On Jan 12, 2023 / 19:47, Yu Kuai wrote:
> Hi,
>
> On 2023/01/12 19:38, Shinichiro Kawasaki wrote:
> > I observed another KASAN uaf related to bfq. I would like to ask bfq experts
> > to take a look at it. Whole KASAN message is attached below. It looks different
> > from another uaf fixed with 246cf66e300b ("block, bfq: fix uaf for bfqq in
> > bfq_exit_icq_bfqq").
> >
> > It was observed for the first time during blktests test case block/027 run on
> > kernel v6.2-rc3. Depending on test machines, it was recreated during system boot
> > or ssh login occasionally. When I repeat system reboot and ssh-login twice, the
> > uaf is recreated.
> >
> > I guess 64dc8c732f5c ("block, bfq: fix possible uaf for 'bfqq->bic'") could be
> > the trigger commit. I cherry-picked the two commits 64dc8c732f5c and
> > 246cf66e300b on top of v6.1. With this kernel, I observed the KASAN uaf in
> > bic_set_bfqq.
> >
> >
> > BUG: KASAN: use-after-free in bic_set_bfqq+0x15f/0x190
> > device offline error, dev sdr, sector 245352968 op 0x0:(READ) flags 0x0 phys_seg 1 prio class 2
> > Read of size 8 at addr ffff88811de85f88 by task in:imjournal/815
> >
> Thanks for the report, is the problem easy to reproduce? If so, can you
> try the following patch?
>
> diff --git a/block/bfq-cgroup.c b/block/bfq-cgroup.c
> index 1b2829e99dad..81d2f401fa3f 100644
> --- a/block/bfq-cgroup.c
> +++ b/block/bfq-cgroup.c
> @@ -771,8 +771,8 @@ static void __bfq_bic_change_cgroup(struct bfq_data
> *bfqd,
> * request from the old cgroup.
> */
> bfq_put_cooperator(sync_bfqq);
> - bfq_release_process_ref(bfqd, sync_bfqq);
> bic_set_bfqq(bic, NULL, true);
> + bfq_release_process_ref(bfqd, sync_bfqq);
> }
> }
> }

Thanks for the quick response. Yes, I can recreate the problem reliably using one
of my test machines. With your fix patch above, the problem disappeared :)
I repeated system reboot and ssh login 6 times and the problem was not observed.

--
Shin'ichiro Kawasaki
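Review bot: the hunk in __bfq_bic_change_cgroup() should carry a comment or commit message explaining why the order matters, because on its own the diff reads as a cosmetic swap of two calls. The report above places the KASAN 8-byte read inside bic_set_bfqq(), and the reordered sequence clears the bic's pointer with `bic_set_bfqq(bic, NULL, true);` while sync_bfqq still holds its process reference, and only then drops it with `bfq_release_process_ref(bfqd, sync_bfqq);`, so bic_set_bfqq() no longer runs against a bfqq that the release may already have freed; one line saying exactly that at the call site would stop a later cleanup from reverting it. When this is submitted formally it also wants a Fixes: tag for 64dc8c732f5c, which the reporter identified as the trigger commit, plus the Tested-by from the reply, and it is worth auditing the other bic_set_bfqq() call sites for the same release-before-clear ordering.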