lists.openwall.net: Open Source and information security mailing list archives
Message-Id: <173634662244.346437.17736271332101517970.b4-ty@kernel.dk>
Date: Wed, 08 Jan 2025 07:30:22 -0700
From: Jens Axboe <axboe@...nel.dk>
To: jack@...e.cz, yukuai3@...wei.com, Yu Kuai <yukuai1@...weicloud.com>
Cc: linux-block@...r.kernel.org, linux-kernel@...r.kernel.org, 
 yi.zhang@...wei.com, yangerkun@...wei.com
Subject: Re: [PATCH] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()


On Wed, 08 Jan 2025 16:41:48 +0800, Yu Kuai wrote:
> Our syzkaller reported the following UAF for v6.6:
> 
> BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
> Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726
> 
> CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
> Call Trace:
>  <TASK>
>  __dump_stack lib/dump_stack.c:88 [inline]
>  dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
>  print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
>  print_report+0x3e/0x70 mm/kasan/report.c:475
>  kasan_report+0xb8/0xf0 mm/kasan/report.c:588
>  hlist_add_head include/linux/list.h:1023 [inline]
>  bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
>  bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
>  bfq_insert_requests+0x27f/0x390 block/bfq-iosched.c:6323
>  blk_mq_insert_request+0x290/0x8f0 block/blk-mq.c:2660
>  blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
>  __submit_bio+0xa0/0x6b0 block/blk-core.c:639
>  __submit_bio_noacct_mq block/blk-core.c:718 [inline]
>  submit_bio_noacct_nocheck+0x5b7/0x810 block/blk-core.c:747
>  submit_bio_noacct+0xca0/0x1990 block/blk-core.c:847
>  __ext4_read_bh fs/ext4/super.c:205 [inline]
>  ext4_read_bh+0x15e/0x2e0 fs/ext4/super.c:230
>  __read_extent_tree_block+0x304/0x6f0 fs/ext4/extents.c:567
>  ext4_find_extent+0x479/0xd20 fs/ext4/extents.c:947
>  ext4_ext_map_blocks+0x1a3/0x2680 fs/ext4/extents.c:4182
>  ext4_map_blocks+0x929/0x15a0 fs/ext4/inode.c:660
>  ext4_iomap_begin_report+0x298/0x480 fs/ext4/inode.c:3569
>  iomap_iter+0x3dd/0x1010 fs/iomap/iter.c:91
>  iomap_fiemap+0x1f4/0x360 fs/iomap/fiemap.c:80
>  ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
>  ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
>  do_vfs_ioctl+0x31c/0x11a0 fs/ioctl.c:811
>  __do_sys_ioctl fs/ioctl.c:869 [inline]
>  __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
>  do_syscall_x64 arch/x86/entry/common.c:51 [inline]
>  do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
>  entry_SYSCALL_64_after_hwframe+0x78/0xe2
> 
> [...]

Applied, thanks!

[1/1] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq()
      commit: eb92f7314625807ad569c218039ec90e9e14c784

Best regards,
-- 
Jens Axboe
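The KASAN report quoted above is the kind of artifact that lands in a triage queue many times a day. As an added example (not part of this thread, and not a tool the kernel or syzkaller ships), the following Python parser pulls the fields a triager wants out of such a report: bug class, faulting function and file:line, access kind/size/address, task and PID, the call trace, the first frame outside KASAN's own reporting code, and the syscall the trace entered through. The sample input is the report from the message above with the mail quoting stripped and the trace trimmed; the "skip mm/kasan/ and lib/dump_stack.c frames" rule and the `__do_sys_`/`__se_sys_`/`__x64_sys_` syscall heuristic are assumptions of this example, not something stated on the page.

```python
"""Triage helper for KASAN reports as they appear in syzkaller and mailing-list posts.

Added example; not code from this thread or from the kernel tree.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: the report quoted in the message above, "> " quoting
# removed and the middle of the call trace trimmed for brevity.
SAMPLE = """\
BUG: KASAN: slab-use-after-free in bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
Read of size 8 at addr ffff8881b57147d8 by task fsstress/232726

CPU: 2 PID: 232726 Comm: fsstress Not tainted 6.6.0-g3629d1885222 #39
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x91/0xf0 lib/dump_stack.c:106
 print_address_description.constprop.0+0x66/0x300 mm/kasan/report.c:364
 print_report+0x3e/0x70 mm/kasan/report.c:475
 kasan_report+0xb8/0xf0 mm/kasan/report.c:588
 hlist_add_head include/linux/list.h:1023 [inline]
 bfq_init_rq+0x175d/0x17a0 block/bfq-iosched.c:6958
 bfq_insert_request.isra.0+0xe8/0xa20 block/bfq-iosched.c:6271
 blk_mq_submit_bio+0x1021/0x15e0 block/blk-mq.c:3143
 ext4_fiemap+0x181/0x210 fs/ext4/extents.c:5051
 ioctl_fiemap.isra.0+0x1b4/0x290 fs/ioctl.c:220
 __do_sys_ioctl fs/ioctl.c:869 [inline]
 __se_sys_ioctl+0xae/0x190 fs/ioctl.c:857
 do_syscall_64+0x70/0x120 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x78/0xe2
"""

HEADER_RE = re.compile(
    r"^BUG: KASAN: (?P<bug>[\w-]+) in (?P<func>[\w.]+)\+0x[0-9a-f]+/0x[0-9a-f]+ "
    r"(?P<file>\S+):(?P<line>\d+)")
ACCESS_RE = re.compile(
    r"^(?P<kind>Read|Write) of size (?P<size>\d+) at addr (?P<addr>[0-9a-f]+) "
    r"by task (?P<task>\S+)/(?P<pid>\d+)")
# A trace frame: "func[+off/size] [file:line] [[inline]]"; <TASK> markers do not match.
FRAME_RE = re.compile(
    r"^\s+(?P<func>[\w.]+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
    r"(?:\s+(?P<file>\S+):(?P<line>\d+))?(?P<inline>\s+\[inline\])?\s*$")

# Frames belonging to KASAN's own reporting path (assumption of this example).
REPORTING_PREFIXES = ("mm/kasan/", "lib/dump_stack.c")


@dataclass
class Frame:
    func: str
    file: Optional[str]
    line: Optional[int]
    inline: bool


@dataclass
class KasanReport:
    bug: str
    func: str
    file: str
    line: int
    access: str
    size: int
    addr: str
    task: str
    pid: int
    frames: List[Frame] = field(default_factory=list)

    def crash_site(self) -> Optional[Frame]:
        """First frame that is not KASAN/stack-dump plumbing (heuristic)."""
        for f in self.frames:
            if f.file and not f.file.startswith(REPORTING_PREFIXES):
                return f
        return None

    def syscall(self) -> Optional[str]:
        """Syscall the trace entered through, from the __do/__se/__x64_sys_ wrapper."""
        for f in self.frames:
            m = re.match(r"__(?:do|se|x64)_sys_(\w+)$", f.func)
            if m:
                return m.group(1)
        return None


def parse_kasan_report(text: str) -> KasanReport:
    """Parse a KASAN report, tolerating mailing-list '> ' quoting on each line."""
    header = access = None
    frames: List[Frame] = []
    in_trace = False
    for raw in text.splitlines():
        line = re.sub(r"^>\s?", "", raw)  # strip one level of mail quoting
        if header is None:
            m = HEADER_RE.match(line)
            if m:
                header = m.groupdict()
                continue
        if access is None:
            m = ACCESS_RE.match(line)
            if m:
                access = m.groupdict()
                continue
        if line.startswith("Call Trace:"):
            in_trace = True
            continue
        if in_trace:
            m = FRAME_RE.match(line)
            if m:
                frames.append(Frame(m["func"], m["file"],
                                    int(m["line"]) if m["line"] else None,
                                    bool(m["inline"])))
            elif line.strip() == "</TASK>":
                in_trace = False
    if header is None or access is None:
        raise ValueError("not a KASAN report: header or access line missing")
    return KasanReport(bug=header["bug"], func=header["func"], file=header["file"],
                       line=int(header["line"]), access=access["kind"],
                       size=int(access["size"]), addr=access["addr"],
                       task=access["task"], pid=int(access["pid"]), frames=frames)


def summarize(r: KasanReport) -> str:
    """One-line triage summary suitable for a tracker title."""
    site = r.crash_site()
    where = f"{site.func} ({site.file}:{site.line})" if site else "unknown"
    return (f"{r.bug}: {r.access.lower()} of {r.size} bytes at 0x{r.addr} in "
            f"{r.func} {r.file}:{r.line}; first non-KASAN frame {where}; "
            f"task {r.task}/{r.pid}; syscall {r.syscall() or 'unknown'}")


if __name__ == "__main__":
    print(summarize(parse_kasan_report(SAMPLE)))
```

Feeding it the quoted report from this thread yields the faulting function `bfq_init_rq` at `block/bfq-iosched.c:6958`, with `hlist_add_head` as the first frame past KASAN's reporting code and `ioctl` (FIEMAP via ext4) as the entry syscall, which is the information you need to match the report against the fix's title before reading the commit itself.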