[PATCH] erofs: fix use-after-free of on-stack io[]
Gao Xiang
hsiangkao at linux.alibaba.com
Fri Apr 1 22:40:48 AEDT 2022
On Fri, Apr 01, 2022 at 07:15:36PM +0800, Gao Xiang wrote:
> On Fri, Apr 01, 2022 at 05:36:23PM +0800, Henry King wrote:
> > Gao Xiang <hsiangkao at linux.alibaba.com> wrote on Fri, Apr 1, 2022 at 14:55:
...
> > > > @@ -1370,8 +1367,7 @@ static void z_erofs_runqueue(struct super_block *sb,
> > > > return;
> > > >
> > > > /* wait until all bios are completed */
> > > > - io_wait_event(io[JQ_SUBMIT].u.wait,
> > > > - !atomic_read(&io[JQ_SUBMIT].pending_bios));
> > > > + wait_for_completion_io(&io[JQ_SUBMIT].u.done);
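Review bot: at the added wait_for_completion_io(&io[JQ_SUBMIT].u.done) line, the wait no longer has a condition to short-circuit on. The removed io_wait_event() returned at once when !atomic_read(&io[JQ_SUBMIT].pending_bios) was already true, whereas wait_for_completion_io() returns only after a matching complete() on u.done. Please confirm, and state in the commit message or in the comment above the wait, that every path past the preceding "return;" either submits at least one bio or otherwise signals u.done, so a zero-bio case cannot block here indefinitely. The "wait until all bios are completed" comment could also say why a completion is used instead of the wait queue, since that is the point of the fix.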
> > >
> > > Thanks, good catch!
> > >
> > > What if pending_bios is always 0 (nr_bios == 0), is it possible?
> > The pending_bios isn't always 0. If the bio is completed before
> > io_wait_event() is called, the value of pending_bios goes from 1 to 0, and
> > on entering io_wait_event() it will not acquire the lock and will return immediately.
>
> nope, IMO, if no io submission, we could run into this case.
>
Ok, after revisiting the code, I think it's impossible as well.
Please help commit another version with commit message updated. I will
test it later (it's a quite rare race I think.)
Thanks,
Gao Xiang
> Thanks,
> Gao Xiang
>
> > >
> > > Thanks,
> > > Gao Xiang