linux/block
Pavel Begunkov 75feae73a2 block: fix single bio async DIO error handling
BUG: KASAN: use-after-free in io_submit_one+0x496/0x2fe0 fs/aio.c:1882
CPU: 2 PID: 15100 Comm: syz-executor873 Not tainted 5.16.0-rc1-syzk #1
Hardware name: Red Hat KVM, BIOS 1.13.0-2.module+el8.3.0+7860+a7792d29
04/01/2014
Call Trace:
  [...]
  refcount_dec_and_test include/linux/refcount.h:333 [inline]
  iocb_put fs/aio.c:1161 [inline]
  io_submit_one+0x496/0x2fe0 fs/aio.c:1882
  __do_sys_io_submit fs/aio.c:1938 [inline]
  __se_sys_io_submit fs/aio.c:1908 [inline]
  __x64_sys_io_submit+0x1c7/0x4a0 fs/aio.c:1908
  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
  do_syscall_64+0x3a/0x80 arch/x86/entry/common.c:80
  entry_SYSCALL_64_after_hwframe+0x44/0xae

__blkdev_direct_IO_async() returns errors from bio_iov_iter_get_pages()
directly, in which case upper layers won't be expecting ->ki_complete
to be called by the block layer and will terminate the request. However,
there is also bio_endio() leading to a second ->ki_complete and a double
free.

Fixes: 54a88eb838 ("block: add single bio async direct IO helper")
Reported-by: George Kennedy <george.kennedy@oracle.com>
Signed-off-by: Pavel Begunkov <asml.silence@gmail.com>
Link: https://lore.kernel.org/r/c9eb786f6cef041e159e6287de131bec0719ad5c.1638907997.git.asml.silence@gmail.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-12-07 15:07:40 -07:00
partitions for-5.16/bdev-size-2021-10-29 2021-11-01 09:50:37 -07:00
badblocks.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
bdev.c block: avoid to touch unloaded module instance when opening bdev 2021-11-22 18:35:37 -07:00
bfq-cgroup.c block, bfq: fix UAF problem in bfqg_stats_init() 2021-10-19 15:18:30 -06:00
bfq-iosched.c blk-mq: Stop using pointers for blk_mq_tags bitmap tags 2021-10-18 06:17:03 -06:00
bfq-iosched.h block, bfq: cleanup the repeated declaration 2021-08-25 06:45:33 -06:00
bfq-wf2q.c block: Introduce IOPRIO_NR_LEVELS 2021-08-18 07:21:12 -06:00
bio-integrity.c block: convert the rest of block to bdev_get_queue 2021-10-18 06:17:37 -06:00
bio.c block: avoid extra iter advance with async iocb 2021-10-27 06:54:58 -06:00
blk-cgroup-rwstat.c blk-cgroup: Fix the recursive blkg rwstat 2021-03-05 11:32:15 -07:00
blk-cgroup-rwstat.h blk-cgroup: separate out blkg_rwstat under CONFIG_BLK_CGROUP_RWSTAT 2019-11-07 12:28:13 -07:00
blk-cgroup.c blk-cgroup: fix missing put device in error path from blkg_conf_pref() 2021-11-19 06:26:45 -07:00
blk-core.c block: fix parameter not described warning 2021-11-25 09:32:19 -07:00
blk-crypto-fallback.c blk-crypto: rename blk_keyslot_manager to blk_crypto_profile 2021-10-21 10:49:32 -06:00
blk-crypto-internal.h block: move struct request to blk-mq.h 2021-10-18 06:17:02 -06:00
blk-crypto-profile.c blk-crypto: rename blk_keyslot_manager to blk_crypto_profile 2021-10-21 10:49:32 -06:00
blk-crypto.c blk-crypto: rename blk_keyslot_manager to blk_crypto_profile 2021-10-21 10:49:32 -06:00
blk-exec.c block: add a struct io_comp_batch argument to fops->iopoll() 2021-10-18 14:40:40 -06:00
blk-flush.c blk-mq: don't insert FUA request with data into scheduler queue 2021-11-19 06:28:18 -07:00
blk-ia-ranges.c block: fix kerneldoc for disk_register_independent_access__ranges() 2021-11-11 11:52:30 -07:00
blk-integrity.c blk-crypto: rename blk_keyslot_manager to blk_crypto_profile 2021-10-21 10:49:32 -06:00
blk-ioc.c block: remove retry loop in ioc_release_fn() 2020-07-16 10:22:15 -06:00
blk-iocost.c block: convert the rest of block to bdev_get_queue 2021-10-18 06:17:37 -06:00
blk-iolatency.c mm: don't include <linux/blk-cgroup.h> in <linux/backing-dev.h> 2021-10-18 06:17:01 -06:00
blk-ioprio.c block: Introduce the ioprio rq-qos policy 2021-06-21 15:03:40 -06:00
blk-ioprio.h block: Introduce the ioprio rq-qos policy 2021-06-21 15:03:40 -06:00
blk-lib.c block: export blk_next_bio() 2021-06-17 15:51:20 +02:00
blk-map.c Merge branch 'akpm' (patches from Andrew) 2021-09-03 10:08:28 -07:00
blk-merge.c blk-mq: only try to run plug merge if request has same queue with incoming bio 2021-11-03 09:27:57 -06:00
blk-mq-cpumap.c blk-mq: remove the calling of local_memory_node() 2020-10-20 07:08:17 -06:00
