| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <690f082d.4.EecvzTC1nbjFecvz@inspur.com>
Date: Sat, 8 Nov 2025 17:07:52 +0800
From: jack cheliequan (车烈权)
<cheliequan@...pur.com>
To: Coly Li <colyli@...as.com>, Kent Overstreet <kent.overstreet@...il.com>
CC: linux-bcache <linux-bcache@...r.kernel.org>, linux-kernel
<linux-kernel@...r.kernel.org>
Subject: [PATCH v1 bcache] bcache: fix UAF in cached_dev_free and safely
We hit a use-after-free when cached_dev_free() is called while thewriteback workqueue/thread may still be running or holding references.In addition, writeback_wq was flushed/destroyed in more than one place,which could lead to double flush/destroy and racy teardown。This issueexists in kernels 5.10, 6.6, etc. The error message is as follows.[18627.310402] ------------[ cut here ]------------[18627.316446] WARNING: CPU: 83 PID: 238405 at kernel/kthread.c:83 kthread_stop+0x12c/0x160[18627.326367] Modules linked in: ceph libceph dns_resolver openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c vfat fat dm_multipath dm_mod amd64_edac_mod edac_mce_amd kvm_amd kvm bcache crc64 i40iw irqbypass ses enclosure ipmi_si ib_uverbs ipmi_devintf joydev rapl ipmi_msghandler pcspkr ib_core sg i2c_piix4 k10temp fuse ext4 mbcache jbd2 ast drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt sd_mod fb_sys_fops cec drm_ttm_helper ttm ahci crct10dif_pclmul igb crc32_pclmul libahci nvme crc32c_intel ghash_clmulni_intel nvme_core dca smartpqi i40e t10_pi drm i2c_algo_bit libata ngbe scsi_transport_sas ccp pinctrl_amd[18627.392415] CPU: 83 PID: 238405 Comm: kworker/83:4 Kdump: loaded Tainted: G W 5.10.0-272.0.0.174.ile2312sp1.x86_64 #1[18627.406601] Hardware name: Inspur CS5280H2/CS5280H2, BIOS 3.03.62 09/15/2025[18627.415362] Workqueue: events cached_dev_free [bcache][18627.421985] RIP: 0010:kthread_stop+0x12c/0x160[18627.427836] Code: 00 e9 0b ff ff ff 48 89 ef e8 50 69 fd ff e9 73 ff ff ff be 01 00 00 00 4c 89 e7 e8 2e 6a 46 00 f6 45 36 20 0f 85 16 ff ff ff <0f> 0b e9 0f ff ff ff be 03 00 00 00 4c 89 e7 e8 10 6a 46 00 e9 43[18627.449681] RSP: 0018:ffffb5f9cdd0fe60 EFLAGS: 00010246[18627.456406] RAX: 0000000000000000 RBX: ffff94f51e700010 RCX: 0000000000000000[18627.465254] RDX: ffff94d71fbb1320 RSI: ffff94d71fba0710 RDI: ffff94d71fba0710[18627.474094] RBP: ffff94cf4d518000 R08: 0000000000000000 R09: ffffb5f9cdd0fc90[18627.482942] R10: ffffb5f9cdd0fc88 R11: ffffffffb69e13a8 R12: ffff94cf4d518030[18627.491792] R13: 0000000000000000 R14: ffff94d71fbbb700 R15: ffff94d71fbbb705[18627.500643] FS: 0000000000000000(0000) GS:ffff94d71fb80000(0000) knlGS:0000000000000000[18627.510564] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[18627.517861] CR2: 000055d6288098d0 CR3: 0000000594856000 CR4: 00000000003506e0[18627.526715] Call Trace:[18627.530338] cached_dev_free+0x30/0xd0 [bcache][18627.536283] process_one_work+0x1b5/0x350[18627.541643] worker_thread+0x49/0x310[18627.546618] ? rescuer_thread+0x380/0x380[18627.551977] kthread+0xfe/0x140[18627.556372] ? kthread_park+0x90/0x90[18627.561345] ret_from_fork+0x22/0x30[18627.566226] ---[ end trace 461f27b6101e7b4f ]---[18627.572269] BUG: unable to