GitHub-Mirror/Star64_linux

mirror of https://github.com/Fishwaldo/Star64_linux.git synced 2025-03-15 19:55:32 +00:00

No description

Find a file

Baokun Li 3c6fc37be2 writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs [ Upstream commit `1ba1199ec5` ] KASAN report null-ptr-deref: ================================================================== BUG: KASAN: null-ptr-deref in bdi_split_work_to_wbs+0x5c5/0x7b0 Write of size 8 at addr 0000000000000000 by task sync/943 CPU: 5 PID: 943 Comm: sync Tainted: 6.3.0-rc5-next-20230406-dirty #461 Call Trace: <TASK> dump_stack_lvl+0x7f/0xc0 print_report+0x2ba/0x340 kasan_report+0xc4/0x120 kasan_check_range+0x1b7/0x2e0 __kasan_check_write+0x24/0x40 bdi_split_work_to_wbs+0x5c5/0x7b0 sync_inodes_sb+0x195/0x630 sync_inodes_one_sb+0x3a/0x50 iterate_supers+0x106/0x1b0 ksys_sync+0x98/0x160 [...] ================================================================== The race that causes the above issue is as follows: cpu1 cpu2 -------------------------\|------------------------- inode_switch_wbs INIT_WORK(&isw->work, inode_switch_wbs_work_fn) queue_rcu_work(isw_wq, &isw->work) // queue_work async inode_switch_wbs_work_fn wb_put_many(old_wb, nr_switched) percpu_ref_put_many ref->data->release(ref) cgwb_release queue_work(cgwb_release_wq, &wb->release_work) // queue_work async &wb->release_work cgwb_release_workfn ksys_sync iterate_supers sync_inodes_one_sb sync_inodes_sb bdi_split_work_to_wbs kmalloc(sizeof(*work), GFP_ATOMIC) // alloc memory failed percpu_ref_exit ref->data = NULL kfree(data) wb_get(wb) percpu_ref_get(&wb->refcnt) percpu_ref_get_many(ref, 1) atomic_long_add(nr, &ref->data->count) atomic64_add(i, v) // trigger null-ptr-deref bdi_split_work_to_wbs() traverses &bdi->wb_list to split work into all wbs. If the allocation of new work fails, the on-stack fallback will be used and the reference count of the current wb is increased afterwards. If cgroup writeback membership switches occur before getting the reference count and the current wb is released as old_wd, then calling wb_get() or wb_put() will trigger the null pointer dereference above. This issue was introduced in v4.3-rc7 (see fix tag1). Both sync_inodes_sb() and __writeback_inodes_sb_nr() calls to bdi_split_work_to_wbs() can trigger this issue. For scenarios called via sync_inodes_sb(), originally commit `7fc5854f8c` ("writeback: synchronize sync(2) against cgroup writeback membership switches") reduced the possibility of the issue by adding wb_switch_rwsem, but in v5.14-rc1 (see fix tag2) removed the "inode_io_list_del_locked(inode, old_wb)" from inode_switch_wbs_work_fn() so that wb->state contains WB_has_dirty_io, thus old_wb is not skipped when traversing wbs in bdi_split_work_to_wbs(), and the issue becomes easily reproducible again. To solve this problem, percpu_ref_exit() is called under RCU protection to avoid race between cgwb_release_workfn() and bdi_split_work_to_wbs(). Moreover, replace wb_get() with wb_tryget() in bdi_split_work_to_wbs(), and skip the current wb if wb_tryget() fails because the wb has already been shutdown. Link: https://lkml.kernel.org/r/20230410130826.1492525-1-libaokun1@huawei.com Fixes: `b817525a4a` ("writeback: bdi_writeback iteration must not skip dying ones") Signed-off-by: Baokun Li <libaokun1@huawei.com> Reviewed-by: Jan Kara <jack@suse.cz> Acked-by: Tejun Heo <tj@kernel.org> Cc: Alexander Viro <viro@zeniv.linux.org.uk> Cc: Andreas Dilger <adilger.kernel@dilger.ca> Cc: Christian Brauner <brauner@kernel.org> Cc: Dennis Zhou <dennis@kernel.org> Cc: Hou Tao <houtao1@huawei.com> Cc: yangerkun <yangerkun@huawei.com> Cc: Zhang Yi <yi.zhang@huawei.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: <stable@vger.kernel.org> Signed-off-by: Andrew Morton <akpm@linux-foundation.org> Signed-off-by: Sasha Levin <sashal@kernel.org>		2023-06-06 18:34:53 +08:00
