Chasing a 'use after free' bug of SCSI subsystem for linux-stable 5.15.y

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Dear SCSI developers:
During the rcutorture test performed on linux-stable 5.15.y in PPC VM
of Open Source Lab of Oregon State University, A SCSI related bug is
discovered [1]:
[    5.178733][    C1] BUG: Kernel NULL pointer dereference on read at
0x00000008
...
[    5.231013][    C1] [c00000001ff9fca0] [c0000000009ffbc8]
scsi_end_request+0xd8/0x1f0 (unreliable)^M
[    5.234961][    C1] [c00000001ff9fcf0] [c000000000a00e68]
scsi_io_completion+0x88/0x700^M
[    5.237863][    C1] [c00000001ff9fda0] [c0000000009f5028]
scsi_finish_command+0xe8/0x150^M
[    5.240089][    C1] [c00000001ff9fdf0] [c000000000a00c70]
scsi_complete+0x90/0x140^M
[    5.242481][    C1] [c00000001ff9fe20] [c0000000007e5170]
blk_complete_reqs+0x80/0xa0^M
[    5.245187][    C1] [c00000001ff9fe50] [c000000000f0b5d0]
__do_softirq+0x1e0/0x4e0^M
[    5.248479][    C1] [c00000001ff9ff90] [c0000000000170e8]
do_softirq_own_stack+0x48/0x60^M
[    5.250919][    C1] [c00000000a5e7c40] [c00000000a5e7c80]
0xc00000000a5e7c80^M
[    5.253792][    C1] [c00000000a5e7c70] [c0000000001534c0]
do_softirq+0xb0/0xc0^M
[    5.256824][    C1] [c00000000a5e7ca0] [c0000000001535ac]
__local_bh_enable_ip+0xdc/0x110^M
[    5.259414][    C1] [c00000000a5e7cc0] [c0000000001d75e8]
irq_forced_thread_fn+0xc8/0xf0^M
[    5.261921][    C1] [c00000000a5e7d00] [c0000000001d7ae4]
irq_thread+0x1b4/0x2a0^M
[    5.265298][    C1] [c00000000a5e7da0] [c00000000017d8c8]
kthread+0x1a8/0x1d0^M
[    5.269184][    C1] [c00000000a5e7e10] [c00000000000cee4]

By adding printk statement in the SCSI subsystem and perform rounds of
qemu bootup, I found the bug is caused by following 'use after free'
scenery:

A)
                           B)
__scsi_scan_target
  scsi_probe_and_add_lun
     scsi_probe_lun
       scsi_execute_req
         __scsi_execute
            blk_execute_rq              ---> req --->
time out
   __scsi_remove_device
       blk_cleanup_queue
           percpu_ref_exit(&q->q_usage_counter)
     scsi_end_request

                                   percpu_ref_put(&q->q_usage_counter)

                                      USE-AFTER-FREE
Reported-by: Zhouyi Zhou <zhouzhouyi@xxxxxxxxx>

Thanks for your intention
Zhouyi
[1] https://lore.kernel.org/lkml/CAABZP2wa_ZTHUr9tH_6OSpr+TgNACo4kMu3eawsGV5qkCDoAKg@xxxxxxxxxxxxxx/T/



[Index of Archives]     [Linux Kernel]     [Kernel Development Newbies]     [Linux USB Devel]     [Video for Linux]     [Linux Audio Users]     [Yosemite Hiking]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux