Re: [PATCH] null_blk: Fix a NULL pointer dereference

On 9/22/21 12:26 PM, Bart Van Assche wrote:
> On 9/22/21 11:03 AM, Bart Van Assche wrote:
>> On 9/22/21 10:54 AM, Jens Axboe wrote:
>>> On 9/22/21 11:50 AM, Bart Van Assche wrote:
>>>> Skip queue mapping for shared tag sets. This patch fixes the following bug:
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: null-ptr-deref in null_map_queues+0x131/0x1a0 [null_blk]
>>>> Read of size 8 at addr 0000000000000000 by task modprobe/4320
>>>>
>>>> CPU: 9 PID: 4320 Comm: modprobe Tainted: G         E     5.15.0-rc2-dbg+ #2
>>>> Call Trace:
>>>>   show_stack+0x52/0x58
>>>>   dump_stack_lvl+0x49/0x5e
>>>>   kasan_report.cold+0x64/0xdb
>>>>   __asan_load8+0x69/0x90
>>>>   null_map_queues+0x131/0x1a0 [null_blk]
>>>>   blk_mq_update_queue_map+0x122/0x1a0
>>>>   blk_mq_alloc_tag_set+0x1e8/0x570
>>>>   null_init_tag_set+0x197/0x220 [null_blk]
>>>>   null_init+0x1dc/0x1000 [null_blk]
>>>>   do_one_initcall+0xc7/0x440
>>>>   do_init_module+0x10a/0x3d0
>>>>   load_module+0x115c/0x1220
>>>>   __do_sys_finit_module+0x124/0x1a0
>>>>   __x64_sys_finit_module+0x42/0x50
>>>>   do_syscall_64+0x35/0xb0
>>>>   entry_SYSCALL_64_after_hwframe+0x44/0xae
>>>
>>> Thanks Bart, do you mind if I fold this one in? I can add a Fixes-by tag
>>> as well.
>>
>> That sounds good to me. In case this patch would be retained: the word "Skip"
>> in the description should be changed into "Fix".
> 
> Unfortunately my patch is not good enough. I run into other crashes with this
> patch applied since with this patch some hwctx pointers may be NULL:
> 
>      BUG: KASAN: null-ptr-deref in blk_mq_free_rqs+0x1f4/0x380
>      Read of size 8 at addr 0000000000000090 by task modprobe/5085
>      CPU: 19 PID: 5085 Comm: modprobe Tainted: G            E     5.15.0-rc1-dbg+ #7
>      Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.14.0-2 04/01/2014
>      Call Trace:
>       show_stack+0x52/0x58
>       dump_stack_lvl+0x38/0x49
>       kasan_report.cold+0x64/0xdb
>       __asan_load8+0x69/0x90
>       blk_mq_free_rqs+0x1f4/0x380
>       blk_mq_sched_free_requests+0x98/0xc0
>       blk_cleanup_queue+0xe6/0x110
>       blk_cleanup_disk+0x1f/0x40
>       null_del_dev.part.0+0xdf/0x2b0 [null_blk]
>       null_exit+0x65/0xb4 [null_blk]
>       __do_sys_delete_module.constprop.0+0x1dd/0x2e0
>       __x64_sys_delete_module+0x1f/0x30
>       do_syscall_64+0x35/0xb0
>       entry_SYSCALL_64_after_hwframe+0x44/0xae

What options are you loading null_blk with?

-- 
Jens Axboe
