asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/block
History
Sahitya Tummala cf535659b3 block: Fix use-after-free issue accessing struct io_cq 
[ Upstream commit 30a2da7b7e225ef6c87a660419ea04d3cef3f6a7 ]

There is a potential race between ioc_release_fn() and
ioc_clear_queue() as shown below, due to which below kernel
crash is observed. It also can result into use-after-free
issue.

context#1:				context#2:
ioc_release_fn()			__ioc_clear_queue() gets the same icq
->spin_lock(&ioc->lock);		->spin_lock(&ioc->lock);
->ioc_destroy_icq(icq);
  ->list_del_init(&icq->q_node);
  ->call_rcu(&icq->__rcu_head,
  	icq_free_icq_rcu);
->spin_unlock(&ioc->lock);
					->ioc_destroy_icq(icq);
					  ->hlist_del_init(&icq->ioc_node);
					  This results into below crash as this memory
					  is now used by icq->__rcu_head in context#1.
					  There is a chance that icq could be free'd
					  as well.

22150.386550:   <6> Unable to handle kernel write to read-only memory
at virtual address ffffffaa8d31ca50
...
Call trace:
22150.607350:   <2>  ioc_destroy_icq+0x44/0x110
22150.611202:   <2>  ioc_clear_queue+0xac/0x148
22150.615056:   <2>  blk_cleanup_queue+0x11c/0x1a0
22150.619174:   <2>  __scsi_remove_device+0xdc/0x128
22150.623465:   <2>  scsi_forget_host+0x2c/0x78
22150.627315:   <2>  scsi_remove_host+0x7c/0x2a0
22150.631257:   <2>  usb_stor_disconnect+0x74/0xc8
22150.635371:   <2>  usb_unbind_interface+0xc8/0x278
22150.639665:   <2>  device_release_driver_internal+0x198/0x250
22150.644897:   <2>  device_release_driver+0x24/0x30
22150.649176:   <2>  bus_remove_device+0xec/0x140
22150.653204:   <2>  device_del+0x270/0x460
22150.656712:   <2>  usb_disable_device+0x120/0x390
22150.660918:   <2>  usb_disconnect+0xf4/0x2e0
22150.664684:   <2>  hub_event+0xd70/0x17e8
22150.668197:   <2>  process_one_work+0x210/0x480
22150.672222:   <2>  worker_thread+0x32c/0x4c8

Fix this by adding a new ICQ_DESTROYED flag in ioc_destroy_icq() to
indicate this icq is once marked as destroyed. Also, ensure
__ioc_clear_queue() is accessing icq within rcu_read_lock/unlock so
that icq doesn't get free'd up while it is still using it.

