On Thu, 18 Sep 2025, Shinichiro Kawasaki wrote:
> On Sep 15, 2025 / 17:42, Mikulas Patocka wrote:
> [...]
> > If the table has only linear targets and there is just one underlying
> > device, we can optimize REQ_PREFLUSH with data - we don't have to split
> > it to two bios - a flush and a write. We can pass it to the linear target
> > directly.
> >
> > Signed-off-by: Mikulas Patocka <mpato...@redhat.com>
> > Tested-by: Bart Van Assche <bvanass...@acm.org>
> >
> > ---
> > drivers/md/dm-core.h | 1 +
> > drivers/md/dm.c | 31 +++++++++++++++++++++++--------
> > 2 files changed, 24 insertions(+), 8 deletions(-)
> >
> > Index: linux-2.6/drivers/md/dm.c
> > ===================================================================
> > --- linux-2.6.orig/drivers/md/dm.c 2025-09-15 17:30:25.000000000 +0200
> > +++ linux-2.6/drivers/md/dm.c 2025-09-15 17:35:47.000000000 +0200
> [...]
> > @@ -976,11 +972,12 @@ static void __dm_io_complete(struct dm_i
> > if (requeued)
> > return;
> >
> > - if (bio_is_flush_with_data(bio)) {
> > + if (unlikely(io->requeue_flush_with_data)) {
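Review bot: the new test of io->requeue_flush_with_data in __dm_io_complete() dereferences io after the object has already been released. In the function as listed further down in this thread, free_io(io) runs at line 963 while this check sits at line 975, so the read is a use-after-free of the dm_io object (the KASAN slab-use-after-free reported in this thread). Suggest snapshotting the flag into a local before free_io(io), e.g. "bool requeue_flush_with_data = io->requeue_flush_with_data;" near the top of the function, and testing that local here instead of io.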
>
> Hello Mikulas,
>
> Last night, I ran my fio test for zoned block devices using the linux-next kernel
> with the tag "next-20250917" and dm-crypt on a QEMU ZNS drive. Then I observed a
> KASAN slab-use-after-free [1]. It happened at "__dm_io_complete+0x866/0x960",
> which points to the line above added by this patch. It looks like 'io' is freed
> before the reference to io->requeue_flush_with_data. I checked the function
> __dm_io_complete(), and found that free_io(io) is called just before the line
> of the KASAN report. It looks weird to me to access io->requeue_flush_with_data
> after freeing io. Do you think this is the cause of the KASAN?
>
> 961                 dm_end_io_acct(io);
> 962         }
> 963         free_io(io); <-------------------------------- free io here?
> 964         smp_wmb();
> 965         this_cpu_dec(*md->pending_io);
> 966
> 967         /* nudge anyone waiting on suspend queue */
> 968         if (unlikely(wq_has_sleeper(&md->wait)))
> 969                 wake_up(&md->wait);
> 970
> 971         /* Return early if the original bio was requeued */
> 972         if (requeued)
> 973                 return;
> 974
> 975         if (unlikely(io->requeue_flush_with_data)) { <---- KASAN suaf
> 976                 /*
> 977                  * Preflush done for flush with data, reissue
> 978                  * without REQ_PREFLUSH.
>
> I ran the fio test under the same condition several times, but I'm failing to
> recreate the KASAN so far. This KASAN looks very rare.
>
> [1]
Hi
Thanks for testing it. I fixed it and folded the fix into the existing
patch. You can get it here:
https://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm.git/log/?h=for-next
Mikulas
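As an added illustration, not the kernel's code and not the fix Mikulas folded into the patch: a hypothetical user-space model of the ordering discussed in this thread, with a completion function that frees the dm_io object and then consults its requeue_flush_with_data flag, next to the ordering that snapshots the flag first. The struct, the one-slot slab, the poison value and the function names are assumptions of this example.

```c
#include <assert.h>
#include <string.h>

/* Hypothetical user-space model of the dm_io completion ordering discussed
 * in this thread; not the kernel's code. The int field stands in for
 * io->requeue_flush_with_data so a poisoned object reads as a well-defined
 * nonzero value. */
struct dm_io {
	int requeue_flush_with_data;
};

/* One-slot "slab" standing in for the dm_io mempool. free_io() poisons the
 * object the way slab debugging and KASAN make stale reads visible. */
static struct dm_io slab_slot;
static int slab_slot_in_use;

static struct dm_io *alloc_io(int flush_with_data)
{
	assert(!slab_slot_in_use);
	slab_slot_in_use = 1;
	memset(&slab_slot, 0, sizeof(slab_slot));
	slab_slot.requeue_flush_with_data = flush_with_data;
	return &slab_slot;
}

static void free_io(struct dm_io *io)
{
	memset(io, 0xa5, sizeof(*io)); /* poison: the object is gone */
	slab_slot_in_use = 0;
}

/* Ordering of the original patch: free first, then consult the flag.
 * Returns 1 when the completion path would reissue the bio without
 * REQ_PREFLUSH; on a poisoned object it answers 1 whatever the real flag was. */
static int complete_buggy(struct dm_io *io)
{
	free_io(io);
	return io->requeue_flush_with_data != 0; /* read of freed memory */
}

/* Fixed ordering: snapshot the flag into a local before free_io(). */
static int complete_fixed(struct dm_io *io)
{
	int reissue = io->requeue_flush_with_data;

	free_io(io);
	return reissue != 0;
}
```

The buggy ordering reissues every completed bio, because the poisoned flag is never zero; the fixed ordering reissues only when the flag was actually set.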