[PATCH v2] erofs: fix use-after-free of on-stack io[]

Gao Xiang hsiangkao at linux.alibaba.com
Sat Apr 2 13:53:27 AEDT 2022 

On Fri, Apr 01, 2022 at 07:55:27PM +0800, Hongyu Jin wrote:
> From: Hongyu Jin <hongyu.jin at unisoc.com>
> 
> The root cause is the race as follows:
> Thread #1                              Thread #2(irq ctx)
> 
> z_erofs_runqueue()
>   struct z_erofs_decompressqueue io_A[];
>   submit bio A
>   z_erofs_decompress_kickoff(,,1)
>                                        z_erofs_decompressqueue_endio(bio A)
>                                        z_erofs_decompress_kickoff(,,-1)
>                                        spin_lock_irqsave()
>                                        atomic_add_return()
>   io_wait_event()   -> pending_bios is already 0
>   [end of function]
>                                        wake_up_locked(io_A[]) // crash

Actually I think it can be written like this to simplify the case a
bit.

> 
> Backtrace in kernel5.4:
> [   10.129413] 8<--- cut here ---
> [   10.129422] Unable to handle kernel paging request at virtual address eb0454a4
> [   10.364157] CPU: 0 PID: 709 Comm: getprop Tainted: G        WC O      5.4.147-ab09225 #1
> [   11.556325] [<c01b33b8>] (__wake_up_common) from [<c01b3300>] (__wake_up_locked+0x40/0x48)
> [   11.565487] [<c01b3300>] (__wake_up_locked) from [<c044c8d0>] (z_erofs_vle_unzip_kickoff+0x6c/0xc0)
> [   11.575438] [<c044c8d0>] (z_erofs_vle_unzip_kickoff) from [<c044c854>] (z_erofs_vle_read_endio+0x16c/0x17c)
> [   11.586082] [<c044c854>] (z_erofs_vle_read_endio) from [<c06a80e8>] (clone_endio+0xb4/0x1d0)
> [   11.595428] [<c06a80e8>] (clone_endio) from [<c04a1280>] (blk_update_request+0x150/0x4dc)
> [   11.604516] [<c04a1280>] (blk_update_request) from [<c06dea28>] (mmc_blk_cqe_complete_rq+0x144/0x15c)
> [   11.614640] [<c06dea28>] (mmc_blk_cqe_complete_rq) from [<c04a5d90>] (blk_done_softirq+0xb0/0xcc)
> [   11.624419] [<c04a5d90>] (blk_done_softirq) from [<c010242c>] (__do_softirq+0x184/0x56c)
> [   11.633419] [<c010242c>] (__do_softirq) from [<c01051e8>] (irq_exit+0xd4/0x138)
> [   11.641640] [<c01051e8>] (irq_exit) from [<c010c314>] (__handle_domain_irq+0x94/0xd0)
> [   11.650381] [<c010c314>] (__handle_domain_irq) from [<c04fde70>] (gic_handle_irq+0x50/0xd4)
> [   11.659641] [<c04fde70>] (gic_handle_irq) from [<c0101b70>] (__irq_svc+0x70/0xb0)
> 
> Signed-off-by: Hongyu Jin <hongyu.jin at unisoc.com>

Looks good to me!
Reviewed-by: Gao Xiang <hsiangkao at linux.alibaba.com>

Let me test it this weekend and upstream it this cycle.

Thanks,
Gao Xiang

More information about the Linux-erofs mailing list