rnbd-clt: fix refcount underflow in device unmap path#478
Closed
blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
Closed
rnbd-clt: fix refcount underflow in device unmap path#478blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
blktests-ci[bot] wants to merge 2 commits intolinus-master_basefrom
Conversation
Author
|
Upstream branch: 623fb99 |
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
f962a4d to
06634b5
Compare
Author
|
Upstream branch: b543459 |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
3194b22 to
99bd498
Compare
Author
|
Upstream branch: b543459 |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
99bd498 to
f42d945
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
06634b5 to
8a473ad
Compare
Author
|
Upstream branch: 944aacb |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
f42d945 to
026b448
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
8a473ad to
fa94b37
Compare
Author
|
Upstream branch: 944aacb |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
026b448 to
1444927
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
2 times, most recently
from
41a5848 to
30680e5
Compare
Author
|
Upstream branch: a66191c Pull request is NOT updated. Failed to apply https://patchwork.kernel.org/project/linux-block/list/?series=1041453 conflict: |
blktests-ci
bot
force-pushed
the
linus-master_base
branch
4 times, most recently
from
b44af19 to
483aa43
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
483aa43 to
9d3c6de
Compare
Author
|
Upstream branch: de0674d |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
1444927 to
5ca6b4e
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
9d3c6de to
7c2ae0a
Compare
Author
|
Upstream branch: f14faaf |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
5ca6b4e to
f3f05e7
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
7c2ae0a to
54294d6
Compare
Author
|
Upstream branch: b7ff715 |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
f3f05e7 to
cbae1f8
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
54294d6 to
eb49f7b
Compare
Author
|
Upstream branch: e7aa572 |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
cbae1f8 to
2ad69c0
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
eb49f7b to
30e5c22
Compare
During device unmapping (triggered by module unload or explicit unmap), a refcount underflow occurs causing a use-after-free warning: [14747.574913] ------------[ cut here ]------------ [14747.574916] refcount_t: underflow; use-after-free. [14747.574917] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x55/0x90, CPU#9: kworker/9:1/378 [14747.574924] Modules linked in: rnbd_client(-) rtrs_client rnbd_server rtrs_server rtrs_core ... [14747.574998] CPU: 9 UID: 0 PID: 378 Comm: kworker/9:1 Tainted: G O N 6.19.0-rc3lblk-fnext+ #42 PREEMPT(voluntary) [14747.575005] Workqueue: rnbd_clt_wq unmap_device_work [rnbd_client] [14747.575010] RIP: 0010:refcount_warn_saturate+0x55/0x90 [14747.575037] Call Trace: [14747.575038] <TASK> [14747.575038] rnbd_clt_unmap_device+0x170/0x1d0 [rnbd_client] [14747.575044] process_one_work+0x211/0x600 [14747.575052] worker_thread+0x184/0x330 [14747.575055] ? __pfx_worker_thread+0x10/0x10 [14747.575058] kthread+0x10d/0x250 [14747.575062] ? __pfx_kthread+0x10/0x10 [14747.575066] ret_from_fork+0x319/0x390 [14747.575069] ? __pfx_kthread+0x10/0x10 [14747.575072] ret_from_fork_asm+0x1a/0x30 [14747.575083] </TASK> [14747.575096] ---[ end trace 0000000000000000 ]--- Befor this patch :- The bug is a double kobject_put() on dev->kobj during device cleanup. Kobject Lifecycle: kobject_init_and_add() sets kobj.kref = 1 (initialization) kobject_put() sets kobj.kref = 0 (should be called once) * Before this patch: rnbd_clt_unmap_device() rnbd_destroy_sysfs() kobject_del(&dev->kobj) [remove from sysfs] kobject_put(&dev->kobj) PUT #1 (WRONG!) kref: 1 to 0 rnbd_dev_release() kfree(dev) [DEVICE FREED!] rnbd_destroy_gen_disk() [use-after-free!] rnbd_clt_put_dev() refcount_dec_and_test(&dev->refcount) kobject_put(&dev->kobj) PUT #2 (UNDERFLOW!) kref: 0 to -1 [WARNING!] The first kobject_put() in rnbd_destroy_sysfs() prematurely frees the device via rnbd_dev_release(), then the second kobject_put() in rnbd_clt_put_dev() causes refcount underflow. * After this patch :- Remove kobject_put() from rnbd_destroy_sysfs(). This function should only remove sysfs visibility (kobject_del), not manage object lifetime. Call Graph (FIXED): rnbd_clt_unmap_device() rnbd_destroy_sysfs() kobject_del(&dev->kobj) [remove from sysfs only] [kref unchanged: 1] rnbd_destroy_gen_disk() [device still valid] rnbd_clt_put_dev() refcount_dec_and_test(&dev->refcount) kobject_put(&dev->kobj) ONLY PUT (CORRECT!) kref: 1 to 0 [BALANCED] rnbd_dev_release() kfree(dev) [CLEAN DESTRUCTION] This follows the kernel pattern where sysfs removal (kobject_del) is separate from object destruction (kobject_put). Fixes: 581cf83 ("block: rnbd: add .release to rnbd_dev_ktype") Signed-off-by: Chaitanya Kulkarni <[email protected]> Acked-by: Jack Wang <[email protected]> Reviewed-by: Jack Wang <[email protected]>
Author
|
Upstream branch: 05f7e89 |
blktests-ci
bot
force-pushed
the
series/1041453=>linus-master
branch
from
2ad69c0 to
6fab997
Compare
blktests-ci
bot
force-pushed
the
linus-master_base
branch
from
30e5c22 to
519f160
Compare
Author
|
At least one diff in series https://patchwork.kernel.org/project/linux-block/list/?series=1041453 irrelevant now for [{'archived': False, 'project': 241}] search patterns |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Pull request for series with
subject: rnbd-clt: fix refcount underflow in device unmap path
version: 1
url: https://patchwork.kernel.org/project/linux-block/list/?series=1041453