Message-Id: <20201121045523.2692410-1-ztong0001@gmail.com>
Date:   Fri, 20 Nov 2020 23:55:16 -0500
From:   Tong Zhang <ztong0001@...il.com>
To:     Junxiao Bi <junxiao.bi@...cle.com>,
        Al Viro <viro@...iv.linux.org.uk>,
        Joseph Qi <joseph.qi@...ux.alibaba.com>,
        "Matthew Wilcox (Oracle)" <willy@...radead.org>,
        John Hubbard <jhubbard@...dia.com>,
        Tong Zhang <ztong0001@...il.com>, linux-kernel@...r.kernel.org
Subject: [PATCH v1] qnx6: avoid double release bh

set bh to NULL to avoid double release

[   38.848384] qnx6: superblock #1 active
[   38.855489] attempt to access beyond end of device
[   38.855489] sdb: rw=0, want=6359988796, limit=200000
[   38.855852] Buffer I/O error on dev sdb, logical block 3179994397, async page read
[   38.856327] attempt to access beyond end of device
[   38.856327] sdb: rw=0, want=1390132904, limit=200000
[   38.856513] Buffer I/O error on dev sdb, logical block 695066451, async page read
[   38.856800] attempt to access beyond end of device
[   38.856800] sdb: rw=0, want=1646095356, limit=200000
[   38.857059] Buffer I/O error on dev sdb, logical block 823047677, async page read
[   38.857339] attempt to access beyond end of device
[   38.857339] sdb: rw=0, want=2511434484, limit=200000
[   38.857504] Buffer I/O error on dev sdb, logical block 1255717241, async page read
[   38.857911] qnx6: major problem: unable to read inode from dev sdb
[   38.858318] qnx6: get inode failed
[   38.866847] ------------[ cut here ]------------
[   38.866992] VFS: brelse: Trying to free free buffer
[   38.867406] WARNING: CPU: 0 PID: 159 at fs/buffer.c:1177 __brelse+0x31/0x50
[   38.867576] Modules linked in:
[   38.867933] CPU: 0 PID: 159 Comm: mount Not tainted 5.10.0-rc4+ #97
[   38.868068] Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS rel-1.13.0-48-gd9c812d4
[   38.868408] RIP: 0010:__brelse+0x31/0x50
[   38.868562] Code: 00 00 00 53 48 89 fb 48 89 ef e8 ea 89 f8 ff 48 89 ef e8 c2 a6 f8 ff 8b 40
[   38.868877] RSP: 0018:ffff8880042a7b90 EFLAGS: 00000082
[   38.869119] RAX: 0000000000000000 RBX: ffff888002eeaa80 RCX: 0000000000000000
[   38.869286] RDX: dffffc0000000000 RSI: 0000000000000008 RDI: ffffed1000854f64
[   38.869419] RBP: ffff888002eeaae0 R08: 0000000000000000 R09: ffffed1000854f03
[   38.869553] R10: ffff8880042a7817 R11: ffffed1000854f02 R12: ffffffffa8b71460
[   38.869687] R13: 0000000000000000 R14: ffffffffa8b70a10 R15: 0000000000000000
[   38.869854] FS:  00007f2e41c2a6a0(0000) GS:ffff888016200000(0000) knlGS:0000000000000000
[   38.869996] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   38.870103] CR2: 00000000004ad288 CR3: 00000000027ca000 CR4: 00000000000006f0
[   38.870281] Call Trace:
[   38.870572]  invalidate_bh_lru+0x2d/0x50
[   38.870702]  on_each_cpu_cond_mask+0x64/0x80
[   38.870808]  kill_bdev.isra.0+0x36/0x50
[   38.870904]  __blkdev_put+0x10d/0x370
[   38.871030]  ? freeze_bdev+0xf0/0xf0
[   38.871123]  ? _raw_read_lock_irq+0x30/0x30
[   38.871224]  ? mutex_unlock+0x18/0x40
[   38.871320]  deactivate_locked_super+0x50/0x90
[   38.871420]  mount_bdev+0x20f/0x220
[   38.871513]  ? qnx6_iget+0x460/0x460
[   38.871603]  ? qnx6_readpage+0x10/0x10
[   38.871694]  legacy_get_tree+0x6b/0xa0
[   38.871791]  vfs_get_tree+0x41/0x110
[   38.871887]  path_mount+0x3b3/0xd50
[   38.871984]  ? finish_automount+0x2b0/0x2b0
[   38.872085]  ? getname_flags+0x100/0x2a0
[   38.872182]  do_mount+0xc5/0xe0
[   38.872272]  ? path_mount+0xd50/0xd50
[   38.872366]  ? memdup_user+0x3c/0x80
[   38.872458]  __x64_sys_mount+0xb9/0xf0
[   38.872555]  do_syscall_64+0x33/0x40
[   38.872649]  entry_SYSCALL_64_after_hwframe+0x44/0xa9
[   38.872823] RIP: 0033:0x7f2e41ba8515
[   38.873013] Code: b8 b0 00 00 00 0f 05 48 3d 00 f0 ff ff 76 10 48 8b 15 5f 79 06 00 f7 d8 63
[   38.873257] RSP: 002b:00007ffd2d0eaaf8 EFLAGS: 00000202 ORIG_RAX: 00000000000000a5
[   38.873420] RAX: ffffffffffffffda RBX: 0000000000008001 RCX: 00007f2e41ba8515
[   38.873537] RDX: 00007ffd2d0ecf62 RSI: 00007ffd2d0ecf54 RDI: 00007ffd2d0ecf4b
[   38.873652] RBP: 00007ffd2d0eac80 R08: 0000000000000000 R09: 00007f2e41bf1480
[   38.873766] R10: 0000000000008001 R11: 0000000000000202 R12: 0000000000000000
[   38.873882] R13: 00007f2e41c2a690 R14: 0000000000000000 R15: 0000000000000000
[   38.874049] ---[ end trace cc983a0044562d15 ]---

Signed-off-by: Tong Zhang <ztong0001@...il.com>
---
 fs/qnx6/inode.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/fs/qnx6/inode.c b/fs/qnx6/inode.c
index 61191f7bdf62..9fbe2b29bd9b 100644
--- a/fs/qnx6/inode.c
+++ b/fs/qnx6/inode.c
@@ -404,12 +404,14 @@ static int qnx6_fill_super(struct super_block *s, void *data, int silent)
 		sbi->sb_buf = bh1;
 		sbi->sb = (struct qnx6_super_block *)bh1->b_data;
 		brelse(bh2);
+		bh2 = NULL;
 		pr_info("superblock #1 active\n");
 	} else {
 		/* superblock #2 active */
 		sbi->sb_buf = bh2;
 		sbi->sb = (struct qnx6_super_block *)bh2->b_data;
 		brelse(bh1);
+		bh1 = NULL;
 		pr_info("superblock #2 active\n");
 	}
 mmi_success:
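Review bot: the two `= NULL` assignments after `brelse(bh2)` and `brelse(bh1)` only make sense if a later path releases both locals again, and neither the hunk nor the changelog says which path that is. The log shows the `__brelse` warning right after "qnx6: get inode failed", so the commit message should name the error path that calls brelse() on bh1 and bh2 a second time and note that brelse() ignores a NULL pointer; a short comment at each assignment would keep that reason visible in the code. It is also worth confirming how that path handles the retained buffer, which after this block is reachable through both the local (`bh1` or `bh2`) and `sbi->sb_buf`, so that it is released through only one of them.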
-- 
2.25.1
