From: Yu Kuai <yukuai1@huaweicloud.com>
To: Wang Jinchao <wangjinchao600@gmail.com>,
	Yu Kuai <yukuai1@huaweicloud.com>, Song Liu <song@kernel.org>
Cc: linux-raid@vger.kernel.org, linux-kernel@vger.kernel.org,
	"yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [PATCH] md/raid1: Fix use-after-free in reshape pool wait queue
Date: Tue, 10 Jun 2025 14:12:14 +0800
Message-ID: <43a47dfd-d0c8-3d1d-d9f9-0332434a84f2@huaweicloud.com>
In-Reply-To: <13a82dab-94c9-4616-90ff-17a8aa7bff81@gmail.com>

Hi,

On 2025/06/10 12:51, Wang Jinchao wrote:
> [  921.784898] [      C2] BUG: kernel NULL pointer dereference, address: 0000000000000002
> [  921.784907] [      C2] #PF: supervisor instruction fetch in kernel mode
> [  921.784910] [      C2] #PF: error_code(0x0010) - not-present page
> [  921.784912] [      C2] PGD 0 P4D 0
> [  921.784915] [      C2] Oops: 0010 [#1] PREEMPT SMP NOPTI
> [  921.784919] [      C2] CPU: 2 PID: 1659 Comm: zds Kdump: loaded Tainted: G     U  W   E      6.8.1-debug-0519 #49
> [  921.784922] [      C2] Hardware name: Default string Default string/Default string, BIOS DNS9V011 12/24/2024
> [  921.784923] [      C2] RIP: 0010:0x2
> [  921.784929] [      C2] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
> [  921.784931] [      C2] RSP: 0000:ffffa3fac0220c70 EFLAGS: 00010087
> [  921.784933] [      C2] RAX: 0000000000000002 RBX: ffff8890539070d8 RCX: 0000000000000000
> [  921.784935] [      C2] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffa3fac07dfc90
> [  921.784936] [      C2] RBP: ffffa3fac0220ca8 R08: 2557c7cc905cff00 R09: 0000000000000000
> [  921.784938] [      C2] R10: 0000000000000000 R11: 0000000000000000 R12: 000000008fa158a0
> [  921.784939] [      C2] R13: 2557c7cc905cfee8 R14: 0000000000000000 R15: 0000000000000000
> [  921.784941] [      C2] FS:  00007d8b034006c0(0000) GS:ffff8891bf900000(0000) knlGS:0000000000000000
> [  921.784943] [      C2] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
> [  921.784945] [      C2] CR2: ffffffffffffffd8 CR3: 00000001097be000 CR4: 0000000000f50ef0
> [  921.784946] [      C2] PKRU: 55555554
> [  921.784948] [      C2] Call Trace:
> [  921.784949] [      C2]  <IRQ>
> [  921.784950] [      C2]  ? show_regs+0x6d/0x80
> [  921.784957] [      C2]  ? __die+0x24/0x80
> [  921.784960] [      C2]  ? page_fault_oops+0x156/0x4b0
> [  921.784964] [      C2]  ? mempool_free_slab+0x17/0x30
> [  921.784968] [      C2]  ? __slab_free+0x15d/0x2e0
> [  921.784971] [      C2]  ? do_user_addr_fault+0x2ee/0x6b0
> [  921.784975] [      C2]  ? exc_page_fault+0x83/0x1b0
> [  921.784979] [      C2]  ? asm_exc_page_fault+0x27/0x30
> [  921.784984] [      C2]  ? __wake_up_common+0x76/0xb0
> [  921.784987] [      C2]  __wake_up+0x37/0x70
> [  921.784990] [      C2]  mempool_free+0xaa/0xc0
> [  921.784993] [      C2]  raid_end_bio_io+0x97/0x130 [raid1]

This is a NULL pointer dereference, not the same as a UAF; please attach the
log in the next version (and probably remove the useless info like the
timestamps and the stack entries starting with ?).

(...)

> This fix is simple enough.
> Alternatively, we could initialize conf->r1bio_pool directly, but that
> would also require handling rollback in case the initialization fails.
> What would you suggest?

I'd suggest using mempool_resize() and getting rid of the weird assignment.

Thanks,
Kuai
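As an added illustration of the suggestion above (this is not code from the thread, and it is not the kernel's mempool or raid1 code): a small user-space model in C of the two reshape strategies. The `toy_pool` structure, its waiter counter and the `toy_pool_*` functions are constructed for this example and only mimic the lifetime rules of a kernel mempool. `reshape_by_swap()` replaces the pool pointer and tears down the old pool while I/O issued against it is still in flight, so the completion path frees into a pool that no longer exists; `reshape_by_resize()` grows the same pool in place, the way `mempool_resize()` would, so every in-flight reference and the wait queue behind it stay valid.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a mempool: a reserve of elements plus a waiter
 * counter standing in for the wait_queue_head that blocked allocators
 * sleep on. In-flight I/O remembers the pool pointer it allocated from
 * and frees back to that same pointer on completion. */
struct toy_pool {
    int min_nr;        /* reserve size */
    int curr_nr;       /* reserved elements currently available */
    void **elements;   /* reserve storage */
    int waiters;       /* stand-in for the wait queue */
    int alive;         /* 0 once the pool has been torn down */
};

struct inflight {
    struct toy_pool *pool;  /* pool the element came from */
    void *elem;
};

static struct toy_pool *toy_pool_create(int min_nr)
{
    struct toy_pool *p = calloc(1, sizeof(*p));
    if (!p) return NULL;
    p->elements = calloc(min_nr, sizeof(void *));
    if (!p->elements) { free(p); return NULL; }
    for (int i = 0; i < min_nr; i++)
        p->elements[i] = malloc(64);   /* element size is arbitrary */
    p->min_nr = p->curr_nr = min_nr;
    p->alive = 1;
    return p;
}

/* Tear-down only flips 'alive' and drops the reserve; the struct itself stays
 * mapped so the model can observe a free into a dead pool instead of
 * triggering real undefined behaviour. */
static void toy_pool_destroy(struct toy_pool *p)
{
    for (int i = 0; i < p->curr_nr; i++) free(p->elements[i]);
    free(p->elements);
    p->elements = NULL;
    p->curr_nr = 0;
    p->alive = 0;
}

static void toy_pool_release(struct toy_pool *p) { free(p); }

static void *toy_pool_alloc(struct toy_pool *p)
{
    if (!p->alive || p->curr_nr == 0) { p->waiters++; return NULL; }
    return p->elements[--p->curr_nr];
}

/* Returns 0 when the element went back to a live pool, -1 when the
 * completion path freed into a pool that has already been torn down
 * (the kernel equivalent would touch a freed wait queue). */
static int toy_pool_free(struct toy_pool *p, void *elem)
{
    if (!p->alive) { free(elem); return -1; }
    if (p->curr_nr < p->min_nr) {
        p->elements[p->curr_nr++] = elem;
        if (p->waiters) p->waiters--;   /* wake_up() on a live queue */
    } else {
        free(elem);
    }
    return 0;
}

/* In-place resize: the reserve grows or shrinks while the pool identity,
 * and therefore every in-flight pointer to it, stays valid. */
static int toy_pool_resize(struct toy_pool *p, int new_min_nr)
{
    void **n = calloc(new_min_nr, sizeof(void *));
    if (!n) return -1;
    int keep = p->curr_nr < new_min_nr ? p->curr_nr : new_min_nr;
    memcpy(n, p->elements, keep * sizeof(void *));
    for (int i = keep; i < p->curr_nr; i++) free(p->elements[i]);
    for (int i = keep; i < new_min_nr; i++) n[i] = malloc(64);
    free(p->elements);
    p->elements = n;
    p->curr_nr = p->min_nr = new_min_nr;
    return 0;
}

/* Reshape by pointer swap: returns how many in-flight completions freed
 * into the destroyed pool (2 with the constructed input). */
static int reshape_by_swap(void)
{
    struct toy_pool *pool = toy_pool_create(4);
    struct inflight io[2];
    for (int i = 0; i < 2; i++) { io[i].pool = pool; io[i].elem = toy_pool_alloc(pool); }
    struct toy_pool *old = pool;
    pool = toy_pool_create(8);   /* the replacement assignment */
    toy_pool_destroy(old);       /* old pool gone, io[] still points at it */
    int bad = 0;
    for (int i = 0; i < 2; i++) if (toy_pool_free(io[i].pool, io[i].elem) < 0) bad++;
    toy_pool_release(old);
    toy_pool_destroy(pool); toy_pool_release(pool);
    return bad;
}

/* Reshape by in-place resize: same count, expected 0. */
static int reshape_by_resize(void)
{
    struct toy_pool *pool = toy_pool_create(4);
    struct inflight io[2];
    for (int i = 0; i < 2; i++) { io[i].pool = pool; io[i].elem = toy_pool_alloc(pool); }
    if (toy_pool_resize(pool, 8) < 0) return -1;
    int bad = 0;
    for (int i = 0; i < 2; i++) if (toy_pool_free(io[i].pool, io[i].elem) < 0) bad++;
    toy_pool_destroy(pool); toy_pool_release(pool);
    return bad;
}

int main(void)
{
    printf("swap: %d stale frees, resize: %d stale frees\n",
           reshape_by_swap(), reshape_by_resize());
    return 0;
}
```

The model deliberately keeps the dead pool's memory mapped and checks a flag, because the point is the ordering hazard (teardown before the last completion) rather than the crash itself; in the kernel the same ordering is what leaves the completion path calling into a wait queue that no longer belongs to a live pool.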


Thread overview:
2025-06-09 12:01 [PATCH] md/raid1: Fix use-after-free in reshape pool wait queue Wang Jinchao
2025-06-10  2:52 ` Yu Kuai
2025-06-10  4:51   ` Wang Jinchao
2025-06-10  6:12     ` Yu Kuai [this message]
