Received: by 2002:ac0:a5b6:0:0:0:0:0 with SMTP id m51-v6csp3700926imm; Mon, 18 Jun 2018 02:34:23 -0700 (PDT) X-Google-Smtp-Source: ADUXVKLcWbQMyEOdbRzzBRiV4mCUMBkf0yutq/aCHDTiAvzRpAI8o941lMpK+R97E9WbHFtiJ0kA X-Received: by 2002:a17:902:6903:: with SMTP id j3-v6mr12990109plk.313.1529314463571; Mon, 18 Jun 2018 02:34:23 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529314463; cv=none; d=google.com; s=arc-20160816; b=fEBJ1qq+W2rblNRfDopdooTsw5UjTAJ2HxbV+AwsHoSJP+X4wyf31L2avCE+ZBDcEs FeFUKhg/ifMC9jI2ngxkUSS2SutgRW8L5W6Dr8jwP96vvrd/jwRoNIupXFYFIFuG6mvo rzxOpKgL+WvrOy8dxcPgXpQ6m6w9ohpTuXpIuriR2IePuHqEaVbkhEpi8hkSt4+m+f2k rqekXjGPtlJXPi2923bAcD0Ep+QaFEF96syJ1tbHNOeAsTV6PZKJMIxeFK1f2pU7AWnv vFssO7SEjDeEYp4/TZvTbjden1KDVQjYE6S2g+K3ehu13d9ApwMd/F86MMD+dhiyGFp4 MA7A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :in-reply-to:message-id:date:subject:cc:to:from :arc-authentication-results; bh=mceTZJg0zVPP8bkzWPRXMYMNmMjyLqEHSaFYO4bAyq8=; b=shzCRfaHCuOdbiofwbmkLJSyAMOKyKOZ5QH43rgfA5FTjb/jR0D5zyornRU/rU8zi9 QIYMaKMV9hyn2fIUv9yevTCSGD+T4gXapmA28JeZtA6CRXCMuU0arD0h1HSHluVMUPVi r69pNBLsOEwOiRmKI4ercpOKw9og1nXEIql7ulRANosNabHUXy3S5Rxv0UFitXVRg+Ed W8737YAcuiZYwIu3XrCGhjBh0pJWEgkLZLAd0XCc1uh7cecWGPMmtrDYO/zH/eZDZQ53 4A3+k919XyCufbsOZeypyivMFkod3AFA6JdbBJ20QUcZwSLeirGTdYmYtZ02q3pclg4U TCDw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t6-v6si14855957plo.508.2018.06.18.02.34.10; Mon, 18 Jun 2018 02:34:23 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S936482AbeFRJdf (ORCPT + 99 others); Mon, 18 Jun 2018 05:33:35 -0400 Received: from mail.linuxfoundation.org ([140.211.169.12]:56030 "EHLO mail.linuxfoundation.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S936118AbeFRIY2 (ORCPT ); Mon, 18 Jun 2018 04:24:28 -0400 Received: from localhost (LFbn-1-12247-202.w90-92.abo.wanadoo.fr [90.92.61.202]) by mail.linuxfoundation.org (Postfix) with ESMTPSA id D654FBAD; Mon, 18 Jun 2018 08:24:27 +0000 (UTC) From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Jianchao Wang , Christoph Hellwig , Keith Busch , Sasha Levin Subject: [PATCH 4.16 197/279] nvme: fix use-after-free in nvme_free_ns_head Date: Mon, 18 Jun 2018 10:13:02 +0200 Message-Id: <20180618080617.064604999@linuxfoundation.org> X-Mailer: git-send-email 2.17.1 In-Reply-To: <20180618080608.851973560@linuxfoundation.org> References: <20180618080608.851973560@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.16-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jianchao Wang [ Upstream commit 12d9f07022dcde261ad16e9a11f45096dc68b03c ] Currently only nvme_ctrl will take a reference counter of nvme_subsystem, nvme_ns_head also needs it. Otherwise nvme_free_ns_head will access the nvme_subsystem.ns_ida which has been freed by __nvme_release_subsystem after all the reference of nvme_subsystem have been released by nvme_free_ctrl. This could cause memory corruption. BUG: KASAN: use-after-free in radix_tree_next_chunk+0x9f/0x4b0 Read of size 8 at addr ffff88036494d2e8 by task fio/1815 CPU: 1 PID: 1815 Comm: fio Kdump: loaded Tainted: G W 4.17.0-rc1+ #18 Hardware name: LENOVO 10MLS0E339/3106, BIOS M1AKT22A 06/27/2017 Call Trace: dump_stack+0x91/0xeb print_address_description+0x6b/0x290 kasan_report+0x261/0x360 radix_tree_next_chunk+0x9f/0x4b0 ida_remove+0x8b/0x180 ida_simple_remove+0x26/0x40 nvme_free_ns_head+0x58/0xc0 __blkdev_put+0x30a/0x3a0 blkdev_close+0x44/0x50 __fput+0x184/0x380 task_work_run+0xaf/0xe0 do_exit+0x501/0x1440 do_group_exit+0x89/0x140 __x64_sys_exit_group+0x28/0x30 do_syscall_64+0x72/0x230 Signed-off-by: Jianchao Wang Reviewed-by: Christoph Hellwig Signed-off-by: Keith Busch Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- drivers/nvme/host/core.c | 5 +++++ 1 file changed, 5 insertions(+) --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -99,6 +99,7 @@ static struct class *nvme_subsys_class; static void nvme_ns_remove(struct nvme_ns *ns); static int nvme_revalidate_disk(struct gendisk *disk); +static void nvme_put_subsystem(struct nvme_subsystem *subsys); static __le32 nvme_get_log_dw10(u8 lid, size_t size) { @@ -353,6 +354,7 @@ static void nvme_free_ns_head(struct kre ida_simple_remove(&head->subsys->ns_ida, head->instance); list_del_init(&head->entry); cleanup_srcu_struct(&head->srcu); + nvme_put_subsystem(head->subsys); kfree(head); } @@ -2843,6 +2845,9 @@ static struct nvme_ns_head *nvme_alloc_n goto out_cleanup_srcu; list_add_tail(&head->entry, &ctrl->subsys->nsheads); + + kref_get(&ctrl->subsys->ref); + return head; out_cleanup_srcu: cleanup_srcu_struct(&head->srcu);