array overrun Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 03/47] airo: work around stack usage warning Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 04/47] kgdb: fix gcc-11 warning on indentation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 05/47] usb: sl811-hcd: improve misleading indentation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 06/47] cxgb4: Fix the -Wmisleading-indentation warning Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 07/47] isdn: capi: fix mismatched prototypes Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 08/47] virtio_net: Do not pull payload in skb->head Greg Kroah-Hartman
2021-05-20 9:22 ` Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 09/47] ARM: 9058/1: cache-v7: refactor v7_invalidate_l1 to avoid clobbering r5/r6 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 10/47] PCI: thunder: Fix compile testing Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 11/47] dmaengine: dw-edma: Fix crash on loading/unloading driver Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 12/47] ARM: 9066/1: ftrace: pause/unpause function graph tracer in cpu_suspend() Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 13/47] ACPI / hotplug / PCI: Fix reference count leak in enable_slot() Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 14/47] PCI: tegra: Fix runtime PM imbalance in pex_ep_event_pex_rst_deassert() Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 15/47] Input: elants_i2c - do not bind to i2c-hid compatible ACPI instantiated devices Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 16/47] Input: silead - add workaround for x86 BIOS-es which bring the chip up in a stuck state Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 17/47] NFS: NFS_INO_REVAL_PAGECACHE should mark the change attribute invalid Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 18/47] um: Mark all kernel symbols as local Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 19/47] um: Disable CONFIG_GCOV with MODULES Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 20/47] PCI: tegra: Add Tegra194 MCFG quirks for ECAM errata Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 21/47] ARM: 9075/1: kernel: Fix interrupted SMC calls Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 22/47] platform/chrome: cros_ec_typec: Add DP mode check Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 23/47] riscv: Use $(LD) instead of $(CC) to link vDSO Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 24/47] scripts/recordmcount.pl: Fix RISC-V regex for clang Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 25/47] riscv: Workaround mcount name prior to clang-13 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 26/47] scsi: lpfc: Fix illegal memory access on Abort IOCBs Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 27/47] ceph: fix fscache invalidation Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 28/47] ceph: dont clobber i_snap_caps on non-I_NEW inode Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 29/47] ceph: dont allow access to MDS-private inodes Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 30/47] scsi: target: tcmu: Return from tcmu_handle_completions() if cmd_id not found Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 31/47] amdgpu/pm: Prevent force of DCEFCLK on NAVI10 and SIENNA_CICHLID Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 32/47] bridge: Fix possible races between assigning rx_handler_data and setting IFF_BRIDGE_PORT bit Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 33/47] net: hsr: check skb can contain struct hsr_ethhdr in fill_frame_info Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 34/47] nvmet: remove unsupported command noise Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 35/47] drm/amd/display: Fix two cursor duplication when using overlay Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 36/47] gpiolib: acpi: Add quirk to ignore EC wakeups on Dell Venue 10 Pro 5055 Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 37/47] net:CXGB4: fix leak if sk_buff is not used Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 38/47] ALSA: hda: generic: change the DAC ctl name for LO+SPK or LO+HP Greg Kroah-Hartman
2021-05-20 9:22 ` Greg Kroah-Hartman [this message]
2021-05-20 9:22 ` [PATCH 5.10 40/47] lib: stackdepot: turn depot_lock spinlock to raw_spinlock Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 41/47] net: stmmac: Do not enable RX FIFO overflow interrupts Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 42/47] ip6_gre: proper dev_{hold|put} in ndo_[un]init methods Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 43/47] sit: " Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 44/47] ip6_tunnel: " Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 45/47] ipv6: remove extra dev_hold() for fallback tunnels Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 46/47] tweewide: Fix most Shebang lines Greg Kroah-Hartman
2021-05-20 9:22 ` [PATCH 5.10 47/47] scripts: switch explicitly to Python 3 Greg Kroah-Hartman
2021-05-20 11:24 ` [PATCH 5.10 00/47] 5.10.39-rc1 review Pavel Machek
2021-05-20 12:32 ` Jon Hunter
2021-05-20 12:59 ` Greg Kroah-Hartman
2021-05-20 14:07 ` Fox Chen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210520092054.806651637@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=asml.silencec@gmail.com \
--cc=axboe@kernel.dk \
--cc=linux-kernel@vger.kernel.org \
--cc=sashal@kernel.org \
--cc=stable@vger.kernel.org \
--cc=yangerkun@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.