Re: [PATCH] brd: fix null pointer when modprobe brd

Hi,

On 2024/10/25 18:40, Tetsuo Handa wrote:
> On 2024/10/25 16:05, Yang Erkun wrote:
>> From: Yang Erkun <yangerkun@xxxxxxxxxx>
>>
>> My colleague Wupeng found the following problems during fault injection:
>>
>> BUG: unable to handle page fault for address: fffffbfff809d073
>
> Excuse me, but subject says "null pointer" whereas dmesg says
> "not a null pointer dereference". Is this a use-after-free bug?
> Also, what verb comes after "when modprobe brd"?
>
> Is this problem happening with parallel execution? If yes, parallelly
> running what and what?

The problem is straightforward, to be short,

T1: modprobe brd
brd_init
 brd_alloc
  add_disk
			T2: open brd
			bdev_open
			 try_module_get
  // err path
  brd_cleanup
			 // dereference brd_fops() while module is freed.

Thanks,
Kuai


> Is this problem happening with what fault injection?
> What function (exact location in source code with call trace) has
> failed due to fault injection?
>
>> Call Trace:
>>   <TASK>
>>   blkdev_put_whole+0x41/0x70
>>   bdev_release+0x1a3/0x250
>>   blkdev_release+0x11/0x20
>>   __fput+0x1d7/0x4a0
>>   task_work_run+0xfc/0x180
>>   syscall_exit_to_user_mode+0x1de/0x1f0
>>   do_syscall_64+0x6b/0x170
>>   entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> This suggests that a userspace process has open()ed the device
> before brd_init() from modprobe completed?
>
> Please show more context including execution flow until crash.
>
>    CPU0: (or Process1)    CPU1: (or Process2)
>      does what?
>                             does what?
>      does what?
>                             does what and is wrong?
>
> Also, you don't need to embed brd_cleanup() into the caller
> just because the caller becomes 1 by this change.