blk-mq-debugfs-zoned.c
blk-mq-debugfs.c for-5.16/block-2021-11-09 2021-11-09 11:20:07 -08:00
blk-mq-debugfs.h blk-mq: no need to check return value of debugfs_create functions 2019-06-13 03:00:30 -06:00
blk-mq-pci.c block: Fix blk_mq_*_map_queues() kernel-doc headers 2019-05-31 15:12:34 -06:00
blk-mq-rdma.c block: Fix blk_mq_*_map_queues() kernel-doc headers 2019-05-31 15:12:34 -06:00
blk-mq-sched.c blk-mq: don't grab ->q_usage_counter in blk_mq_sched_bio_merge 2021-11-11 11:52:33 -07:00
blk-mq-sched.h block: clean up blk_mq_submit_bio() merging 2021-10-21 08:27:17 -06:00
blk-mq-sysfs.c block: remove blk-mq-sysfs dead code 2021-08-02 13:37:29 -06:00
blk-mq-tag.c blk-mq: Fix blk_mq_tagset_busy_iter() for shared tags 2021-10-21 08:21:52 -06:00
blk-mq-tag.h block: move blk_mq_tag_to_rq() inline 2021-10-19 05:55:41 -06:00
blk-mq-virtio.c blk-mq: Fix typo in comment 2020-03-17 20:55:21 +01:00
blk-mq.c block: call rq_qos_done() before ref check in batch completions 2021-11-26 09:53:23 -07:00
blk-mq.h blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() 2021-11-15 19:22:13 -07:00
blk-pm.c scsi: block: Fix a race in the runtime power management code 2020-12-09 11:41:41 -05:00
blk-pm.h block: Remove unused blk_pm_*() function definitions 2021-02-22 06:33:48 -07:00
blk-rq-qos.c rq-qos: fix missed wake-ups in rq_qos_throttle try two 2021-06-08 15:12:57 -06:00
blk-rq-qos.h block: only mark bio as tracked if it really is tracked 2021-10-18 08:50:47 -06:00
blk-settings.c block: Fix partition check for host-aware zoned block devices 2021-10-27 06:58:01 -06:00
blk-stat.c blk-stat: make q->stats->lock irqsafe 2020-09-01 16:48:46 -06:00
blk-stat.h
blk-sysfs.c blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() 2021-11-15 19:22:13 -07:00
blk-throttle.c block: convert the rest of block to bdev_get_queue 2021-10-18 06:17:37 -06:00
blk-throttle.h block: move blk-throtl fast path inline 2021-10-18 06:17:03 -06:00
blk-timeout.c block: blk-timeout: delete duplicated word 2020-07-31 16:29:47 -06:00
blk-wbt.c blk-wbt: prevent NULL pointer dereference in wb_timer_fn 2021-10-19 06:13:41 -06:00
blk-wbt.h blk-wbt: introduce a new disable state to prevent false positive by rwb_enabled() 2021-06-21 15:03:41 -06:00
blk-zoned.c block: Hold invalidate_lock in BLKRESETZONE ioctl 2021-11-11 11:52:46 -07:00
blk.h blk-mq: don't insert FUA request with data into scheduler queue 2021-11-19 06:28:18 -07:00
bounce.c mm: don't include <linux/blk-cgroup.h> in <linux/backing-dev.h> 2021-10-18 06:17:01 -06:00
bsg-lib.c bsg-lib: initialize the bsg_job in bsg_transport_sg_io_fn 2021-10-22 08:33:57 -06:00
bsg.c scsi: bsg: Fix device unregistration 2021-09-14 00:22:15 -04:00
disk-events.c block: return errors from disk_alloc_events 2021-08-23 12:55:45 -06:00
elevator.c block: avoid to quiesce queue in elevator_init_mq 2021-11-17 07:43:26 -07:00
elevator.h block: move elevator.h to block/ 2021-10-18 06:17:01 -06:00
fops.c block: fix single bio async DIO error handling 2021-12-07 15:07:40 -07:00
genhd.c blk-mq: cancel blk-mq dispatch work in both blk_cleanup_queue and disk_release() 2021-11-15 19:22:13 -07:00
holder.c block: drop unused includes in <linux/genhd.h> 2021-10-18 06:17:02 -06:00
ioctl.c block: Hold invalidate_lock in BLKZEROOUT ioctl 2021-11-09 12:41:12 -07:00
ioprio.c block: Check ADMIN before NICE for IOPRIO_CLASS_RT 2021-11-15 14:28:59 -07:00
Kconfig block: move menu "Partition type" to block/partitions/Kconfig 2021-10-18 06:17:35 -06:00
Kconfig.iosched block: simplify Kconfig files 2021-10-18 06:17:35 -06:00
kyber-iosched.c blk-mq: Stop using pointers for blk_mq_tags bitmap tags 2021-10-18 06:17:03 -06:00
Makefile block: Add independent access ranges support 2021-10-26 20:36:47 -06:00
mq-deadline.c blk-mq: Stop using pointers for blk_mq_tags bitmap tags 2021-10-18 06:17:03 -06:00
opal_proto.h block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
sed-opal.c block: sed-opal: Change the check condition for regular session validity 2020-03-12 08:00:10 -06:00
t10-pi.c block: move integrity handling out of <linux/blkdev.h> 2021-10-18 06:17:02 -06:00