Signed-off-by: Sahitya Tummala <stummala@codeaurora.org>
Co-developed-by: Pradeep P V K <ppvk@codeaurora.org>
Signed-off-by: Pradeep P V K <ppvk@codeaurora.org>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2020-04-17 10:48:41 +02:00
..
partitions partitions/aix: append null character to print data from disk 2018-07-27 09:17:41 -06:00
badblocks.c
bfq-cgroup.c block, bfq: fix overwrite of bfq_group pointer in bfq_find_set_group() 2020-03-25 08:06:08 +01:00
bfq-iosched.c blok, bfq: do not plug I/O if all queues are weight-raised 2019-11-20 18:46:44 +01:00
bfq-iosched.h block, bfq: inject other-queue I/O into seeky idle queues on NCQ flash 2019-11-20 18:46:44 +01:00
bfq-wf2q.c block, bfq: correctly charge and reset entity service in all cases 2018-11-13 11:08:28 -08:00
bio-integrity.c block/bio-integrity: fix a memory leak bug 2019-07-31 07:27:08 +02:00
bio.c block: do not leak memory in bio_copy_user_iov() 2019-04-17 08:38:51 +02:00
blk-cgroup.c blkcg: make blkcg_print_stat() print stats only for online blkgs 2019-11-12 19:21:19 +01:00
blk-core.c block: call rq_qos_exit() after queue is frozen 2019-12-01 09:17:06 +01:00
blk-exec.c
blk-flush.c block: fix null pointer dereference in blk_mq_rq_timed_out() 2019-10-05 13:10:08 +02:00
blk-integrity.c
blk-ioc.c block: Fix use-after-free issue accessing struct io_cq 2020-04-17 10:48:41 +02:00
blk-iolatency.c blk-iolatency: fix STS_AGAIN handling 2019-09-16 08:21:41 +02:00
blk-lib.c block: fix 32 bit overflow in __blkdev_issue_discard() 2020-02-01 09:37:12 +00:00
blk-map.c block: fix memleak when __blk_rq_map_user_iov() is failed 2020-01-12 12:17:22 +01:00
blk-merge.c block: don't use bio->bi_vcnt to figure out segment number 2020-01-27 14:50:23 +01:00
blk-mq-cpumap.c
blk-mq-debugfs-zoned.c
blk-mq-debugfs.c block, scsi: Change the preempt-only flag into a counter 2019-08-04 09:30:57 +02:00
blk-mq-debugfs.h
blk-mq-pci.c blk-mq: code clean-up by adding an API to clear set->mq_map 2018-07-09 09:07:53 -06:00
blk-mq-rdma.c
blk-mq-sched.c block: mq-deadline: Fix write completion handling 2019-01-13 09:51:07 +01:00
blk-mq-sched.h block: mq-deadline: Fix write completion handling 2019-01-13 09:51:07 +01:00
blk-mq-sysfs.c blk-mq: make sure that line break can be printed 2019-12-17 20:35:48 +01:00
blk-mq-tag.c blk-mq: Allow blocking queue tag iter callbacks 2018-09-25 20:17:59 -06:00
blk-mq-tag.h
blk-mq-virtio.c
blk-mq.c block: fix null pointer dereference in blk_mq_rq_timed_out() 2019-10-05 13:10:08 +02:00
blk-mq.h blk-mq: free hw queue's resource in hctx's release handler 2019-09-16 08:22:13 +02:00
blk-rq-qos.c blk-wbt: fix performance regression in wbt scale_up/scale_down 2019-10-17 13:45:16 -07:00
blk-rq-qos.h blk-rq-qos: fix first node deletion of rq_qos_del() 2019-10-29 09:20:09 +01:00
blk-settings.c block: keep bdi->io_pages in sync with max_sectors_kb for stacked devices 2020-04-17 10:48:39 +02:00
blk-softirq.c
blk-stat.c blk-stat: export helpers for modifying blk_rq_stat 2018-07-09 09:07:54 -06:00
blk-stat.h block: deactivate blk_stat timer in wbt_disable_default() 2019-01-13 09:51:06 +01:00
blk-sysfs.c block: call rq_qos_exit() after queue is frozen 2019-12-01 09:17:06 +01:00
blk-tag.c
blk-throttle.c blk-throttle: fix zero wait time for iops throttled group 2019-07-26 09:14:30 +02:00
blk-timeout.c
blk-wbt.c blk-wbt: fix performance regression in wbt scale_up/scale_down 2019-10-17 13:45:16 -07:00
blk-wbt.h block: remove external dependency on wbt_flags 2018-07-09 09:07:54 -06:00
blk-zoned.c
blk.h block: fix null pointer dereference in blk_mq_rq_timed_out() 2019-10-05 13:10:08 +02:00
bounce.c block: copy ioprio in __bio_clone_fast() and bounce 2018-12-01 09:37:32 +01:00
bsg-lib.c block/bsg-lib: use PTR_ERR_OR_ZERO to simplify the flow path 2018-08-01 09:13:03 -06:00
bsg.c block: bsg: move atomic_t ref_count variable to refcount API 2018-08-27 19:17:02 -06:00
cfq-iosched.c cfq: Suppress compiler warnings about comparisons 2018-08-07 17:57:13 -06:00
cmdline-parser.c
compat_ioctl.c compat_ioctl: block: handle BLKREPORTZONE/BLKRESETZONE 2020-01-09 10:19:01 +01:00
deadline-iosched.c
elevator.c block: fix deadline elevator drain for zoned block devices 2018-09-26 19:57:24 -06:00
genhd.c block: fix use-after-free on gendisk 2019-05-31 06:46:18 -07:00
ioctl.c
ioprio.c
Kconfig block: introduce blk-iolatency io controller 2018-07-09 09:07:54 -06:00
Kconfig.iosched
kyber-iosched.c
Makefile block: introduce blk-iolatency io controller 2018-07-09 09:07:54 -06:00
mq-deadline.c block: mq-deadline: Fix queue restart handling 2019-10-07 18:57:19 +02:00
noop-iosched.c
opal_proto.h
partition-generic.c block: fix use-after-free on gendisk 2019-05-31 06:46:18 -07:00
scsi_ioctl.c
sed-opal.c block: sed-opal: fix IOC_OPAL_ENABLE_DISABLE_MBR 2019-05-31 06:46:24 -07:00
t10-pi.c block: move dif_prepare/dif_complete functions to block layer 2018-07-30 08:27:02 -06:00