From: Oleksandr Natalenko <oleksandr@natalenko.name>
To: linux-kernel@vger.kernel.org
Cc: Paolo Valente <paolo.valente@linaro.org>,
Jens Axboe <axboe@kernel.dk>,
linux-block@vger.kernel.org
Subject: Re: BUG: KFENCE: use-after-free read in bfq_exit_icq_bfqq+0x132/0x270
Date: Mon, 02 Jan 2023 12:49:19 +0100
Message-ID: <1842801.CQOukoFCf9@natalenko.name>
In-Reply-To: <8202004.NyiUUSuA9g@natalenko.name>
On Monday, 2 January 2023 12:45:30 CET Oleksandr Natalenko wrote:
> This is a sudden splash I've got while just using my workstation:
>
> ==================================================================
> BUG: KFENCE: use-after-free read in bfq_exit_icq_bfqq+0x132/0x270
> Use-after-free read at 0x00000000e57c579c (in kfence-#173):
> bfq_exit_icq_bfqq+0x132/0x270
> bfq_exit_icq+0x5e/0x80
> exit_io_context+0x88/0xb0
> do_exit+0x66c/0xb80
> kthread_exit+0x29/0x30
> kthread+0xbd/0x110
> ret_from_fork+0x22/0x30
>
> kfence-#173: 0x000000005d7be631-0x000000006ad0b684, size=568, cache=bfq_queue
> allocated by task 40147 on cpu 16 at 13975.114285s:
> bfq_get_queue+0xdf/0x4e0
> bfq_get_bfqq_handle_split+0x75/0x170
> bfq_insert_requests+0x832/0x2580
> blk_mq_sched_insert_requests+0x63/0x150
> blk_mq_flush_plug_list+0x122/0x360
> __blk_flush_plug+0x106/0x160
> blk_finish_plug+0x29/0x40
> dm_bufio_prefetch+0x108/0x4d0 [dm_bufio]
> dm_tm_issue_prefetches+0x44/0x70 [dm_persistent_data]
> dm_pool_issue_prefetches+0x39/0x43 [dm_thin_pool]
> do_worker+0x4c/0xd60 [dm_thin_pool]
> process_one_work+0x258/0x410
> worker_thread+0x55/0x4c0
> kthread+0xde/0x110
> ret_from_fork+0x22/0x30
>
> freed by task 40147 on cpu 20 at 14500.096700s:
> bfq_put_queue+0x185/0x2d0
> bfq_exit_icq_bfqq+0x129/0x270
> bfq_exit_icq+0x5e/0x80
> exit_io_context+0x88/0xb0
> do_exit+0x66c/0xb80
> kthread_exit+0x29/0x30
> kthread+0xbd/0x110
> ret_from_fork+0x22/0x30
>
> CPU: 20 PID: 40147 Comm: kworker/dying Tainted: G W 6.1.0-pf2 #1 ff5dbde5ea280110a73397797e059b8558cda111
> Hardware name: ASUS System Product Name/Pro WS X570-ACE, BIOS 4304 12/12/2022
> ==================================================================
>
> I'm using v6.1.2, never experienced this before and cannot reproduce it at will. This kernel does not have any extra patches for the block layer on top of v6.1.2.
>
> In case you know what's going on, please let me know.
I assume 246cf66e30 ("block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq") may have fixed the issue. This commit is pending for the upcoming v6.1.3.
--
Oleksandr Natalenko (post-factum)
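A KFENCE report like the one quoted above has a fixed text layout, so a small parser that turns it into structured records makes the first triage step (who freed the object, and is the faulting frame a caller of that free) repeatable. The following is an added example, not code from this thread or from the kernel; its sample input is the quoted report with the ">" quoting stripped and the deeper stack frames trimmed.

```python
import re
# Constructed sample: the KFENCE report quoted above, ">" stripped, stacks trimmed.
REPORT = """\
BUG: KFENCE: use-after-free read in bfq_exit_icq_bfqq+0x132/0x270
 bfq_exit_icq_bfqq+0x132/0x270
 bfq_exit_icq+0x5e/0x80
kfence-#173: 0x000000005d7be631-0x000000006ad0b684, size=568, cache=bfq_queue
allocated by task 40147 on cpu 16 at 13975.114285s:
 bfq_get_queue+0xdf/0x4e0
 dm_bufio_prefetch+0x108/0x4d0 [dm_bufio]
freed by task 40147 on cpu 20 at 14500.096700s:
 bfq_put_queue+0x185/0x2d0
 bfq_exit_icq_bfqq+0x129/0x270
CPU: 20 PID: 40147 Comm: kworker/dying Tainted: G W 6.1.0-pf2 #1
"""
BUG = re.compile(r"^BUG: KFENCE: (.+?) in (\w+)\+0x([0-9a-f]+)/")
OBJ = re.compile(r"^kfence-#\d+: .*size=(\d+), cache=(\w+)$")
EVENT = re.compile(r"^(allocated|freed) by task (\d+) on cpu (\d+) at ([\d.]+)s:$")
FRAME = re.compile(r"^\s*(\w+)\+0x([0-9a-f]+)/0x[0-9a-f]+(?:\s+\[\w+\])?$")
PID = re.compile(r"^CPU: \d+ PID: (\d+) Comm: (\S+)")
def parse_kfence(text):
    """Split a report into access/allocated/freed records; each stack is a list
    of (symbol, offset) tuples, innermost frame first."""
    rep = {"access": {"stack": []}, "allocated": None, "freed": None}
    cur = rep["access"]
    for line in text.splitlines():
        if m := BUG.match(line):
            cur.update(kind=m[1], symbol=m[2], offset=int(m[3], 16))
        elif m := OBJ.match(line):
            rep.update(size=int(m[1]), cache=m[2])
        elif m := EVENT.match(line):
            cur = rep[m[1]] = {"task": int(m[2]), "cpu": int(m[3]), "time": float(m[4]), "stack": []}
        elif m := PID.match(line):
            rep["access"].update(pid=int(m[1]), comm=m[2])
        elif m := FRAME.match(line):
            cur["stack"].append((m[1], int(m[2], 16)))
    return rep

def triage(rep):
    """Use-after-free checks: who freed the object, did the faulting task free it, and
    does the faulting function sit on the free stack with the fault past its call into the free."""
    acc, freed, alloc = rep["access"], rep["freed"], rep["allocated"]
    if freed is None or not acc["kind"].startswith("use-after-free"):
        return None
    call_site = dict(freed["stack"]).get(acc["symbol"])  # offset of that call, if any
    return {"object": f'{rep["cache"]} ({rep["size"]} bytes)',
            "freed_by": freed["stack"][0][0],
            "same_task": acc.get("pid") == freed["task"],
            "lifetime_s": round(freed["time"] - alloc["time"], 3),
            "fault_after_free_call": call_site is not None and acc["offset"] > call_site}
```

On this report the result says the bfq_queue object was freed by bfq_put_queue called from bfq_exit_icq_bfqq+0x129 and then read at bfq_exit_icq_bfqq+0x132 by the same task, which matches the fix title quoted in the reply.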