Re: mainline boot is broken: KASAN: use-after-free in blk_flush_complete_seq

From: Dmitry Vyukov
Date: Mon Jun 11 2018 - 04:24:11 EST


On Sat, Jun 9, 2018 at 2:33 PM, Jens Axboe <axboe@xxxxxxxxx> wrote:
> On 6/9/18 3:34 AM, Dmitry Vyukov wrote:
>> Hi,
>>
>> Boot of mainline kernel is currently broken.
>> On commit 7d3bf613e99abbd96ac7b90ee3694a246c975021.
>> Config:
>> https://gist.githubusercontent.com/dvyukov/9f7f1fd9e477efd85b221b3a21036c20/raw/7c56ede0840494b26045976960866f2b265c6f64/gistfile1.txt
>> Should have been introduced very recently.
>
> Can you try the below?

Yes, this fixes the use-after-free:

Tested-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>

>> You may need to also patch "umh: fix race condition", because that's
>> another boot crasher currently present in tree.
>
> Not sure what that refers to.


Currently there are 2 boot bugs present in the upstream tree: this block
bug and an umh bug. I assumed that anybody who will be fixing the
block bug will want to first reproduce it and then test the fix
locally. But if one tries to do that, they will actually hit the umh
bug first. So I provided the fixing commit for the umh bug to simplify
things for whoever would be fixing this block bug.


> diff --git a/block/blk-flush.c b/block/blk-flush.c
> index 058abdb50f31..ce41f666de3e 100644
> --- a/block/blk-flush.c
> +++ b/block/blk-flush.c
> @@ -169,9 +169,11 @@ static bool blk_flush_complete_seq(struct request *rq,
> struct request_queue *q = rq->q;
> struct list_head *pending = &fq->flush_queue[fq->flush_pending_idx];
> bool queued = false, kicked;
> + unsigned int cmd_flags;
>
> BUG_ON(rq->flush.seq & seq);
> rq->flush.seq |= seq;
> + cmd_flags = rq->cmd_flags;
>
> if (likely(!error))
> seq = blk_flush_cur_seq(rq);
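Review bot: the new local `cmd_flags = rq->cmd_flags;` is captured immediately after `rq->flush.seq |= seq;`, i.e. before any step of the sequence can complete and free the request, which is the correct place for it; please add a one-line comment at the `unsigned int cmd_flags;` declaration saying that `rq` may already be freed by the time `blk_kick_flush()` runs, so the cached copy is not mistaken for a stylistic extra and reverted later. The inline patch also carries no changelog or `Fixes:` tag; when it is submitted, a short description of the use-after-free reported by KASAN in `blk_flush_complete_seq` and a reference to the commit that introduced it would help backporting.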
> @@ -212,7 +214,7 @@ static bool blk_flush_complete_seq(struct request *rq,
> BUG();
> }
>
> - kicked = blk_kick_flush(q, fq, rq->cmd_flags);
> + kicked = blk_kick_flush(q, fq, cmd_flags);
> return kicked | queued;
> }
>
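Review bot: replacing `rq->cmd_flags` with the cached `cmd_flags` in `kicked = blk_kick_flush(q, fq, cmd_flags);` removes the last dereference of `rq` after the sequence has advanced, which matches the use-after-free the report describes; worth checking that this is indeed the only post-completion access in the function (the `return kicked | queued;` that follows touches only locals, so this hunk looks complete). A brief comment above the call explaining why the copy is used would make the intent clear at the use site as well as at the declaration.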
>
> --
> Jens Axboe
>