Emit metadata instead of link #76

Merged
merged 1 commit into rust from metadata
Jan 21, 2021

Conversation

@ojeda (Member) commented Jan 21, 2021

It allows us to save a bit of space, ignore the duplicate object files, and the archiving steps; e.g.:

  643544 libcompiler_builtins.rlib
64171752 libcore.rlib

vs.

  530004 libcompiler_builtins.rmeta
63679866 libcore.rmeta

We couldn't do it right away in [1] because rustc required a fix [2,3]. The fix is now in [4] and available since the 2021-01-21 nightly, so now we can go ahead and make the change.

Fixes #75.

[1] #52
[2] rust-lang/rust#81117
[3] rust-lang/rust#81118
[4] rust-lang/rust@f9275e1

Suggested-by: bjorn3
Signed-off-by: Miguel Ojeda [email protected]

@alex (Member) left a comment

Can you update Documentation/rust/quick-start.rst with the new version too.

@ojeda (Member, Author) commented Jan 21, 2021

Yeah, good catch.

It allows us to save a bit of space, ignore the duplicate object files,
and the archiving steps; e.g.:

      643544 libcompiler_builtins.rlib
    64171752 libcore.rlib

vs.

      530004 libcompiler_builtins.rmeta
    63679866 libcore.rmeta

We couldn't do it right away in [1] because `rustc` required a fix [2,3].
The fix is now in [4] and available since the 2021-01-21 nightly, so now
we can go ahead and make the change.

Fixes #75.

[1] #52
[2] rust-lang/rust#81117
[3] rust-lang/rust#81118
[4] rust-lang/rust@f9275e1

Suggested-by: bjorn3
Signed-off-by: Miguel Ojeda <[email protected]>
@ojeda ojeda merged commit d8e8a16 into rust Jan 21, 2021
@ojeda ojeda deleted the metadata branch January 21, 2021 18:28
JoseTeuttli pushed a commit to JoseTeuttli/linux that referenced this pull request Jun 14, 2021
In the case of MDIO bus registration failure due to no external PHY
device being connected to the MAC, clk_disable_unprepare() is called in
stmmac_bus_clks_config() and intel_eth_pci_probe() respectively.

The second call in intel_eth_pci_probe() will cause the following:

[   16.578605] intel-eth-pci 0000:00:1e.5: No PHY found
[   16.583778] intel-eth-pci 0000:00:1e.5: stmmac_dvr_probe: MDIO bus (id: 2) registration failed
[   16.680181] ------------[ cut here ]------------
[   16.684861] stmmac-0000:00:1e.5 already disabled
[   16.689547] WARNING: CPU: 13 PID: 2053 at drivers/clk/clk.c:952 clk_core_disable+0x96/0x1b0
[   16.697963] Modules linked in: dwc3 iTCO_wdt mei_hdcp iTCO_vendor_support udc_core x86_pkg_temp_thermal kvm_intel marvell10g kvm sch_fq_codel nfsd irqbypass dwmac_intel(+) stmmac uio ax88179_178a pcs_xpcs phylink uhid spi_pxa2xx_platform usbnet mei_me pcspkr tpm_crb mii i2c_i801 dw_dmac dwc3_pci thermal dw_dmac_core intel_rapl_msr libphy i2c_smbus mei tpm_tis intel_th_gth tpm_tis_core tpm intel_th_acpi intel_pmc_core intel_th i915 fuse configfs snd_hda_intel snd_intel_dspcfg snd_intel_sdw_acpi snd_hda_codec snd_hda_core snd_pcm snd_timer snd soundcore
[   16.746785] CPU: 13 PID: 2053 Comm: systemd-udevd Tainted: G     U            5.13.0-rc3-intel-lts #76
[   16.756134] Hardware name: Intel Corporation Alder Lake Client Platform/AlderLake-S ADP-S DRR4 CRB, BIOS ADLIFSI1.R00.1494.B00.2012031421 12/03/2020
[   16.769465] RIP: 0010:clk_core_disable+0x96/0x1b0
[   16.774222] Code: 00 8b 05 45 96 17 01 85 c0 7f 24 48 8b 5b 30 48 85 db 74 a5 8b 43 7c 85 c0 75 93 48 8b 33 48 c7 c7 6e 32 cc b7 e8 b2 5d 52 00 <0f> 0b 5b 5d c3 65 8b 05 76 31 18 49 89 c0 48 0f a3 05 bc 92 1a 01
[   16.793016] RSP: 0018:ffffa44580523aa0 EFLAGS: 00010086
[   16.798287] RAX: 0000000000000000 RBX: ffff8d7d0eb70a00 RCX: 0000000000000000
[   16.805435] RDX: 0000000000000002 RSI: ffffffffb7c62d5f RDI: 00000000ffffffff
[   16.812610] RBP: 0000000000000287 R08: 0000000000000000 R09: ffffa445805238d0
[   16.819759] R10: 0000000000000001 R11: 0000000000000001 R12: ffff8d7d0eb70a00
[   16.826904] R13: ffff8d7d027370c8 R14: 0000000000000006 R15: ffffa44580523ad0
[   16.834047] FS:  00007f9882fa2600(0000) GS:ffff8d80a0940000(0000) knlGS:0000000000000000
[   16.842177] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   16.847966] CR2: 00007f9882bea3d8 CR3: 000000010b126001 CR4: 0000000000370ee0
[   16.855144] Call Trace:
[   16.857614]  clk_core_disable_lock+0x1b/0x30
[   16.861941]  intel_eth_pci_probe.cold+0x11d/0x136 [dwmac_intel]
[   16.867913]  pci_device_probe+0xcf/0x150
[   16.871890]  really_probe+0xf5/0x3e0
[   16.875526]  driver_probe_device+0x64/0x150
[   16.879763]  device_driver_attach+0x53/0x60
[   16.883998]  __driver_attach+0x9f/0x150
[   16.887883]  ? device_driver_attach+0x60/0x60
[   16.892288]  ? device_driver_attach+0x60/0x60
[   16.896698]  bus_for_each_dev+0x77/0xc0
[   16.900583]  bus_add_driver+0x184/0x1f0
[   16.904469]  driver_register+0x6c/0xc0
[   16.908268]  ? 0xffffffffc07ae000
[   16.911598]  do_one_initcall+0x4a/0x210
[   16.915489]  ? kmem_cache_alloc_trace+0x305/0x4e0
[   16.920247]  do_init_module+0x5c/0x230
[   16.924057]  load_module+0x2894/0x2b70
[   16.927857]  ? __do_sys_finit_module+0xb5/0x120
[   16.932441]  __do_sys_finit_module+0xb5/0x120
[   16.936845]  do_syscall_64+0x42/0x80
[   16.940476]  entry_SYSCALL_64_after_hwframe+0x44/0xae
[   16.945586] RIP: 0033:0x7f98830e5ccd
[   16.949177] Code: 00 c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 31 0c 00 f7 d8 64 89 01 48
[   16.967970] RSP: 002b:00007ffc66b60168 EFLAGS: 00000246 ORIG_RAX: 0000000000000139
[   16.975583] RAX: ffffffffffffffda RBX: 000055885de35ef0 RCX: 00007f98830e5ccd
[   16.982725] RDX: 0000000000000000 RSI: 00007f98832541e3 RDI: 0000000000000012
[   16.989868] RBP: 0000000000020000 R08: 0000000000000000 R09: 0000000000000000
[   16.997042] R10: 0000000000000012 R11: 0000000000000246 R12: 00007f98832541e3
[   17.004222] R13: 0000000000000000 R14: 0000000000000000 R15: 00007ffc66b60328
[   17.011369] ---[ end trace df06a3dab26b988c ]---
[   17.016062] ------------[ cut here ]------------
[   17.020701] stmmac-0000:00:1e.5 already unprepared

Remove the stmmac_bus_clks_config() call in stmmac_dvr_probe() and let
dwmac-intel handle the unprepare and disable of the clk device.

Fixes: 5ec5582 ("net: stmmac: add clocks management for gmac driver")
Cc: Joakim Zhang <[email protected]>
Signed-off-by: Wong Vee Khee <[email protected]>
Reviewed-by: Joakim Zhang <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
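The double release described in the commit message above, as an added example that is not the kernel's code: a small user-space model of the clk_prepare_enable()/clk_disable_unprepare() pairing. The struct, the counters and the two probe variants are hypothetical stand-ins; the only thing they reproduce is the ownership rule the fix restores, namely that whoever enabled the clock (intel_eth_pci_probe) is the one that disables it on failure. With the pre-fix stmmac_dvr_probe() both halves of the kernel's warning ("already disabled", then "already unprepared") fire, because clk_disable() and clk_unprepare() each check their own count.

```c
/*
 * Added example (not kernel code): a model of the clk_prepare_enable() /
 * clk_disable_unprepare() pairing from the commit above.  All names are
 * hypothetical stand-ins for the kernel's clk API; the counting rules only
 * mirror drivers/clk/clk.c in spirit (warn, do not go negative).
 */
#include <stdbool.h>
#include <stdio.h>

struct model_clk {
	const char *name;
	int prepare_count;
	int enable_count;
	int warnings;		/* times the kernel's WARN would have fired */
};

static void clk_prepare_enable(struct model_clk *c)
{
	c->prepare_count++;
	c->enable_count++;
}

/* clk_disable() then clk_unprepare(): each half checks its own count and
 * warns if the clock is already off, which is why a double call logs
 * two separate messages. */
static void clk_disable_unprepare(struct model_clk *c)
{
	if (c->enable_count == 0) {
		fprintf(stderr, "%s already disabled\n", c->name);
		c->warnings++;
	} else {
		c->enable_count--;
	}
	if (c->prepare_count == 0) {
		fprintf(stderr, "%s already unprepared\n", c->name);
		c->warnings++;
	} else {
		c->prepare_count--;
	}
}

/* stmmac_dvr_probe() before the fix: on MDIO registration failure it
 * turns the clocks off itself, although it never turned them on. */
static int stmmac_dvr_probe_before(struct model_clk *c, bool mdio_fails)
{
	if (mdio_fails) {
		clk_disable_unprepare(c);	/* first, redundant, disable */
		return -1;
	}
	return 0;
}

/* stmmac_dvr_probe() after the fix: report the error, touch no clocks. */
static int stmmac_dvr_probe_after(struct model_clk *c, bool mdio_fails)
{
	(void)c;
	return mdio_fails ? -1 : 0;
}

/* intel_eth_pci_probe(): owns the clock, so it enables it before the
 * core probe and disables it on any failure of that probe. */
static int intel_eth_pci_probe(struct model_clk *c, bool mdio_fails,
			       int (*dvr_probe)(struct model_clk *, bool))
{
	int ret;

	clk_prepare_enable(c);
	ret = dvr_probe(c, mdio_fails);
	if (ret) {
		clk_disable_unprepare(c);	/* second disable in the old flow */
		return ret;
	}
	return 0;
}

/* Probe with a failing MDIO bus; returns how many WARNs fired. */
static int probe_warnings(bool fixed)
{
	struct model_clk c = { .name = "stmmac-0000:00:1e.5" };

	intel_eth_pci_probe(&c, true, fixed ? stmmac_dvr_probe_after
					    : stmmac_dvr_probe_before);
	return c.warnings;
}

/* Successful probe: the clock must still be on when the driver is bound. */
static bool probe_leaves_clock_on(bool fixed)
{
	struct model_clk c = { .name = "stmmac-0000:00:1e.5" };

	intel_eth_pci_probe(&c, false, fixed ? stmmac_dvr_probe_after
					     : stmmac_dvr_probe_before);
	return c.prepare_count == 1 && c.enable_count == 1;
}
```

The general lesson the model encodes is the usual one for error paths: a callee that did not acquire a resource must not release it, otherwise the caller's own cleanup becomes a double release (here a WARN, for refcounted objects typically a use-after-free).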
ojeda pushed a commit that referenced this pull request Sep 12, 2023
With latest clang18, I hit test_progs failures for the following test:

  #13/2    bpf_cookie/multi_kprobe_link_api:FAIL
  #13/3    bpf_cookie/multi_kprobe_attach_api:FAIL
  #13      bpf_cookie:FAIL
  #75      fentry_fexit:FAIL
  #76/1    fentry_test/fentry:FAIL
  #76      fentry_test:FAIL
  #80/1    fexit_test/fexit:FAIL
  #80      fexit_test:FAIL
  #110/1   kprobe_multi_test/skel_api:FAIL
  #110/2   kprobe_multi_test/link_api_addrs:FAIL
  #110/3   kprobe_multi_test/link_api_syms:FAIL
  #110/4   kprobe_multi_test/attach_api_pattern:FAIL
  #110/5   kprobe_multi_test/attach_api_addrs:FAIL
  #110/6   kprobe_multi_test/attach_api_syms:FAIL
  #110     kprobe_multi_test:FAIL

For example, for #13/2, the error messages are:

  [...]
  kprobe_multi_test_run:FAIL:kprobe_test7_result unexpected kprobe_test7_result: actual 0 != expected 1
  [...]
  kprobe_multi_test_run:FAIL:kretprobe_test7_result unexpected kretprobe_test7_result: actual 0 != expected 1

clang17 does not have this issue.

Further investigation shows that kernel func bpf_fentry_test7(), used in
the above tests, is inlined by the compiler although it is marked as
noinline.

  int noinline bpf_fentry_test7(struct bpf_fentry_test_t *arg)
  {
        return (long)arg;
  }

It is known that for simple functions like the above (e.g. just returning
a constant or an input argument), the clang compiler may still do inlining
for a noinline function. Adding 'asm volatile ("")' in the beginning of the
bpf_fentry_test7() can prevent inlining.

Signed-off-by: Yonghong Song <[email protected]>
Signed-off-by: Daniel Borkmann <[email protected]>
Tested-by: Eduard Zingerman <[email protected]>
Link: https://lore.kernel.org/bpf/[email protected]
gurugio added a commit to gurugio/rust-for-linux that referenced this pull request Oct 30, 2023
It uses the Opaque type to get a mutable reference to an object
inside a super object wrapped with Arc.
The Opaque::raw_get() function returns a mutable pointer.

But it still has a problem, as below.
A spinlock in the completion object might not be initialized correctly.

/ # insmod share/rust_ldd06.ko
[    8.838768] rust_ldd06: module verification failed: signature and/or required key missing - tal
[    8.841700] rust_completion: rust_ldd06 is loaded
[    8.842994] rust_completion: completion_dev created
/ # mknod /dev/rust_ldd06 c 10 124
/ # cat /dev/rust_ldd06 &
/ # [   28.024130] rust_completion: open is invoked
[   28.025404] rust_completion: read is invoked

/ # echo "asdf" > /dev/rust_ldd06
[   34.750500] rust_completion: open is invoked
[   34.751870] rust_completion: write is invoked
[   34.753140] BUG: unable to handle page fault for address: ffffc90000594743
[   34.754996] #PF: supervisor write access in kernel mode
[   34.756442] #PF: error_code(0x0002) - not-present page
[   34.757111] PGD 3000067 P4D 3000067 PUD 31a7067 PMD 414b067 PTE 0
[   34.757111] Oops: 0002 [#1] PREEMPT SMP NOPTI
[   34.757111] CPU: 0 PID: 1 Comm: sh Tainted: G            E      6.6.0-rc4+ #76
[   34.757111] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.15.0-1 04/01/2014
[   34.757111] RIP: 0010:_raw_spin_lock_irqsave+0x32/0xa0
[   34.757111] Code: e5 41 57 41 56 41 54 53 49 89 ff 9c 58 0f 1f 40 00 49 89 c6 fa 0f 1f 44 00 01
[   34.757111] RSP: 0018:ffffc9000000bd30 EFLAGS: 00010046
[   34.757111] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[   34.757111] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc90000594743
[   34.757111] RBP: ffffc9000000bd50 R08: 0000000000000000 R09: 0000000000000000
[   34.757111] R10: ffffc9000000bca8 R11: 3fffffffffffffff R12: 0000000000000000
[   34.757111] R13: 0000000000000005 R14: 0000000000000097 R15: ffffc90000594743
[   34.757111] FS:  0000000001d1c3c0(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
[   34.757111] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.757111] CR2: ffffc90000594743 CR3: 0000000004322000 CR4: 00000000000006f0
[   34.757111] Call Trace:
[   34.757111]  <TASK>
[   34.757111]  ? __die_body+0x6b/0xb0
[   34.757111]  ? __die+0x9b/0xb0
[   34.757111]  ? page_fault_oops+0x24c/0x370
[   34.757111]  ? prb_read_valid+0x19/0x20
[   34.757111]  ? printk_get_next_message+0x72/0x320
[   34.757111]  ? kernelmode_fixup_or_oops+0xd7/0x100
[   34.757111]  ? __bad_area_nosemaphore+0x69/0x290
[   34.757111]  ? io_serial_in+0x50/0x50
[   34.757111]  ? bad_area_nosemaphore+0x16/0x20
[   34.757111]  ? do_kern_addr_fault+0x7c/0x90
[   34.757111]  ? exc_page_fault+0xcf/0xf0
[   34.757111]  ? asm_exc_page_fault+0x27/0x30
[   34.757111]  ? _raw_spin_lock_irqsave+0x32/0xa0
[   34.757111]  try_to_wake_up+0x46/0x860
[   34.757111]  ? vprintk+0x52/0x60
[   34.757111]  ? _printk+0x4b/0x50
[   34.757111]  complete+0x4c/0x80
[   34.757111]  _RNvMs3_NtCshlmskAEPslc_6kernel4fileINtB5_16OperationsVtableINtNtB7_7miscdev12Reg]
[   34.757111]  vfs_write+0x111/0x3d0
[   34.757111]  ? handle_mm_fault+0x1e5/0x2e0
[   34.757111]  ksys_write+0x5f/0xb0
[   34.757111]  __x64_sys_write+0x1b/0x20
[   34.757111]  do_syscall_64+0x35/0x50
[   34.757111]  entry_SYSCALL_64_after_hwframe+0x63/0xcd
[   34.757111] RIP: 0033:0x4ad317
[   34.757111] Code: ff ff f7 d8 64 89 02 48 c7 c0 ff ff ff ff eb b7 0f 1f 00 f3 0f 1e fa 64 8b 04
[   34.757111] RSP: 002b:00007ffc77a92d48 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
[   34.757111] RAX: ffffffffffffffda RBX: 0000000000000001 RCX: 00000000004ad317
[   34.757111] RDX: 0000000000000005 RSI: 0000000001d21a50 RDI: 0000000000000001
[   34.757111] RBP: 0000000001d21a50 R08: fefefefefefefeff R09: feff86ff65637260
[   34.757111] R10: 00000000000001b6 R11: 0000000000000246 R12: 0000000000000005
[   34.757111] R13: 0000000001d1c3a0 R14: 00007ffc77a92f01 R15: 00007ffc77a92db0
[   34.757111]  </TASK>
[   34.757111] Modules linked in: rust_ldd06(E)
[   34.757111] CR2: ffffc90000594743
[   34.757111] ---[ end trace 0000000000000000 ]---
[   34.757111] RIP: 0010:_raw_spin_lock_irqsave+0x32/0xa0
[   34.757111] Code: e5 41 57 41 56 41 54 53 49 89 ff 9c 58 0f 1f 40 00 49 89 c6 fa 0f 1f 44 00 01
[   34.757111] RSP: 0018:ffffc9000000bd30 EFLAGS: 00010046
[   34.757111] RAX: 0000000000000000 RBX: 0000000000000000 RCX: 0000000000000001
[   34.757111] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffc90000594743
[   34.757111] RBP: ffffc9000000bd50 R08: 0000000000000000 R09: 0000000000000000
[   34.757111] R10: ffffc9000000bca8 R11: 3fffffffffffffff R12: 0000000000000000
[   34.757111] R13: 0000000000000005 R14: 0000000000000097 R15: ffffc90000594743
[   34.757111] FS:  0000000001d1c3c0(0000) GS:ffff888007a00000(0000) knlGS:0000000000000000
[   34.757111] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   34.757111] CR2: ffffc90000594743 CR3: 0000000004322000 CR4: 00000000000006f0
[   34.757111] note: sh[1] exited with irqs disabled
[   34.818149] note: sh[1] exited with preempt_count 3
[   34.818663] Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009
[   34.819478] Kernel Offset: disabled
[   34.819864] ---[ end Kernel panic - not syncing: Attempted to kill init! exitcode=0x00000009 ]-
QEMU 6.2.0 monitor - type 'help' for more information

Signed-off-by: Gioh Kim <[email protected]>
gurugio added a commit to gurugio/rust-for-linux that referenced this pull request Oct 30, 2023
gurugio added a commit to gurugio/rust-for-linux that referenced this pull request Oct 31, 2023
ojeda pushed a commit that referenced this pull request Apr 29, 2024
On arm64 machines, swsusp_save() faults if it attempts to access
MEMBLOCK_NOMAP memory ranges. This can be reproduced in QEMU using UEFI
when booting with rodata=off debug_pagealloc=off and CONFIG_KFENCE=n:

  Unable to handle kernel paging request at virtual address ffffff8000000000
  Mem abort info:
    ESR = 0x0000000096000007
    EC = 0x25: DABT (current EL), IL = 32 bits
    SET = 0, FnV = 0
    EA = 0, S1PTW = 0
    FSC = 0x07: level 3 translation fault
  Data abort info:
    ISV = 0, ISS = 0x00000007, ISS2 = 0x00000000
    CM = 0, WnR = 0, TnD = 0, TagAccess = 0
    GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0
  swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000eeb0b000
  [ffffff8000000000] pgd=180000217fff9803, p4d=180000217fff9803, pud=180000217fff9803, pmd=180000217fff8803, pte=0000000000000000
  Internal error: Oops: 0000000096000007 [#1] SMP
  Internal error: Oops: 0000000096000007 [#1] SMP
  Modules linked in: xt_multiport ipt_REJECT nf_reject_ipv4 xt_conntrack nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c iptable_filter bpfilter rfkill at803x snd_hda_codec_hdmi snd_hda_intel snd_intel_dspcfg dwmac_generic stmmac_platform snd_hda_codec stmmac joydev pcs_xpcs snd_hda_core phylink ppdev lp parport ramoops reed_solomon ip_tables x_tables nls_iso8859_1 vfat multipath linear amdgpu amdxcp drm_exec gpu_sched drm_buddy hid_generic usbhid hid radeon video drm_suballoc_helper drm_ttm_helper ttm i2c_algo_bit drm_display_helper cec drm_kms_helper drm
  CPU: 0 PID: 3663 Comm: systemd-sleep Not tainted 6.6.2+ #76
  Source Version: 4e22ed63a0a48e7a7cff9b98b7806d8d4add7dc0
  Hardware name: Greatwall GW-XXXXXX-XXX/GW-XXXXXX-XXX, BIOS KunLun BIOS V4.0 01/19/2021
  pstate: 600003c5 (nZCv DAIF -PAN -UAO -TCO -DIT -SSBS BTYPE=--)
  pc : swsusp_save+0x280/0x538
  lr : swsusp_save+0x280/0x538
  sp : ffffffa034a3fa40
  x29: ffffffa034a3fa40 x28: ffffff8000001000 x27: 0000000000000000
  x26: ffffff8001400000 x25: ffffffc08113e248 x24: 0000000000000000
  x23: 0000000000080000 x22: ffffffc08113e280 x21: 00000000000c69f2
  x20: ffffff8000000000 x19: ffffffc081ae2500 x18: 0000000000000000
  x17: 6666662074736420 x16: 3030303030303030 x15: 3038666666666666
  x14: 0000000000000b69 x13: ffffff9f89088530 x12: 00000000ffffffea
  x11: 00000000ffff7fff x10: 00000000ffff7fff x9 : ffffffc08193f0d0
  x8 : 00000000000bffe8 x7 : c0000000ffff7fff x6 : 0000000000000001
  x5 : ffffffa0fff09dc8 x4 : 0000000000000000 x3 : 0000000000000027
  x2 : 0000000000000000 x1 : 0000000000000000 x0 : 000000000000004e
  Call trace:
   swsusp_save+0x280/0x538
   swsusp_arch_suspend+0x148/0x190
   hibernation_snapshot+0x240/0x39c
   hibernate+0xc4/0x378
   state_store+0xf0/0x10c
   kobj_attr_store+0x14/0x24

The reason is swsusp_save() -> copy_data_pages() -> page_is_saveable()
-> kernel_page_present() assuming that a page is always present when
can_set_direct_map() is false (all of rodata_full,
debug_pagealloc_enabled() and arm64_kfence_can_set_direct_map() false),
irrespective of the MEMBLOCK_NOMAP ranges. Such MEMBLOCK_NOMAP regions
should not be saved during hibernation.

This problem was introduced by changes to the pfn_valid() logic in
commit a7d9f30 ("arm64: drop pfn_valid_within() and simplify
pfn_valid()").

Similar to other architectures, drop the !can_set_direct_map() check in
kernel_page_present() so that page_is_saveable() skips such pages.

Fixes: a7d9f30 ("arm64: drop pfn_valid_within() and simplify pfn_valid()")
Cc: <[email protected]> # 5.14.x
Suggested-by: Mike Rapoport <[email protected]>
Suggested-by: Catalin Marinas <[email protected]>
Co-developed-by: xiongxin <[email protected]>
Signed-off-by: xiongxin <[email protected]>
Signed-off-by: Yaxiong Tian <[email protected]>
Acked-by: Mike Rapoport (IBM) <[email protected]>
Link: https://lore.kernel.org/r/[email protected]
[[email protected]: rework commit message]
Signed-off-by: Catalin Marinas <[email protected]>
Darksonn pushed a commit to Darksonn/linux that referenced this pull request Sep 23, 2024
…hunk()

[BUG]
There is an internal report that KASAN is reporting use-after-free, with
the following backtrace:

  BUG: KASAN: slab-use-after-free in btrfs_check_read_bio+0xa68/0xb70 [btrfs]
  Read of size 4 at addr ffff8881117cec28 by task kworker/u16:2/45
  CPU: 1 UID: 0 PID: 45 Comm: kworker/u16:2 Not tainted 6.11.0-rc2-next-20240805-default+ #76
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-3-gd478f380-rebuilt.opensuse.org 04/01/2014
  Workqueue: btrfs-endio btrfs_end_bio_work [btrfs]
  Call Trace:
   dump_stack_lvl+0x61/0x80
   print_address_description.constprop.0+0x5e/0x2f0
   print_report+0x118/0x216
   kasan_report+0x11d/0x1f0
   btrfs_check_read_bio+0xa68/0xb70 [btrfs]
   process_one_work+0xce0/0x12a0
   worker_thread+0x717/0x1250
   kthread+0x2e3/0x3c0
   ret_from_fork+0x2d/0x70
   ret_from_fork_asm+0x11/0x20

  Allocated by task 20917:
   kasan_save_stack+0x37/0x60
   kasan_save_track+0x10/0x30
   __kasan_slab_alloc+0x7d/0x80
   kmem_cache_alloc_noprof+0x16e/0x3e0
   mempool_alloc_noprof+0x12e/0x310
   bio_alloc_bioset+0x3f0/0x7a0
   btrfs_bio_alloc+0x2e/0x50 [btrfs]
   submit_extent_page+0x4d1/0xdb0 [btrfs]
   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
   btrfs_readahead+0x29a/0x430 [btrfs]
   read_pages+0x1a7/0xc60
   page_cache_ra_unbounded+0x2ad/0x560
   filemap_get_pages+0x629/0xa20
   filemap_read+0x335/0xbf0
   vfs_read+0x790/0xcb0
   ksys_read+0xfd/0x1d0
   do_syscall_64+0x6d/0x140
   entry_SYSCALL_64_after_hwframe+0x4b/0x53

  Freed by task 20917:
   kasan_save_stack+0x37/0x60
   kasan_save_track+0x10/0x30
   kasan_save_free_info+0x37/0x50
   __kasan_slab_free+0x4b/0x60
   kmem_cache_free+0x214/0x5d0
   bio_free+0xed/0x180
   end_bbio_data_read+0x1cc/0x580 [btrfs]
   btrfs_submit_chunk+0x98d/0x1880 [btrfs]
   btrfs_submit_bio+0x33/0x70 [btrfs]
   submit_one_bio+0xd4/0x130 [btrfs]
   submit_extent_page+0x3ea/0xdb0 [btrfs]
   btrfs_do_readpage+0x8b4/0x12a0 [btrfs]
   btrfs_readahead+0x29a/0x430 [btrfs]
   read_pages+0x1a7/0xc60
   page_cache_ra_unbounded+0x2ad/0x560
   filemap_get_pages+0x629/0xa20
   filemap_read+0x335/0xbf0
   vfs_read+0x790/0xcb0
   ksys_read+0xfd/0x1d0
   do_syscall_64+0x6d/0x140
   entry_SYSCALL_64_after_hwframe+0x4b/0x53

[CAUSE]
Although I cannot reproduce the error, the report itself is good enough
to pin down the cause.

The call trace is the regular endio workqueue context, but the
free-by-task trace is showing that during btrfs_submit_chunk() we
already hit a critical error, and are calling btrfs_bio_end_io() to error
out.  And the original endio function called bio_put() to free the whole
bio.

This means a double free, thus causing a use-after-free, e.g.:

1. Enter btrfs_submit_bio() with a read bio
   The read bio length is 128K, crossing two 64K stripes.

2. The first run of btrfs_submit_chunk()

2.1 Call btrfs_map_block(), which returns 64K
2.2 Call btrfs_split_bio()
    Now there are two bios, one referring to the first 64K, the other
    referring to the second 64K.
2.3 The first half is submitted.

3. The second run of btrfs_submit_chunk()

3.1 Call btrfs_map_block(), which somehow failed
    Now we call btrfs_bio_end_io() to handle the error

3.2 btrfs_bio_end_io() calls the original endio function
    Which is end_bbio_data_read(), and it calls bio_put() for the
    original bio.

    Now the original bio is freed.

4. The submitted first 64K bio finished
   Now we call into btrfs_check_read_bio() and try to advance the bio
   iter.
   But since the original bio (thus its iter) is already freed, we
   trigger the above use-after free.

   And even if the memory is not poisoned/corrupted, we will later call
   the original endio function, causing a double freeing.

[FIX]
Instead of calling btrfs_bio_end_io(), call btrfs_orig_bbio_end_io(),
which has the extra check on split bios and does the proper refcounting
for cloned bios.

Furthermore there is already one extra btrfs_cleanup_bio() call, but
that is duplicated to btrfs_orig_bbio_end_io() call, so remove that
label completely.

Reported-by: David Sterba <[email protected]>
Fixes: 852eee6 ("btrfs: allow btrfs_submit_bio to split bios")
CC: [email protected] # 6.6+
Reviewed-by: Josef Bacik <[email protected]>
Signed-off-by: Qu Wenruo <[email protected]>
Reviewed-by: David Sterba <[email protected]>
Signed-off-by: David Sterba <[email protected]>
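The four-step sequence in the commit message above, as an added example that is not btrfs code: a user-space model of the split-bio completion path. The function names echo the kernel's (btrfs_split_bio, btrfs_bio_end_io, btrfs_orig_bbio_end_io) but the struct, the counters and the control flow are hypothetical stand-ins. The buggy error path ends the original bio directly while a split clone still holds a reference to it, so the clone's completion touches freed memory; the fixed path drops one reference and lets the last piece to complete run the real end_io exactly once. The model records the freed-memory read but does not try to reproduce the later double free, whose outcome depends on what the freed slab object contains.

```c
/*
 * Added example (not btrfs code): a model of the split-bio completion
 * path from the commit above.  Names echo the kernel's; the struct,
 * counters and flow are hypothetical stand-ins.
 */
#include <stdbool.h>

struct model_bio {
	unsigned int length;	/* bytes still to submit */
	unsigned int iter_pos;	/* stands in for bi_iter */
	int pending_ios;	/* the original plus every split clone in flight */
	bool freed;		/* set by the original end_io's bio_put() */
	int free_count;		/* >1 would be a double free */
	int uaf_reads;		/* touches of the iter after it was freed */
};

struct model_clone {
	struct model_bio *orig;	/* a clone completes through the original */
	unsigned int len;
	unsigned int seen_pos;	/* what the clone read from the original's iter */
};

/* The filesystem's original end_io (end_bbio_data_read): bio_put(). */
static void end_bbio_data_read(struct model_bio *b)
{
	b->free_count++;
	b->freed = true;
}

/* btrfs_bio_end_io() as used by the buggy error path: runs the original
 * end_io at once, ignoring any split clone still in flight. */
static void btrfs_bio_end_io_model(struct model_bio *orig)
{
	end_bbio_data_read(orig);
}

/* btrfs_orig_bbio_end_io(): drop one reference; only the last piece to
 * complete runs the original end_io. */
static void btrfs_orig_bbio_end_io_model(struct model_bio *orig)
{
	if (--orig->pending_ios == 0)
		end_bbio_data_read(orig);
}

/* btrfs_split_bio(): carve the first map_len bytes into a clone and take
 * an extra reference on the original on the clone's behalf. */
static struct model_clone btrfs_split_bio_model(struct model_bio *orig,
						unsigned int map_len)
{
	orig->pending_ios++;
	orig->iter_pos += map_len;
	orig->length -= map_len;
	return (struct model_clone){ .orig = orig, .len = map_len };
}

/* Completion of a clone: btrfs_check_read_bio() reads the original's iter
 * (the access KASAN flagged), then ends the original via the refcount. */
static void clone_completes(struct model_clone *c)
{
	if (c->orig->freed)
		c->orig->uaf_reads++;		/* reading freed memory */
	c->seen_pos = c->orig->iter_pos;
	btrfs_orig_bbio_end_io_model(c->orig);
}

/* The commit's scenario: a 128K read crossing two 64K stripes; the first
 * half is split off and submitted, then btrfs_map_block() fails for the
 * second half.  Returns the original bio's final state. */
static struct model_bio simulate_split_error(bool fixed)
{
	struct model_bio orig = { .length = 128 * 1024, .pending_ios = 1 };
	/* 2. first btrfs_submit_chunk(): map_block returns 64K, so split */
	struct model_clone first = btrfs_split_bio_model(&orig, 64 * 1024);

	/* 3. second btrfs_submit_chunk(): map_block fails, error out */
	if (fixed)
		btrfs_orig_bbio_end_io_model(&orig);	/* 2 -> 1, clone still holds a ref */
	else
		btrfs_bio_end_io_model(&orig);		/* frees orig under the clone */

	/* 4. the first 64K completes */
	clone_completes(&first);
	return orig;
}
```

Run with fixed=false the model shows the dangling state the report describes: the original is freed while pending_ios still counts the clone, and the clone's completion reads it. With fixed=true the free happens once, after the last reference is gone.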
Labels: None yet

Successfully merging this pull request may close these issues: Emit metadata instead of link