From: Ming Lei <ming.lei@redhat.com>
To: Greg KH <greg@kroah.com>
Cc: Yi Zhang <yi.zhang@redhat.com>,
linux-block <linux-block@vger.kernel.org>,
stable@vger.kernel.org
Subject: Re: [bug report] NULL pointer at blk_mq_put_rq_ref+0x20/0xb4 observed with blktests on 5.13.15
Date: Fri, 10 Sep 2021 09:43:28 +0800
Message-ID: <YTq4QFWexPF9aQvG@T590>
In-Reply-To: <YTnc5Ja/DKR30Euy@kroah.com>
On Thu, Sep 09, 2021 at 12:07:32PM +0200, Greg KH wrote:
> On Thu, Sep 09, 2021 at 05:14:18PM +0800, Ming Lei wrote:
> > On Thu, Sep 9, 2021 at 4:47 PM Yi Zhang <yi.zhang@redhat.com> wrote:
> > >
> > > Hello
> > >
> > > I found this issue with blktests on [1]; did we miss some patch on stable?
> > > [1] https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git queue/5.13
> > >
> > > [ 68.989907] run blktests block/006 at 2021-09-09 04:34:35
> > > [ 69.085724] null_blk: module loaded
> > > [ 74.271624] Unable to handle kernel NULL pointer dereference at virtual address 00000000000002b8
> > > [ 74.280414] Mem abort info:
> > > [ 74.283195] ESR = 0x96000004
> > > [ 74.286245] EC = 0x25: DABT (current EL), IL = 32 bits
> > > [ 74.291545] SET = 0, FnV = 0
> > > [ 74.294587] EA = 0, S1PTW = 0
> > > [ 74.297720] Data abort info:
> > > [ 74.300588] ISV = 0, ISS = 0x00000004
> > > [ 74.304411] CM = 0, WnR = 0
> > > [ 74.307368] user pgtable: 4k pages, 48-bit VAs, pgdp=000008004366e000
> > > [ 74.313796] [00000000000002b8] pgd=0000000000000000, p4d=0000000000000000
> > > [ 74.320577] Internal error: Oops: 96000004 [#1] SMP
> > > [ 74.325443] Modules linked in: null_blk mlx5_ib ib_uverbs ib_core rfkill sunrpc vfat fat joydev acpi_ipmi ipmi_ssif cdc_ether usbnet mii mlx5_core psample ipmi_devintf mlxfw tls ipmi_msghandler arm_cmn cppc_cpufreq arm_dsu_pmu acpi_tad fuse zram ip_tables xfs ast i2c_algo_bit drm_vram_helper drm_kms_helper crct10dif_ce syscopyarea ghash_ce sysfillrect uas sysimgblt sbsa_gwdt fb_sys_fops cec drm_ttm_helper ttm nvme usb_storage nvme_core drm xgene_hwmon aes_neon_bs
> > > [ 74.366458] CPU: 31 PID: 2511 Comm: fio Not tainted 5.13.15+ #1
> >
> > Looks like the fixes haven't landed on linux-5.13.y:
> >
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=a9ed27a764156929efe714033edb3e9023c5f321
> > https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?id=c2da19ed50554ce52ecbad3655c98371fe58599f
>
> Now queued up. Someone could have told us they were needed :)
Thanks for queuing it up, sorry for not Cc'ing stable.

BTW, the following two patches are missing too in linux-5.13.y:

364b61818f65 blk-mq: clearing flush request reference in tags->rqs[]
bd63141d585b blk-mq: clear stale request in tags->rq[] before freeing one request pool

Both fix a request UAF issue.
Thanks,
Ming
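As an added triage helper (editor's example, not code from this thread or from the kernel tree), the script below decodes the raw arm64 ESR value from the quoted oops into the same fields the kernel prints under "Mem abort info:" and "Data abort info:", so the pasted breakdown can be cross-checked, and flags the fault address as a NULL-plus-offset dereference. Bit positions follow the Arm architecture description of ESR_EL1 for a Data Abort; the sample lines are copied from the report above (re-joined where the mail wrapped them); the 4 KiB page size is an assumption taken from the report's "4k pages" line.

```python
"""Decode an arm64 Data Abort ESR from a kernel oops and triage the fault address.

Editor's example, not part of the original thread.  Field layout follows the
Arm ARM description of ESR_EL1 for a Data Abort (EC 0x24 / 0x25).
"""
import re

# Data Fault Status Code (DFSC, ISS bits [5:0]) short names.
DFSC_NAMES = {
    0x04: "translation fault, level 0",
    0x05: "translation fault, level 1",
    0x06: "translation fault, level 2",
    0x07: "translation fault, level 3",
    0x09: "access flag fault, level 1",
    0x0a: "access flag fault, level 2",
    0x0b: "access flag fault, level 3",
    0x0d: "permission fault, level 1",
    0x0e: "permission fault, level 2",
    0x0f: "permission fault, level 3",
}

# Sample oops lines copied from the bug report above (wrapped lines re-joined).
SAMPLE_OOPS = """\
[   74.271624] Unable to handle kernel NULL pointer dereference at virtual address 00000000000002b8
[   74.280414] Mem abort info:
[   74.283195]   ESR = 0x96000004
[   74.286245]   EC = 0x25: DABT (current EL), IL = 32 bits
[   74.291545]   SET = 0, FnV = 0
[   74.294587]   EA = 0, S1PTW = 0
[   74.297720] Data abort info:
[   74.300588]   ISV = 0, ISS = 0x00000004
[   74.304411]   CM = 0, WnR = 0
"""

ADDR_RE = re.compile(r"at virtual address ([0-9a-fA-F]+)")
ESR_RE = re.compile(r"ESR = 0x([0-9a-fA-F]+)")


def decode_esr(esr: int) -> dict:
    """Split an ESR_EL1 value into the fields the arm64 oops printer shows."""
    ec = (esr >> 26) & 0x3F          # Exception Class, bits [31:26]
    il = (esr >> 25) & 0x1           # Instruction Length, bit 25
    iss = esr & 0x1FFFFFF            # Instruction Specific Syndrome, bits [24:0]
    fields = {"EC": ec, "IL": 32 if il else 16, "ISS": iss}
    if ec in (0x24, 0x25):           # Data Abort from lower / current EL
        fields.update({
            "EC_desc": "DABT (lower EL)" if ec == 0x24 else "DABT (current EL)",
            "ISV": (iss >> 24) & 1,  # syndrome valid (register/size info present)
            "SET": (iss >> 11) & 3,  # synchronous error type
            "FnV": (iss >> 10) & 1,  # FAR not valid
            "EA": (iss >> 9) & 1,    # external abort
            "CM": (iss >> 8) & 1,    # cache maintenance
            "S1PTW": (iss >> 7) & 1, # fault on stage-1 page-table walk
            "WnR": (iss >> 6) & 1,   # 1 = write, 0 = read
            "DFSC": iss & 0x3F,
        })
        fields["DFSC_desc"] = DFSC_NAMES.get(fields["DFSC"], "other")
    return fields


def triage_oops(text: str, page_size: int = 4096) -> dict:
    """Pull the fault address and ESR out of oops text and classify the fault.

    page_size is an assumption (the report says "4k pages"); arm64's kernel
    fault handler labels faults below PAGE_SIZE as NULL pointer dereferences,
    in which case the address is the offset of the field read through a NULL
    struct pointer.
    """
    addr = int(ADDR_RE.search(text).group(1), 16)
    esr = int(ESR_RE.search(text).group(1), 16)
    info = decode_esr(esr)
    info["fault_addr"] = addr
    info["null_deref"] = addr < page_size
    info["access"] = "write" if info.get("WnR") else "read"
    return info


if __name__ == "__main__":
    result = triage_oops(SAMPLE_OOPS)
    for key, value in result.items():
        print(f"{key:>10}: {value:#x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key:>10}: {value}")
```

For the quoted report this yields EC 0x25 (data abort at the current EL), a 32-bit instruction, ISS 0x4, WnR 0 (a read) and DFSC 0x04 (level-0 translation fault, consistent with the printed pgd=0), with the address 0x2b8 below the 4 KiB page, i.e. a read of a field at offset 0x2b8 through a NULL pointer, which is exactly the stale-request pattern the missing tags->rqs[] fixes address.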
Thread overview: 6+ messages
2021-09-09 8:47 [bug report] NULL pointer at blk_mq_put_rq_ref+0x20/0xb4 observed with blktests on 5.13.15 Yi Zhang
2021-09-09 9:14 ` Ming Lei
2021-09-09 10:07 ` Greg KH
2021-09-10 1:43 ` Ming Lei [this message]
2021-09-10 6:50 ` Greg KH
2021-09-15 10:35 ` Jack Wang