Re: [PATCH] md/raid1: Fix use-after-free in reshape pool wait queue

From: Yu Kuai
Date: Tue Jun 10 2025 - 02:12:35 EST


Hi,

On 2025/06/10 12:51, Wang Jinchao wrote:
[  921.784898] [      C2] BUG: kernel NULL pointer dereference, address: 0000000000000002
[  921.784907] [      C2] #PF: supervisor instruction fetch in kernel mode
[  921.784910] [      C2] #PF: error_code(0x0010) - not-present page
[  921.784912] [      C2] PGD 0 P4D 0
[  921.784915] [      C2] Oops: 0010 [#1] PREEMPT SMP NOPTI
[  921.784919] [      C2] CPU: 2 PID: 1659 Comm: zds Kdump: loaded Tainted: G     U  W   E      6.8.1-debug-0519 #49
[  921.784922] [      C2] Hardware name: Default string Default string/Default string, BIOS DNS9V011 12/24/2024
[  921.784923] [      C2] RIP: 0010:0x2
[  921.784929] [      C2] Code: Unable to access opcode bytes at 0xffffffffffffffd8.
[  921.784931] [      C2] RSP: 0000:ffffa3fac0220c70 EFLAGS: 00010087
[  921.784933] [      C2] RAX: 0000000000000002 RBX: ffff8890539070d8 RCX: 0000000000000000
[  921.784935] [      C2] RDX: 0000000000000000 RSI: 0000000000000003 RDI: ffffa3fac07dfc90
[  921.784936] [      C2] RBP: ffffa3fac0220ca8 R08: 2557c7cc905cff00 R09: 0000000000000000
[  921.784938] [      C2] R10: 0000000000000000 R11: 0000000000000000 R12: 000000008fa158a0
[  921.784939] [      C2] R13: 2557c7cc905cfee8 R14: 0000000000000000 R15: 0000000000000000
[  921.784941] [      C2] FS:  00007d8b034006c0(0000) GS:ffff8891bf900000(0000) knlGS:0000000000000000
[  921.784943] [      C2] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[  921.784945] [      C2] CR2: ffffffffffffffd8 CR3: 00000001097be000 CR4: 0000000000f50ef0
[  921.784946] [      C2] PKRU: 55555554
[  921.784948] [      C2] Call Trace:
[  921.784949] [      C2]  <IRQ>
[  921.784950] [      C2]  ? show_regs+0x6d/0x80
[  921.784957] [      C2]  ? __die+0x24/0x80
[  921.784960] [      C2]  ? page_fault_oops+0x156/0x4b0
[  921.784964] [      C2]  ? mempool_free_slab+0x17/0x30
[  921.784968] [      C2]  ? __slab_free+0x15d/0x2e0
[  921.784971] [      C2]  ? do_user_addr_fault+0x2ee/0x6b0
[  921.784975] [      C2]  ? exc_page_fault+0x83/0x1b0
[  921.784979] [      C2]  ? asm_exc_page_fault+0x27/0x30
[  921.784984] [      C2]  ? __wake_up_common+0x76/0xb0
[  921.784987] [      C2]  __wake_up+0x37/0x70
[  921.784990] [      C2]  mempool_free+0xaa/0xc0
[  921.784993] [      C2]  raid_end_bio_io+0x97/0x130 [raid1]

This is a NULL pointer dereference, not the same as a UAF. Please attach the
log in the next version (and probably remove the useless info like the
timestamps and the stack lines starting with '?').

(...)

This fix is simple enough.
Alternatively, we could initialize conf->r1bio_pool directly, but that would also require
handling rollback in case the initialization fails.
What would you suggest?

I'd suggest using mempool_resize() and getting rid of the weird assignment.

Thanks,
Kuai
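Added illustration, not part of this thread and not the kernel's own code: the example below assumes that the "weird assignment" under discussion is a whole-struct copy of a pool object that embeds a self-referential wait-queue list head (the hypothetical `struct toy_pool` and `struct list_head` here are user-space stand-ins written for this example). Copying such an object by value leaves the embedded head pointing at the source storage, so once that source goes away the next wakeup walks a dangling pointer; resizing the existing object in place never moves the head.

```c
#include <stdio.h>

/* User-space re-implementation of an intrusive list head in the style of the
 * kernel's struct list_head (written for this example). An empty list points
 * at itself, so the head's own address is baked into its pointers. */
struct list_head {
    struct list_head *next, *prev;
};

static void list_init(struct list_head *h) { h->next = h->prev = h; }

/* Hypothetical stand-in for a pool object that embeds a wait queue: the
 * embedded head must stay at one address for the object's whole lifetime. */
struct toy_pool {
    int min_nr;                 /* number of reserved elements */
    struct list_head waiters;   /* stand-in for the wait_queue_head */
};

static void toy_pool_init(struct toy_pool *p, int min_nr)
{
    p->min_nr = min_nr;
    list_init(&p->waiters);
}

/* Returns 1 if the embedded head still refers to itself (a consistent,
 * usable wait queue), 0 if it refers to some other storage. */
static int toy_pool_waitq_is_sane(const struct toy_pool *p)
{
    return p->waiters.next == &p->waiters && p->waiters.prev == &p->waiters;
}

/* The struct-copy pattern: build a new pool in a local variable and assign
 * it over the live one. The copy inherits list pointers that address the
 * local variable, which dies when this function returns. The sanity check
 * runs while the local is still alive, so the comparison itself is safe. */
static int replace_by_struct_copy(struct toy_pool *live, int new_min_nr)
{
    struct toy_pool newpool;    /* stack storage: gone after return */
    toy_pool_init(&newpool, new_min_nr);
    *live = newpool;            /* copies self-pointers aimed at newpool */
    return toy_pool_waitq_is_sane(live);
}

/* The in-place alternative: change only the size field and leave the
 * embedded wait queue where it is, the way a resize in place would. */
static int resize_in_place(struct toy_pool *live, int new_min_nr)
{
    live->min_nr = new_min_nr;
    return toy_pool_waitq_is_sane(live);
}

/* Self-contained drivers so callers can compare the two approaches. */
static int demo_struct_copy(void)
{
    struct toy_pool live;
    toy_pool_init(&live, 32);
    return replace_by_struct_copy(&live, 64);   /* 0: head now dangles */
}

static int demo_resize_in_place(void)
{
    struct toy_pool live;
    toy_pool_init(&live, 32);
    return resize_in_place(&live, 64);          /* 1: head still valid */
}

int main(void)
{
    printf("struct copy leaves a sane wait queue: %d\n", demo_struct_copy());
    printf("in-place resize leaves a sane wait queue: %d\n", demo_resize_in_place());
    return 0;
}
```

The same reasoning applies to any object that embeds intrusive list heads, locks or wait queues: such objects must be initialised in place and updated in place, never moved by assignment while other contexts may still hold their address.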