handle page fault for address: 00007fd3f5b21e10[18627.580823] #PF: supervisor write access in kernel mode[18627.587529] #PF: error_code(0x0002) - not-present page[18627.594131] PGD 6a710f067 P4D 6a710f067 PUD 0[18627.599968] Oops: 0002 [#1] SMP NOPTI[18627.604930] CPU: 83 PID: 238405 Comm: kworker/83:4 Kdump: loaded Tainted: G W 5.10.0-272.0.0.174.ile2312sp1.x86_64 #1[18627.619101] Hardware name: Inspur CS5280H2/CS5280H2, BIOS 3.03.62 09/15/2025[18627.627851] Workqueue: events cached_dev_free [bcache][18627.634463] RIP: 0010:kthread_stop+0x49/0x160[18627.640199] Code: 45 30 85 c0 0f 84 1c 01 00 00 0f 88 e6 00 00 00 83 c0 01 0f 88 dd 00 00 00 f6 45 36 20 0f 84 ea 00 00 00 48 8b 9d e8 0a 00 00 <f0> 80 0b 02 48 89 ef e8 3b ff ff ff 48 89 ef e8 43 31 01 00 48 8d[18627.662022] RSP: 0018:ffffb5f9cdd0fe60 EFLAGS: 00010246[18627.668728] RAX: 0000000000000000 RBX: 00007fd3f5b21e10 RCX: 0000000000000000[18627.677565] RDX: ffff94d71fbb1320 RSI: ffff94d71fba0710 RDI: ffff94d71fba0710[18627.686404] RBP: ffff94cf4d518000 R08: 0000000000000000 R09: ffffb5f9cdd0fc90[18627.695232] R10: ffffb5f9cdd0fc88 R11: ffffffffb69e13a8 R12: ffff94cf4d518030[18627.704070] R13: 0000000000000000 R14: ffff94d71fbbb700 R15: ffff94d71fbbb705[18627.712910] FS: 0000000000000000(0000) GS:ffff94d71fb80000(0000) knlGS:0000000000000000[18627.722816] CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033[18627.730103] CR2: 00007fd3f5b21e10 CR3: 0000000594856000 CR4: 00000000003506e0[18627.738941] Call Trace:[18627.742553] cached_dev_free+0x30/0xd0 [bcache][18627.748483] process_one_work+0x1b5/0x350[18627.753824] worker_thread+0x49/0x310[18627.758785] ? rescuer_thread+0x380/0x380[18627.764134] kthread+0xfe/0x140[18627.768514] ? kthread_park+0x90/0x90[18627.773477] ret_from_fork+0x22/0x30[18627.778344] Modules linked in: ceph libceph dns_resolver openvswitch nf_conncount nf_nat nf_conntrack nf_defrag_ipv6 nf_defrag_ipv4 libcrc32c vfat fat dm_multipath dm_mod amd64_edac_mod edac_mce_amd kvm_amd kvm bcache crc64 i40iw irqbypass ses enclosure ipmi_si ib_uverbs ipmi_devintf joydev rapl ipmi_msghandler pcspkr ib_core sg i2c_piix4 k10temp fuse ext4 mbcache jbd2 ast drm_vram_helper drm_kms_helper syscopyarea sysfillrect sysimgblt sd_mod fb_sys_fops cec drm_ttm_helper ttm ahci crct10dif_pclmul igb crc32_pclmul libahci nvme crc32c_intel ghash_clmulni_intel nvme_core dca smartpqi i40e t10_pi drm i2c_algo_bit libata ngbe scsi_transport_sas ccp pinctrl_amd[18627.844370] CR2: 00007fd3f5b21e10[18627.851414] kexec: Bye! The kernel error call stack is as follows:The kernel error call stack is as follows.crash> btPID: 238405 TASK: ffff94d71fae9c00 CPU: 83 COMMAND: "kworker/83:4"#0 [ffffb5f9cdd0fca8] crash_kexec at ffffffffb4db67e9#1 [ffffb5f9cdd0fcb8] oops_end at ffffffffb4c2b1c5#2 [ffffb5f9cdd0fcd8] no_context at ffffffffb4c7d86c#3 [ffffb5f9cdd0fd10] __bad_area_nosemaphore at ffffffffb4c7d972#4 [ffffb5f9cdd0fd58] exc_page_fault at ffffffffb56f7e1c#5 [ffffb5f9cdd0fdb0] asm_exc_page_fault at ffffffffb5800b4e [exception RIP: kthread_stop+73] RIP: ffffffffb4d0fee9 RSP: ffffb5f9cdd0fe60 RFLAGS: 00010246 RAX: 0000000000000000 RBX: 00007fd3f5b21e10 RCX: 