On 2024/10/25 16:05, Yang Erkun wrote:
> From: Yang Erkun <yangerkun@xxxxxxxxxx>
>
> My colleague Wupeng found the following problems during fault injection:
>
> BUG: unable to handle page fault for address: fffffbfff809d073

Excuse me, but subject says "null pointer" whereas dmesg says "not a null pointer dereference".
Is this a use-after-free bug?

Also, what verb comes after "when modprobe brd" ?
Is this problem happening with parallel execution? If yes, parallelly running what and what?
Is this problem happening with what fault injection? What function (exact location in source code with call trace) has failed due to fault injection?

> Call Trace:
> <TASK>
> blkdev_put_whole+0x41/0x70
> bdev_release+0x1a3/0x250
> blkdev_release+0x11/0x20
> __fput+0x1d7/0x4a0
> task_work_run+0xfc/0x180
> syscall_exit_to_user_mode+0x1de/0x1f0
> do_syscall_64+0x6b/0x170
> entry_SYSCALL_64_after_hwframe+0x76/0x7e

This suggests that a userspace process has open()ed the device before brd_init() from modprobe completed?
Please show more context including execution flow until crash.

  CPU0: (or Process1)           CPU1: (or Process2)
    does what?
                                  does what?
    does what?
                                  does what and is wrong?

Also, you don't need to embed brd_cleanup() into the caller just because the caller becomes 1 by this change.