ublk: clear server ownership before aborting in-flight requests#822
Open
blktests-ci[bot] wants to merge 1 commit into
[BUG]

A stale UBLK_IO_COMMIT_AND_FETCH_REQ can reach the normal completion path after ublk has already aborted the in-flight request, leading to a use-after-free in map/unmap mode:

BUG: KASAN: use-after-free in ublk_copy_io_pages drivers/block/ublk_drv.c:946 [inline]
BUG: KASAN: use-after-free in ublk_copy_user_pages+0x83c/0xcc0 drivers/block/ublk_drv.c:1013
Write of size 4096 at addr ffff88800ce2a000 by task ublk.fsfuzz/275

Call Trace:
...
ublk_copy_io_pages drivers/block/ublk_drv.c:946 [inline]
ublk_copy_user_pages+0x83c/0xcc0 drivers/block/ublk_drv.c:1013
ublk_unmap_io+0x2bb/0x350 drivers/block/ublk_drv.c:1076
__ublk_complete_rq drivers/block/ublk_drv.c:1188 [inline]
ublk_ch_uring_cmd_local+0x157c/0x2180 drivers/block/ublk_drv.c:2477
ublk_ch_uring_cmd+0x42/0x640 drivers/block/ublk_drv.c:2561
io_uring_cmd+0x26f/0x570 io_uring/uring_cmd.c:263
__io_issue_sqe+0xc2/0x760 io_uring/io_uring.c:1826
io_issue_sqe+0xdd/0x11e0 io_uring/io_uring.c:1849
io_queue_sqe io_uring/io_uring.c:2076 [inline]
io_submit_sqe io_uring/io_uring.c:2336 [inline]
io_submit_sqes+0x806/0x2390 io_uring/io_uring.c:2449
__do_sys_io_uring_enter+0x5c0/0x13a0 io_uring/io_uring.c:3516
__se_sys_io_uring_enter io_uring/io_uring.c:3455 [inline]
__x64_sys_io_uring_enter+0xe5/0x1c0 io_uring/io_uring.c:3455
x64_sys_call+0x2419/0x26a0 arch/x86/include/generated/asm/syscalls_64.h:427
...

[CAUSE]

commit e63d222 ("ublk: simplify aborting ublk request") removed the abort-only completion state and now __ublk_fail_req() fails or requeues the request without first revoking UBLK_IO_FLAG_OWNED_BY_SRV. That leaves the tag looking as if it is still owned by the ublk server, so a stale COMMIT_AND_FETCH_REQ can pass the ownership check, reuse io->req, and call __ublk_complete_rq() after the request has already been ended. In map mode that drives ublk_unmap_io() into freed request pages.

[FIX]

Clear UBLK_IO_FLAG_OWNED_BY_SRV as soon as abort starts in __ublk_fail_req(). Once ownership is revoked, any stale COMMIT_AND_FETCH_REQ fails before touching io->req, so the completion path can no longer copy into freed bio pages.

Fixes: e63d222 ("ublk: simplify aborting ublk request")
Signed-off-by: ZhengYuan Huang <gality369@gmail.com>
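A constructed model of the ownership check described in the commit message, added here and not taken from the driver or the patch: only UBLK_IO_FLAG_OWNED_BY_SRV and io->req come from the text, while struct request, struct ublk_io, fail_req, commit_and_fetch, stale_commit_after_abort and commit_for_live_request are hypothetical simplifications. It shows why revoking server ownership before the request is ended makes a stale commit fail at the ownership check instead of reaching completion on a dead request.

```c
/* Constructed model of the ublk tag-ownership race; not the kernel's code.
 * Only UBLK_IO_FLAG_OWNED_BY_SRV and io->req are taken from the commit
 * message; struct request, struct ublk_io and the functions are stand-ins. */
#include <stdbool.h>

#define UBLK_IO_FLAG_OWNED_BY_SRV 0x1u   /* tag is handed out to the ublk server */

struct request { int ended; };           /* stand-in for the block-layer request */
struct ublk_io { unsigned int flags; struct request *req; };

/* Abort path (models __ublk_fail_req). with_fix selects whether server
 * ownership is revoked before the request is ended, as the patch does. */
static void fail_req(struct ublk_io *io, bool with_fix)
{
    if (with_fix)
        io->flags &= ~UBLK_IO_FLAG_OWNED_BY_SRV;
    io->req->ended = 1;  /* in the kernel the request and its pages are now gone */
}

/* A COMMIT_AND_FETCH_REQ from the server for this tag.
 *  1: rejected by the ownership check (server no longer owns the tag)
 *  0: accepted, request is live, normal completion would follow
 * -1: accepted although the request was already ended (the use-after-free) */
static int commit_and_fetch(const struct ublk_io *io)
{
    if (!(io->flags & UBLK_IO_FLAG_OWNED_BY_SRV))
        return 1;
    if (io->req->ended)
        return -1;       /* would drive completion into freed request pages */
    return 0;
}

/* Scenario from the report: abort first, then a stale commit arrives. */
static int stale_commit_after_abort(bool with_fix)
{
    struct request rq = { 0 };
    struct ublk_io io = { .flags = UBLK_IO_FLAG_OWNED_BY_SRV, .req = &rq };
    fail_req(&io, with_fix);
    return commit_and_fetch(&io);
}

/* Baseline: a commit for a live request the server still owns is accepted. */
static int commit_for_live_request(void)
{
    struct request rq = { 0 };
    struct ublk_io io = { .flags = UBLK_IO_FLAG_OWNED_BY_SRV, .req = &rq };
    return commit_and_fetch(&io);
}
```

Without the fix the stale commit passes the ownership check and acts on the ended request; with it the same commit is rejected before io->req is touched.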
Upstream branch: aa54b1d
Pull request for series with
subject: ublk: clear server ownership before aborting in-flight requests
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1093401