From: Yu Kuai <yukuai1@huaweicloud.com>
To: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>,
Yang Erkun <yangerkun@huaweicloud.com>
Cc: linux-block@vger.kernel.org, yangerkun@huawei.com,
axboe@kernel.dk, ulf.hansson@linaro.org, hch@lst.de,
houtao1@huawei.com, "yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH] brd: fix null pointer when modprobe brd
Date: Sat, 26 Oct 2024 09:21:28 +0800 [thread overview]
Message-ID: <05915eac-e5c7-c293-d960-a781e91fd23d@huaweicloud.com> (raw)
In-Reply-To: <a55c8d7e-cfd7-4ab9-ab45-bd7fdecaaf3c@I-love.SAKURA.ne.jp>
Hi,
在 2024/10/25 18:40, Tetsuo Handa 写道:
> On 2024/10/25 16:05, Yang Erkun wrote:
>> From: Yang Erkun <yangerkun@huawei.com>
>>
>> My colleague Wupeng found the following problems during fault injection:
>>
>> BUG: unable to handle page fault for address: fffffbfff809d073
>
> Excuse me, but subject says "null pointer" whereas dmesg says
> "not a null pointer dereference". Is this a use-after-free bug?
> Also, what verb comes after "when modprobe brd" ?
>
> Is this problem happening with parallel execution? If yes, parallelly
> running what and what?
The problem is straightforward, to be short,
T1: morprobe brd
brd_init
brd_alloc
add_disk
T2: open brd
bdev_open
try_module_get
// err path
brd_cleanup
// dereference brd_fops() while module is freed.
Thanks,
Kuai
>
> Is this problem happening with what fault injection?
> What function (exact location in source code with call trace) has
> failed due to fault injection?
>
>> Call Trace:
>> <TASK>
>> blkdev_put_whole+0x41/0x70
>> bdev_release+0x1a3/0x250
>> blkdev_release+0x11/0x20
>> __fput+0x1d7/0x4a0
>> task_work_run+0xfc/0x180
>> syscall_exit_to_user_mode+0x1de/0x1f0
>> do_syscall_64+0x6b/0x170
>> entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> This suggests that a userspace process has open()ed the device
> before brd_init() from modprobe completed?
>
> Please show more context including execution flow until crash.
>
> CPU0: (or Process1) CPU1: (or Process2)
> does what?
> does what?
> does what?
> does what and is wrong?
>
> Also, you don't need to embed brd_cleanup() into the caller
> just because the caller becomes 1 by this change.
>
> .
>
next prev parent reply other threads:[~2024-10-26 1:21 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-25 7:05 [PATCH] brd: fix null pointer when modprobe brd Yang Erkun
2024-10-25 7:59 ` Yu Kuai
2024-10-28 2:10 ` yangerkun
2024-10-25 10:40 ` Tetsuo Handa
2024-10-26 1:21 ` Yu Kuai [this message]
2024-10-26 5:55 ` Tetsuo Handa
2024-10-26 6:28 ` Yu Kuai
2024-10-26 8:06 ` Tetsuo Handa
2024-10-28 2:15 ` yangerkun
2024-11-01 0:31 ` Luis Chamberlain
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=05915eac-e5c7-c293-d960-a781e91fd23d@huaweicloud.com \
--to=yukuai1@huaweicloud.com \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=houtao1@huawei.com \
--cc=linux-block@vger.kernel.org \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=ulf.hansson@linaro.org \
--cc=yangerkun@huawei.com \
--cc=yangerkun@huaweicloud.com \
--cc=yukuai3@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox