public inbox for linux-block@vger.kernel.org
From: pragalla@codeaurora.org
To: axboe@kernel.dk, bvanassche@acm.org, evgreen@google.com,
	jianchao.w.wang@oracle.com
Cc: linux-block@vger.kernel.org, stummala@codeaurora.org
Subject: use-after-free access in bt_iter()
Date: Thu, 04 Feb 2021 17:16:16 +0530
Message-ID: <f98dd950466b0408d8589de053b02e05@codeaurora.org>

Hi Jens, Bart,

This is with regards to the use-after-free access in bt_iter().
I saw this got discussed and reported on many separate threads, but could see
more discussions and conversations over the solution were made on [1],
as pointed in [2].

[1] https://lore.kernel.org/linux-block/1545261885.185366.488.camel@acm.org/
[2] https://lkml.org/lkml/2019/2/14/942

A similar issue was reported again on 5.4 kernel during internal 
stability testing.

<2> Unable to handle kernel paging request at virtual address ffffff8107929600
<2> Mem abort info:
<2>   ESR = 0x96000007
<2>   EC = 0x25: DABT (current EL), IL = 32 bits
<2>   SET = 0, FnV = 0
<2>   EA = 0, S1PTW = 0
<2> Data abort info:
<2>   ISV = 0, ISS = 0x00000007
<2>   CM = 0, WnR = 0
<2> swapper pgtable: 4k pages, 39-bit VAs, pgdp=00000000a2603000
<2> [ffffff8107929600] pgd=00000001bf909003, pud=00000001bf909003, pmd=00000001bf8cc003, pte=0068000187929f12
<2> Internal error: Oops: 96000007 [#1] PREEMPT SMP
<2> Skip md ftrace buffer dump for: 0x1609e0

<2> CPU: 0 PID: 220 Comm: kworker/0:1H Tainted: G S      W  O      5.4.61-qgki-debug-g85faaf6 #2
<2> Workqueue: kblockd blk_mq_timeout_work
<2> pstate: 20c00005 (nzCv daif +PAN +UAO)
<2> pc : bt_for_each+0x114/0x1a4
<2> lr : bt_for_each+0xe0/0x1a4
<2> sp : ffffffc017f7bc60
<2> x29: ffffffc017f7bc80 x28: 0000000000000001
<2> x27: 0000000000000008 x26: 0000000000000001
<2> x25: 0000000000000001 x24: 0000000000000008
<2> x23: ffffff8107bcd800 x22: ffffff810872bd10
<2> x21: ffffffd764e6ea50 x20: 0000000000000008
<2> x19: 0000000000000000 x18: ffffffc017f51030
<2> x17: 0000000005f5e100 x16: 0000000000000000
<2> x15: ffffffffff84bf5c x14: 0000000000000598
<2> x13: 0000000000000008 x12: 00000000212d4a53
<2> x11: 00000000000000ff x10: 0000000000000000
<2> x9 : ffffff810872cd00 x8 : 0000000000000009
<2> x7 : 0000000000000000 x6 : ffffffd763890758
<2> x5 : 0000000000000000 x4 : 0000000000000000
<2> x3 : ffffffc017f7bd20 x2 : 0000000000000001
<2> x1 : ffffff8107929600 x0 : 0000000000000001
<2> Call trace:
<2>  bt_for_each+0x114/0x1a4
<2>  blk_mq_queue_tag_busy_iter+0xd8/0x1a4
<2>  blk_mq_timeout_work+0xd4/0x1c0
<2>  process_one_work+0x280/0x460
<2>  worker_thread+0x27c/0x4dc
<2>  kthread+0x160/0x170
<2>  ret_from_fork+0x10/0x18

Has this issue been fixed in any latest kernel? If so, can you please
help point to the patch?
If it has not been fixed, can we have a final solution? I can even help in
testing the solution.

Thanks and Regards,
Pradeep
