From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Sarah Newman, Lars Ellenberg, Jens Axboe
Subject: [PATCH 4.9 23/52] drbd: fix access after free
Date: Tue, 10 Jul 2018 20:24:51 +0200
Message-Id: <20180710182451.706696675@linuxfoundation.org>
In-Reply-To: <20180710182449.285532226@linuxfoundation.org>
References: <20180710182449.285532226@linuxfoundation.org>
X-stable: review

4.9-stable review patch. If anyone has any objections, please let me know.

------------------
From: Lars Ellenberg

commit 64dafbc9530c10300acffc57fae3269d95fa8f93 upstream.

We have
  struct drbd_requests { ... struct bio *private_bio; ... }
to hold a bio clone for local submission.

On local IO completion, we put that bio, and in case we want to use the result later, we overload that member to hold the ERR_PTR() of the completion result, which, before v4.3, used to be the passed-in "int error", so we could first bio_put(), then assign.

v4.3-rc1~100^2~21 4246a0b63bd8 block: add a bi_error field to struct bio
changed that:

  bio_put(req->private_bio);
- req->private_bio = ERR_PTR(error);
+ req->private_bio = ERR_PTR(bio->bi_error);

Which introduces an access after free, because it was non-obvious that req->private_bio == bio.

Impact of that was mostly unnoticeable, because we only use that value in a multiple-failure case, and even then map any "unexpected" error code to EIO, so worst case we could potentially mask a more specific error with EIO in a multiple-failure case.

Unless the pointed-to memory region was unmapped, as is the case with CONFIG_DEBUG_PAGEALLOC, in which case this results in

  BUG: unable to handle kernel paging request

v4.13-rc1~70^2~75 4e4cbee93d56 block: switch bios to blk_status_t
changes it further to

  bio_put(req->private_bio);
  req->private_bio = ERR_PTR(blk_status_to_errno(bio->bi_status));

And blk_status_to_errno() now contains a WARN_ON_ONCE() for unexpected values, which catches this "sometimes", if the memory has been reused quickly enough for other things.

Should also go into stable since 4.3, with the trivial change around 4.13.

Cc: stable@vger.kernel.org
Fixes: 4246a0b63bd8 block: add a bi_error field to struct bio
Reported-by: Sarah Newman
Signed-off-by: Lars Ellenberg
Signed-off-by: Jens Axboe
Signed-off-by: Greg Kroah-Hartman

---
 drivers/block/drbd/drbd_worker.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- a/drivers/block/drbd/drbd_worker.c
+++ b/drivers/block/drbd/drbd_worker.c
@@ -269,8 +269,8 @@ void drbd_request_endio(struct bio *bio) what = COMPLETED_OK; } - bio_put(req->private_bio); req->private_bio = ERR_PTR(bio->bi_error); + bio_put(bio); /* not req_mod(), we need irqsave here! */ spin_lock_irqsave(&device->resource->req_lock, flags);
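Review bot: the hunk still lacks a comment recording the aliasing that made the old order wrong, so a later cleanup does not swap the two lines back; above the new `bio_put(bio);` add something like `/* req->private_bio == bio: read bi_error before the last put */`. The reorder itself is the right fix, and putting `bio` rather than `req->private_bio` is required since that member no longer holds the bio once the `ERR_PTR(bio->bi_error)` context line has run. Keeping the `bi_error` form in this 4.9 backport, instead of the upstream `blk_status_to_errno(bio->bi_status)` variant, matches the commit message's note that the latter only applies from 4.13.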
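The access-after-free the commit message describes, modelled as an added stand-alone C example rather than drbd or kernel code: the request's private_bio member aliases the completing bio, and the toy bio_put() poisons the object on its last reference (a constructed stand-in for kfree() under slab poisoning or CONFIG_DEBUG_PAGEALLOC) so the read-after-put is observable instead of undefined.

```c
#include <errno.h>
#include <stdint.h>

/* Added example, not drbd code. A request's private_bio aliases the bio
 * handed to the completion handler and is then overloaded to carry the
 * ERR_PTR() of the result, so the order of "put" and "read bi_error"
 * decides whether freed memory is read. Names mirror the kernel's. */
#define ERR_PTR(err) ((void *)(intptr_t)(err))
#define PTR_ERR(ptr) ((int)(intptr_t)(ptr))
#define POISON_ERR   (-0x6b6b6b6b) /* constructed: stands in for slab poison */

struct bio { int bi_refcnt; int bi_error; };
struct drbd_request { struct bio *private_bio; };

/* Toy bio_put(): on the last reference the object is "freed" by poisoning
 * its fields, so a read-after-put shows up as POISON_ERR. */
static void bio_put(struct bio *bio)
{
    if (--bio->bi_refcnt == 0)
        bio->bi_error = POISON_ERR;
}

/* Ordering before the fix: put through the alias, then read from the bio. */
static int endio_before_fix(struct drbd_request *req, struct bio *bio)
{
    bio_put(req->private_bio);                  /* same object as bio      */
    req->private_bio = ERR_PTR(bio->bi_error);  /* reads "freed" memory    */
    return PTR_ERR(req->private_bio);
}

/* Ordering after the fix (commit 64dafbc9530c): capture the result first. */
static int endio_after_fix(struct drbd_request *req, struct bio *bio)
{
    req->private_bio = ERR_PTR(bio->bi_error);  /* bio still live here */
    bio_put(bio);                               /* now it may go away  */
    return PTR_ERR(req->private_bio);
}

/* One completion with a request whose private_bio aliases the completing bio. */
static int complete_with(int (*endio)(struct drbd_request *, struct bio *),
                         int error)
{
    struct bio bio = { .bi_refcnt = 1, .bi_error = error };
    struct drbd_request req = { .private_bio = &bio };
    return endio(&req, &bio);
}
```

With a real allocator the pre-fix path returns whatever happens to occupy the freed slot, which is why the kernel's later WARN_ON_ONCE() in blk_status_to_errno() only caught it "sometimes".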