From: Shinichiro Kawasaki <shinichiro.kawasaki@wdc.com>
To: Yu Kuai <yukuai1@huaweicloud.com>
Cc: "linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
	Paolo Valente <paolo.valente@linaro.org>, Jan Kara <jack@suse.cz>,
	"yukuai (C)" <yukuai3@huawei.com>
Subject: Re: [bug report] BUG: KASAN: use-after-free in bic_set_bfqq
Date: Thu, 12 Jan 2023 13:14:27 +0000
Message-ID: <20230112131426.bjosgrpfq6xmazci@shindev>
In-Reply-To: <6933fa2d-014c-8773-39d9-680ad9fca98c@huaweicloud.com>

On Jan 12, 2023 / 19:47, Yu Kuai wrote:
> Hi,
> 
> On 2023/01/12 19:38, Shinichiro Kawasaki wrote:
> > I observed another KASAN uaf related to bfq. I would like to ask bfq experts
> > to take a look at it. The whole KASAN message is attached below. It looks different
> > from another uaf fixed with 246cf66e300b ("block, bfq: fix uaf for bfqq in
> > bfq_exit_icq_bfqq").
> > 
> > It was observed for the first time during a blktests test case block/027 run on kernel
> > v6.2-rc3. Depending on the test machine, it was recreated during system boot or ssh
> > login occasionally. When I repeat system reboot and ssh-login twice, the uaf is
> > recreated.
> > 
> > I guess 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") could be
> > the trigger commit. I cherry-picked the two commits 64dc8c732f5c and
> > 246cf66e300b on top of v6.1. With this kernel, I observed the KASAN uaf in
> > bic_set_bfqq.
> > 
> > 
> > BUG: KASAN: use-after-free in bic_set_bfqq+0x15f/0x190
> > device offline error, dev sdr, sector 245352968 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> > Read of size 8 at addr ffff88811de85f88 by task in:imjournal/815
> > 
> Thanks for the report, is the problem easy to reproduce? If so, can you
> try the following patch?
> 
> diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
> index 1b2829e99dad..81d2f401fa3f 100644
> --- a/block/bfq-cgroup.c
> +++ b/block/bfq-cgroup.c
> @@ -771,8 +771,8 @@ static void __bfq_bic_change_cgroup(struct bfq_data
> *bfqd,
>                                  * request from the old cgroup.
>                                  */
>                                 bfq_put_cooperator(sync_bfqq);
> -                               bfq_release_process_ref(bfqd, sync_bfqq);
>                                 bic_set_bfqq(bic, NULL, true);
> +                               bfq_release_process_ref(bfqd, sync_bfqq);
>                         }
>                 }
>         }
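Review bot: the reordering of bfq_release_process_ref() and bic_set_bfqq() in this hunk is unexplained in the code itself; add a short comment above `bic_set_bfqq(bic, NULL, true);` stating that bic_set_bfqq() still dereferences the old sync_bfqq (the 8-byte read KASAN flagged in the report), so the process reference on sync_bfqq must only be dropped after the bic pointer has been cleared. Without that comment the next refactor can silently restore the use-after-free order. A Fixes: tag naming 64dc8c732f5c, which the reporter bisected to, would also let stable pick this up together with that commit.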

Thanks for the quick response. Yes, I can recreate the problem reliably using
one of my test machines. With your fix patch above, the problem disappeared :)
I repeated system reboot and ssh login 6 times and the problem was not observed.

-- 
Shin'ichiro Kawasaki
