Message-ID: <1842801.CQOukoFCf9@natalenko.name>
Date:   Mon, 02 Jan 2023 12:49:19 +0100
From:   Oleksandr Natalenko <oleksandr@...alenko.name>
To:     linux-kernel@...r.kernel.org
Cc:     Paolo Valente <paolo.valente@...aro.org>,
        Jens Axboe <axboe@...nel.dk>, linux-block@...r.kernel.org
Subject: Re: BUG: KFENCE: use-after-free read in bfq_exit_icq_bfqq+0x132/0x270

On Monday 2 January 2023 12:45:30 CET Oleksandr Natalenko wrote:
> This is a sudden splash I've got while just using my workstation:
> 
> ==================================================================
> BUG: KFENCE: use-after-free read in bfq_exit_icq_bfqq+0x132/0x270
> Use-after-free read at 0x00000000e57c579c (in kfence-#173):
>  bfq_exit_icq_bfqq+0x132/0x270
>  bfq_exit_icq+0x5e/0x80
>  exit_io_context+0x88/0xb0
>  do_exit+0x66c/0xb80
>  kthread_exit+0x29/0x30
>  kthread+0xbd/0x110
>  ret_from_fork+0x22/0x30
> 
> kfence-#173: 0x000000005d7be631-0x000000006ad0b684, size=568, cache=bfq_queue
> allocated by task 40147 on cpu 16 at 13975.114285s:
>  bfq_get_queue+0xdf/0x4e0
>  bfq_get_bfqq_handle_split+0x75/0x170
>  bfq_insert_requests+0x832/0x2580
>  blk_mq_sched_insert_requests+0x63/0x150
>  blk_mq_flush_plug_list+0x122/0x360
>  __blk_flush_plug+0x106/0x160
>  blk_finish_plug+0x29/0x40
>  dm_bufio_prefetch+0x108/0x4d0 [dm_bufio]
>  dm_tm_issue_prefetches+0x44/0x70 [dm_persistent_data]
>  dm_pool_issue_prefetches+0x39/0x43 [dm_thin_pool]
>  do_worker+0x4c/0xd60 [dm_thin_pool]
>  process_one_work+0x258/0x410
>  worker_thread+0x55/0x4c0
>  kthread+0xde/0x110
>  ret_from_fork+0x22/0x30
> 
> freed by task 40147 on cpu 20 at 14500.096700s:
>  bfq_put_queue+0x185/0x2d0
>  bfq_exit_icq_bfqq+0x129/0x270
>  bfq_exit_icq+0x5e/0x80
>  exit_io_context+0x88/0xb0
>  do_exit+0x66c/0xb80
>  kthread_exit+0x29/0x30
>  kthread+0xbd/0x110
>  ret_from_fork+0x22/0x30
> 
> CPU: 20 PID: 40147 Comm: kworker/dying Tainted: G        W          6.1.0-pf2 #1 ff5dbde5ea280110a73397797e059b8558cda111
> Hardware name: ASUS System Product Name/Pro WS X570-ACE, BIOS 4304 12/12/2022
> ==================================================================
> 
> I'm using v6.1.2, never experienced this before and cannot reproduce it at will. This kernel does not have any extra patches for the block layer on top of v6.1.2.
> 
> In case you know what's going on, please let me know.

I assume 246cf66e30 ("block, bfq: fix uaf for bfqq in bfq_exit_icq_bfqq") may have fixed the issue. This commit is pending for upcoming v6.1.3.

-- 
Oleksandr Natalenko (post-factum)
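The KFENCE report above shows the classic shape of a refcount use-after-free: the "freed by" stack ends in bfq_put_queue called from bfq_exit_icq_bfqq+0x129, and the offending read happens a few bytes later in the same function at +0x132, i.e. the object is touched right after the reference that kept it alive was dropped. The following toy model is an added example, not code from the kernel, BFQ, or the referenced commit; the struct, function names and the quarantine-style detector are assumptions made for illustration. It contrasts the buggy ordering (put, then read) with two safe orderings (read before put; hold an extra reference across the use), and counts reads of a quarantined object the way a sanitizer would flag them.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical refcounted object standing in for a scheduler queue. */
struct toy_queue {
    int ref;
    int id;
    bool quarantined; /* set when the last reference is dropped */
};

/* Detector state: number of reads that hit a quarantined object.
 * KFENCE reports such reads via guard pages; here we count them. */
static int uaf_reads;

static void toy_get(struct toy_queue *q) { q->ref++; }

/* Dropping the last reference "frees" the object. To keep the
 * detector well-defined C, the memory is quarantined instead of
 * handed back to free(); a later read is still a use-after-free
 * in the program's logic and is counted as such. */
static void toy_put(struct toy_queue *q)
{
    if (--q->ref == 0)
        q->quarantined = true;
}

static int toy_read_id(struct toy_queue *q)
{
    if (q->quarantined)
        uaf_reads++; /* the read the report would flag */
    return q->id;
}

/* Buggy ordering: the reference is released, then the object is read
 * (the sequence the KFENCE trace shows: bfq_put_queue at +0x129,
 * read at +0x132). */
static int exit_buggy(struct toy_queue *q)
{
    toy_put(q);
    return toy_read_id(q);
}

/* Fix 1: read everything you need before dropping the reference. */
static int exit_read_first(struct toy_queue *q)
{
    int id = toy_read_id(q);
    toy_put(q);
    return id;
}

/* Fix 2: pin the object with an extra reference across the use. */
static int exit_pinned(struct toy_queue *q)
{
    toy_get(q);
    toy_put(q);             /* the original drop, now not the last one */
    int id = toy_read_id(q);
    toy_put(q);             /* release our pin; object is freed here */
    return id;
}

/* Runs one variant on a fresh object and returns how many
 * use-after-free reads the detector saw (0 means clean). */
int run_scenario(int (*variant)(struct toy_queue *))
{
    struct toy_queue *q = calloc(1, sizeof *q);
    if (!q)
        return -1;
    q->ref = 1;
    q->id = 173; /* arbitrary constructed value */
    uaf_reads = 0;
    (void)variant(q);
    int seen = uaf_reads;
    free(q); /* quarantine released only after all uses are done */
    return seen;
}

int uaf_reads_buggy(void)      { return run_scenario(exit_buggy); }
int uaf_reads_read_first(void) { return run_scenario(exit_read_first); }
int uaf_reads_pinned(void)     { return run_scenario(exit_pinned); }

int main(void)
{
    printf("buggy:      %d UAF read(s)\n", uaf_reads_buggy());
    printf("read-first: %d UAF read(s)\n", uaf_reads_read_first());
    printf("pinned:     %d UAF read(s)\n", uaf_reads_pinned());
    return 0;
}
```

The detector only catches the ordering bug because the quarantine keeps the freed object addressable; in a real kernel the slab may have been reused, which is why this class of bug is often silent until a sampling tool like KFENCE happens to guard that allocation. Both fixes are legitimate in different situations: reading first is enough when only a value is needed, while pinning is required when the object must stay valid across further calls.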

