block: fix mismatch size for flush_rq
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/intel-kernel/issues/I5HEZ8 CVE: NA -------------------------------- commit 5c250d55 ("blk-mq: fix kabi broken in struct request") intrudoce 'struct request_wrapper' to fix kabi broken in 'struct request', it requires to allocate more size for 'struct request'. However, flush_rq is missed for such adaptation, which will lead to following slab-out-of-bounds: ================================================================== BUG: KASAN: slab-out-of-bounds in sg_init_table+0x23/0x40 Write of size 4096 at addr ffff88812249a148 by task swapper/0/1 Call Trace: dump_stack+0xbe/0xf9 ? sg_init_table+0x23/0x40 print_address_description.constprop.0+0x1e/0x220 ? _raw_spin_lock_irqsave+0x80/0xe0 ? _raw_write_unlock_irqrestore+0x20/0x20 ? blk_alloc_flush_queue+0xd3/0x1a0 ? sg_init_table+0x23/0x40 ? sg_init_table+0x23/0x40 kasan_report.cold+0x67/0x7f ? sg_init_table+0x23/0x40 check_memory_region+0x17c/0x1e0 memset+0x20/0x40 sg_init_table+0x23/0x40 virtblk_init_request+0x3d/0x50 ? virtblk_map_queues+0x40/0x40 blk_mq_realloc_hw_ctxs+0x44d/0xb50 blk_mq_init_allocated_queue+0x20f/0x980 ? blk_set_default_limits+0x1ac/0x1c0 ? blk_alloc_queue+0x3f0/0x410 blk_mq_init_queue_data+0x58/0xa0 virtblk_probe+0x51b/0xee0 ? cache_type_store+0x1a0/0x1a0 ? __sanitizer_cov_trace_switch+0x50/0x90 ? ioread8+0x89/0xa0 virtio_dev_probe+0x449/0x5d0 ? virtio_features_ok.part.0+0xb0/0xb0 really_probe+0x26d/0x8a0 driver_probe_device+0xef/0x280 device_driver_attach+0xaf/0xc0 __driver_attach+0x158/0x280 ? device_driver_attach+0xc0/0xc0 bus_for_each_dev+0x111/0x180 ? subsys_dev_iter_exit+0x20/0x20 ? bus_add_driver+0xb6/0x3e0 ? klist_node_init+0x7c/0xb0 bus_add_driver+0x336/0x3e0 driver_register+0x105/0x1a0 ? nbd_init+0x273/0x273 init+0x69/0xad do_one_initcall+0xcb/0x370 ? initcall_blacklisted+0x1b0/0x1b0 ? parameq+0x110/0x110 ? __kasan_kmalloc.constprop.0+0xc2/0xd0 ? kasan_unpoison_shadow+0x33/0x40 do_initcalls+0x223/0x265 kernel_init_freeable+0x2bb/0x302 ? rest_init+0xea/0xea kernel_init+0x13/0x1f6 ? rest_init+0xea/0xea ret_from_fork+0x22/0x30 Allocated by task 1: kasan_save_stack+0x1b/0x40 __kasan_kmalloc.constprop.0+0xc2/0xd0 blk_alloc_flush_queue+0xd3/0x1a0 blk_mq_realloc_hw_ctxs+0x9fa/0xb50 blk_mq_init_allocated_queue+0x20f/0x980 blk_mq_init_queue_data+0x58/0xa0 virtblk_probe+0x51b/0xee0 virtio_dev_probe+0x449/0x5d0 really_probe+0x26d/0x8a0 driver_probe_device+0xef/0x280 device_driver_attach+0xaf/0xc0 __driver_attach+0x158/0x280 bus_for_each_dev+0x111/0x180 bus_add_driver+0x336/0x3e0 driver_register+0x105/0x1a0 init+0x69/0xad do_one_initcall+0xcb/0x370 do_initcalls+0x223/0x265 kernel_init_freeable+0x2bb/0x302 kernel_init+0x13/0x1f6 ret_from_fork+0x22/0x30 Fixes: 5c250d55 ("blk-mq: fix kabi broken in struct request") Signed-off-by:Yu Kuai <yukuai3@huawei.com> Reviewed-by:
Loading
Please sign in to comment