0000000000000000 RDX: ffff94d71fbb1320 RSI: ffff94d71fba0710 RDI: ffff94d71fba0710 RBP: ffff94cf4d518000 R8: 0000000000000000 R9: ffffb5f9cdd0fc90 R10: ffffb5f9cdd0fc88 R11: ffffffffb69e13a8 R12: ffff94cf4d518030 R13: 0000000000000000 R14: ffff94d71fbbb700 R15: ffff94d71fbbb705 ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018#6 [ffffb5f9cdd0fe80] cached_dev_free at ffffffffc0b88470 [bcache]#7 [ffffb5f9cdd0fe98] process_one_work at ffffffffb4d099c5#8 [ffffb5f9cdd0fed8] worker_thread at ffffffffb4d09f29#9 [ffffb5f9cdd0ff10] kthread at ffffffffb4d0f2be#10 [ffffb5f9cdd0ff50] ret_from_fork at ffffffffb4c035b2Signed-off-by: cheliequan <cheliequan@...pur.com>---drivers/md/bcache/bcache.h | 7 +++++++drivers/md/bcache/super.c | 13 +++++++++----drivers/md/bcache/writeback.c | 9 ++++++---3 files changed, 22 insertions(+), 7 deletions(-)diff --git a/drivers/md/bcache/bcache.h b/drivers/md/bcache/bcache.hindex 832fb3d80eb0..5eba5c068c9c 100644--- a/drivers/md/bcache/bcache.h+++ b/drivers/md/bcache/bcache.h@@ -963,6 +963,13 @@ static inline void wait_for_kthread_stop(void) }}+#define STOP_THREAD_ONCE(dc, member) \+ do { \+ struct task_struct *t__ = xchg(&(dc)->member, NULL); \+ if (t__ && !IS_ERR(t__)) \+ kthread_stop(t__); \+ } while (0)+/* Forward declarations */void bch_count_backing_io_errors(struct cached_dev *dc, struct bio *bio);diff --git a/drivers/md/bcache/super.c b/drivers/md/bcache/super.cindex 6afc718ef202..22a002cca6ab 100644--- a/drivers/md/bcache/super.c+++ b/drivers/md/bcache/super.c@@ -1368,15 +1368,20 @@ void bch_cached_dev_release(struct kobject *kobj)static void cached_dev_free(struct closure *cl){+ struct workqueue_struct *wq = NULL; struct cached_dev *dc = container_of(cl, struct cached_dev, disk.cl); if (test_and_clear_bit(BCACHE_DEV_WB_RUNNING, &dc->disk.flags)) cancel_writeback_rate_update_dwork(dc);- if (!IS_ERR_OR_NULL(dc->writeback_thread))- kthread_stop(dc->writeback_thread);- if (!IS_ERR_OR_NULL(dc->status_update_thread))- kthread_stop(dc->status_update_thread);+ STOP_THREAD_ONCE(dc, writeback_thread);+ STOP_THREAD_ONCE(dc, status_update_thread);++ wq = xchg(&dc->writeback_write_wq, NULL);+ if (wq) {+ flush_workqueue(wq);+ destroy_workqueue(wq);+ } mutex_lock(&bch_register_lock);diff --git a/drivers/md/bcache/writeback.c b/drivers/md/bcache/writeback.cindex 854cdaa84462..3cac64b9d606 100644--- a/drivers/md/bcache/writeback.c+++ b/drivers/md/bcache/writeback.c@@ -741,6 +741,7 @@ static int bch_writeback_thread(void *arg) struct cached_dev *dc = arg; struct cache_set *c = dc->disk.c; bool searched_full_index;+ struct workqueue_struct *wq = NULL; bch_ratelimit_reset(&dc->writeback_rate);@@ -832,10 +833,12 @@ static int bch_writeback_thread(void *arg) } }- if (dc->writeback_write_wq) {- flush_workqueue(dc->writeback_write_wq);- destroy_workqueue(dc->writeback_write_wq);+ wq = xchg(&dc->writeback_write_wq, NULL);+ if (wq) {+ flush_workqueue(wq);+ destroy_workqueue(wq); }+ cached_dev_put(dc); wait_for_kthread_stop();--2.43.0
Content of type "text/html" skipped
Download attachment "smime.p7s" of type "application/pkcs7-signature" (2668 bytes)
Powered by blists - more mailing lists