Hi,
On 2024/10/25 18:40, Tetsuo Handa wrote:
On 2024/10/25 16:05, Yang Erkun wrote:
From: Yang Erkun <yangerkun@xxxxxxxxxx>
My colleague Wupeng found the following problems during fault injection:
BUG: unable to handle page fault for address: fffffbfff809d073
Excuse me, but subject says "null pointer" whereas dmesg says
"not a null pointer dereference". Is this a use-after-free bug?
Also, what verb comes after "when modprobe brd" ?
Is this problem happening with parallel execution? If yes, what is
running in parallel with what?
The problem is straightforward, to be short,

T1: modprobe brd
brd_init
 brd_alloc
  add_disk
                                T2: open brd
                                bdev_open
                                 try_module_get
  // err path
  brd_cleanup
                                // dereference brd_fops() while module is freed.
Thanks,
Kuai
Is this problem happening with what fault injection?
What function (exact location in source code with call trace) has
failed due to fault injection?
Call Trace:
<TASK>
blkdev_put_whole+0x41/0x70
bdev_release+0x1a3/0x250
blkdev_release+0x11/0x20
__fput+0x1d7/0x4a0
task_work_run+0xfc/0x180
syscall_exit_to_user_mode+0x1de/0x1f0
do_syscall_64+0x6b/0x170
entry_SYSCALL_64_after_hwframe+0x76/0x7e
This suggests that a userspace process has open()ed the device
before brd_init() from modprobe completed?
Please show more context including execution flow until crash.
CPU0: (or Process1)             CPU1: (or Process2)
does what?
                                does what?
does what?
                                does what and is wrong?
Also, you don't need to embed brd_cleanup() into the caller
just because the caller becomes 1 by this change.
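As an added illustration, not code from this thread or from the kernel, here is a small userspace model in C of the interleaving Kuai describes: a module that is still in init (COMING) hands out references through try_module_get() just like a LIVE one, and a failed init unloads the module regardless of those references, so the opener is left calling fops that no longer exist. The struct names, the publish_early/inject_fault knobs and the result codes are the model's own assumptions; the ordering mirrors T1/T2 above.

```c
#include <stdbool.h>
#include <string.h>

enum mod_state { MOD_COMING, MOD_LIVE, MOD_FREED };
struct fops { int (*open)(void); };
struct module { enum mod_state state; int refcnt; struct fops ops; };
struct gendisk { struct module *owner; };   /* what add_disk() makes visible */
static struct gendisk *published;           /* stand-in for the bdev lookup */
static int brd_open(void) { return 0; }
/* Model of try_module_get(): a ref is granted while COMING (still in init)
 * or LIVE; the opener cannot tell the two apart. */
static bool try_module_get(struct module *m)
{
    if (m->state == MOD_FREED)
        return false;
    m->refcnt++;
    return true;
}
/* Init failure unloads the module; refs taken while COMING do not stop it. */
static void free_failed_module(struct module *m)
{
    published = NULL;
    m->state = MOD_FREED;
    memset(&m->ops, 0, sizeof m->ops);      /* fops now point nowhere */
}
enum { OPEN_OK = 0, OPEN_NO_DEVICE = -1, OPEN_USE_AFTER_FREE = -2 };

/* Interleaving T1: brd_init() -> T2: bdev_open() -> T1: init fails or finishes.
 * publish_early=true is the bug: add_disk() runs while a later init step can
 * still fail. publish_early=false does the fallible work before add_disk(). */
static int run_scenario(bool publish_early, bool inject_fault)
{
    struct module mod = { MOD_COMING, 1, { brd_open } };
    struct gendisk disk = { &mod };
    struct fops *seen = NULL;
    published = publish_early ? &disk : NULL;             /* T1: add_disk() */
    if (published && try_module_get(published->owner))
        seen = &published->owner->ops;                    /* T2: bdev_open() */
    if (inject_fault) {
        free_failed_module(&mod);                         /* T1: brd_cleanup() */
    } else {
        published = &disk;                                /* (late) add_disk() */
        mod.state = MOD_LIVE;
    }
    if (!seen)
        return OPEN_NO_DEVICE;                            /* T2 saw no disk yet */
    return seen->open ? seen->open() : OPEN_USE_AFTER_FREE;   /* T2 calls brd_fops */
}
```

With the device published before the fallible step and a fault injected, the opener reaches freed fops; publishing only after every step that can fail turns the same race into a harmless "no such device".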