lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <7a14c467-e67e-eede-4ebc-d8105cc3bcd5@nvidia.com>
Date:   Tue, 8 Nov 2022 03:50:33 +0000
From:   Chaitanya Kulkarni <chaitanyak@...dia.com>
To:     Gerd Bayer <gbayer@...ux.ibm.com>, Jens Axboe <axboe@...com>,
        Christoph Hellwig <hch@....de>,
        Sagi Grimberg <sagi@...mberg.me>
CC:     Niklas Schnelle <schnelle@...ux.ibm.com>,
        "linux-kernel@...r.kernel.org" <linux-kernel@...r.kernel.org>,
        "linux-next@...r.kernel.org" <linux-next@...r.kernel.org>,
        "linux-nvme@...ts.infradead.org" <linux-nvme@...ts.infradead.org>
Subject: Re: nvme-pci: NULL pointer dereference in nvme_dev_disable() on
 linux-next

On 11/7/22 09:28, Gerd Bayer wrote:
> Hi,
> 
> our internal s390 CI pointed us to a potential racy "use after free" or similar
> issue in drivers/nvme/host/pci.c by ending one of the tests in the following
> kernel panic:
> 

Thanks a lot for reporting this ...

[...]
> 
> On a stock kernel from
> https://git.kernel.org/pub/scm/linux/kernel/git/next/linux-next.git/tag/?h=next-20221104
> we have been able to reproduce this at will with
> this small script
> 
> #!/usr/bin/env bash
> 
> echo $1 > /sys/bus/pci/drivers/nvme/unbind
> echo $1 > /sys/bus/pci/drivers/nvme/bind
> echo 1 > /sys/bus/pci/devices/$1/remove
> 
> when filling in the NVMe drives' PCI identifier.
> 

Can you please submit a blktests for this ?
so this will get tested by everyone at each release ?

> We believe this to be a race-condition somewhere, since this sequence does not produce the panic
> when executed interactively.
> 

You can try and bisect the code to point out at exact commit.

> Could this be linked to the recent (refactoring) work by Christoph Hellwig?
> E.g. https://lore.kernel.org/all/20221101150050.3510-3-hch@lst.de/
> 
> Thank you,
> Gerd Bayer
> 
> 

-ck

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