arch	KVM: nVMX: Emulate NOPs in L2, and PAUSE if it's not intercepted	2023-06-06 18:34:53 +08:00
block	blk-crypto: make blk_crypto_evict_key() more robust	2023-06-06 18:34:51 +08:00
certs	certs/blacklist_hashes.c: fix const confusion in certs blacklist	2023-04-19 17:50:34 +08:00
crypto	crypto: api - Demote BUG_ON() in crypto_unregister_alg() to a WARN_ON()	2023-06-06 18:34:52 +08:00
Documentation	riscv: Move early dtb mapping into the fixmap region	2023-06-06 18:19:52 +08:00
drivers	crypto: safexcel - Cleanup ring IRQ workqueues on load failure	2023-06-06 18:34:52 +08:00
fs	writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs	2023-06-06 18:34:53 +08:00
include	tick/nohz: Fix cpu_is_hotpluggable() by checking with nohz subsystem	2023-06-06 18:34:51 +08:00
init	kbuild: Add CONFIG_PAHOLE_VERSION	2023-04-19 17:59:33 +08:00
io_uring	io_uring: avoid null-ptr-deref in io_arm_poll_handler	2023-04-19 18:00:57 +08:00
ipc	ipc/sem: Fix dangling sem_array access in semtimedop race	2023-04-19 17:56:54 +08:00
kernel	relayfs: fix out-of-bounds access in relay_file_read	2023-06-06 18:34:53 +08:00
lib	kobject: Fix slab-out-of-bounds in fill_kobj_path()	2023-04-19 18:00:00 +08:00
LICENSES	LICENSES/dual/CC-BY-4.0: Git rid of "smart quotes"	2021-07-15 06:31:24 -06:00
mm	writeback, cgroup: fix null-ptr-deref write in bdi_split_work_to_wbs	2023-06-06 18:34:53 +08:00
net	bluetooth: Perform careful capability checks in hci_sock_ioctl()	2023-06-06 18:07:05 +08:00
samples	samples: vfio-mdev: Fix missing pci_disable_device() in mdpy_fb_probe()	2023-04-19 17:57:46 +08:00
scripts	ASN.1: Fix check for strdup() success	2023-06-06 18:06:47 +08:00
security	IMA: allow/fix UML builds	2023-06-06 18:34:50 +08:00
sound	ASoC: Intel: bytcr_rt5640: Add quirk for the Acer Iconia One 7 B1-750	2023-06-06 18:34:49 +08:00
tools	selftests mount: Fix mount_setattr_test builds failed	2023-06-06 18:34:49 +08:00
usr	usr/include/Makefile: add linux/nfc.h to the compile-test coverage	2023-04-19 17:44:58 +08:00
virt	KVM: fix memoryleak in kvm_init()	2023-04-19 18:00:47 +08:00
.clang-format	clang-format: Update with the latest for_each macro list	2021-05-12 23:32:39 +02:00
.cocciconfig
.get_maintainer.ignore
.gitattributes	.gitattributes: use 'dts' diff driver for dts files	2019-12-04 19:44:11 -08:00
.gitignore	.gitignore: ignore only top-level modules.builtin	2021-05-02 00:43:35 +09:00
.mailmap	mailmap: add Andrej Shadura	2021-10-18 20:22:03 -10:00
COPYING	COPYING: state that all contributions really are covered by this file	2020-02-10 13:32:20 -08:00
CREDITS	MAINTAINERS: Move Daniel Drake to credits	2021-09-21 08:34:58 +03:00
Kbuild	kbuild: rename hostprogs-y/always to hostprogs/always-y	2020-02-04 01:53:07 +09:00
Kconfig	kbuild: ensure full rebuild when the compiler is updated	2020-05-12 13:28:33 +09:00
MAINTAINERS	counter: Internalize sysfs interface code	2023-06-06 18:05:09 +08:00
Makefile	Linux 5.15.110	2023-06-06 18:19:52 +08:00
README

README

Linux kernel
============

There are several guides for kernel developers and users. These guides can
be rendered in a number of formats, like HTML and PDF. Please read
Documentation/admin-guide/README.rst first.

In order to build the documentation, use ``make htmldocs`` or
``make pdfdocs``.  The formatted documentation can also be read online at:

    https://www.kernel.org/doc/html/latest/

There are various text files in the Documentation/ subdirectory,
several of them using the Restructured Text markup notation.

Please read the Documentation/process/changes.rst file, as it contains the
requirements for building and running the kernel, and information about
the problems which may result by upgrading your kernel.