Hi,
On 2025/06/10 12:51, Wang Jinchao wrote:
[ 921.784898] [ C2] BUG: kernel NULL pointer dereference, address: 0000000000000002
[ 921.784907] [ C2] #PF: supervisor instruction fetch in kernel mode
[ 921.784910] [ C2] #PF: error_code(0x0010) - not-present page
[ 921.784912] [ C2] PGD 0 P4D 0
[ 921.784915] [ C2] Oops: 0010 [#1] PREEMPT SMP NOPTI
[ 921.784919] [ C2] CPU: 2 PID: 1659 Comm: zds Kdump: loaded Tainted: G U W E 6.8.1-debug-0519 #49
[ 921.784922] [ C2] Hardware name: Default string Default string/Default string, BIOS DNS9V011 12/24/2024
[ 921.784923] [ C2] RIP: 0010:0x2
[ 921.784929] [ C2] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[ 921.784931] [ C2] RSP: 0000:ffffa3fac0220c70 EFLAGS: 00010087
[ 921.784933] [ C2] RAX: 0000000000000002 RBX: ffff8890539070d8 RCX: 0000000000000000
[ 921.784935] [ C2] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffa3fac07dfc90
[ 921.784936] [ C2] RBP: ffffa3fac0220ca8 R08: 2557c7cc905cff00 R09: 0000000000000000
[ 921.784938] [ C2] R10: 0000000000000000 R11: 0000000000000000 R12: 000000008fa158a0
[ 921.784939] [ C2] R13: 2557c7cc905cfee8 R14: 0000000000000000 R15: 0000000000000000
[ 921.784941] [ C2] FS: 00007d8b034006c0(0000) GS:ffff8891bf900000(0000) knlGS:0000000000000000
[ 921.784943] [ C2] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[ 921.784945] [ C2] CR2: ffffffffffffffd8 CR3: 00000001097be000 CR4: 0000000000f50ef0
[ 921.784946] [ C2] PKRU: 55555554
[ 921.784948] [ C2] Call Trace:
[ 921.784949] [ C2] <IRQ>
[ 921.784950] [ C2] ? show_regs+0x6d/0x80
[ 921.784957] [ C2] ? __die+0x24/0x80
[ 921.784960] [ C2] ? page_fault_oops+0x156/0x4b0
[ 921.784964] [ C2] ? mempool_free_slab+0x17/0x30
[ 921.784968] [ C2] ? __slab_free+0x15d/0x2e0
[ 921.784971] [ C2] ? do_user_addr_fault+0x2ee/0x6b0
[ 921.784975] [ C2] ? exc_page_fault+0x83/0x1b0
[ 921.784979] [ C2] ? asm_exc_page_fault+0x27/0x30
[ 921.784984] [ C2] ? __wake_up_common+0x76/0xb0
[ 921.784987] [ C2] __wake_up+0x37/0x70
[ 921.784990] [ C2] mempool_free+0xaa/0xc0
[ 921.784993] [ C2] raid_end_bio_io+0x97/0x130 [raid1]
This is a NULL pointer dereference, not the same as UAF. Please attach the
log in the next version (and probably remove the useless info like
timestamps and stack lines starting with ?).
(...)
This fix is simple enough.
Alternatively, we could initialize conf->r1bio_pool directly, but that
would also require handling rollback in case the initialization fails.
What would you suggest?
I'll suggest to use mempool_resize() and get rid of the weird assignment.
Thanks,
Kuai