Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4295631ybl; Tue, 21 Jan 2020 17:09:15 -0800 (PST) X-Google-Smtp-Source: APXvYqzleCjiZYEYnR6PNB3uqUuDAfT70AnFRMyP3Enh+biLuN1QWWWgUMhn3j7jis657iSldjEA X-Received: by 2002:a05:6830:1198:: with SMTP id u24mr5419552otq.215.1579655355824; Tue, 21 Jan 2020 17:09:15 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579655355; cv=none; d=google.com; s=arc-20160816; b=vZcv+nnnPndmTQSNsuTHU8hAiBWfn8TXKQ/c1dsvhwMqfWWZPW2EEflE588nTg9UrW hq/CCk0PXbk2eoejIhrCy46ZEmwdyo7bo+k7MpyIIjaQx7xJ9dDJImLGDa7w/ili/bqb LKoZSLX8V/mGHkLyprwSfbTjKbBGTzZSX3/68OGTGIdv1zE2xqb7ryFCWS0KkWFRnARy X74FznB7WufolKThlSYUYuZDEEtTjqZh6GSxKWzgHuK4fF8rmfgPm8QpWqCeXHzdAbxq gh8WoMzUEur4iQsnpvYlLOAvDaTGL2RUGuZkLCLzs91p9gjEDZJFmiNq0Dxurf4v/tQF tdwA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:cc:references:to :subject:dkim-signature; bh=viOBq0Oy9N+6NbeXzcqoYU7boYVlTm9ZppUHXuFh0Mo=; b=JkrLRbCh3pRb8eff7ybOq3xOSNENlblfIlDTq/vHFqcDQ1hY3Yud1D/cMWlR6naNpz p7UhsbsO6xQz/TuptPUNV9OSjmM421azXJVGdhMoUDtOTXCNm4MAH1QxkyVO4AM+wR5f pLZzAKxmCR5WZxfQ9s+uHo4kkuvi1z5UAOpX32SPtYy6f6xCqzw1R/bZhjtCCh9ZKbSC nY6Eot/4sP0E5WxW4HCNpH3+f1H2YcShBZAW1KwxoUMrOJOGWZC0SaWWYYDd63h3N8aB TzNKBacbR32JTfz8dPlGhscPYFu+04hRDREu7lMMs/AGsUbJSP4st+LTsw3AYEK2eFM9 kepQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=f9X20gY0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x16si20801793otp.184.2020.01.21.17.09.01; Tue, 21 Jan 2020 17:09:15 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=f9X20gY0; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728928AbgAVBGk (ORCPT + 99 others); Tue, 21 Jan 2020 20:06:40 -0500 Received: from us-smtp-2.mimecast.com ([207.211.31.81]:56613 "EHLO us-smtp-delivery-1.mimecast.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1728609AbgAVBGk (ORCPT ); Tue, 21 Jan 2020 20:06:40 -0500 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1579655199; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: content-transfer-encoding:content-transfer-encoding: in-reply-to:in-reply-to:references:references; bh=viOBq0Oy9N+6NbeXzcqoYU7boYVlTm9ZppUHXuFh0Mo=; b=f9X20gY0vEDC2cfQs+LqQjBXyVrFlIQasXZi2Xie4XVIJn7zgF02bX0KpjWmvjykHRDcHD FcMh9SL7EK6Njj2R75bZBeS0trTherFo5fuzghb7QvymbtpHDtHjM/2TfIo7Ss60SCXCQ/ kpinLq2YGC0TQy8btw5ETfjw+KPBQnE= Received: from mimecast-mx01.redhat.com (mimecast-mx01.redhat.com [209.132.183.4]) (Using TLS) by relay.mimecast.com with ESMTP id us-mta-163-zW94sMSePQK3sgoIck_AWw-1; Tue, 21 Jan 2020 20:06:37 -0500 X-MC-Unique: zW94sMSePQK3sgoIck_AWw-1 Received: from smtp.corp.redhat.com (int-mx02.intmail.prod.int.phx2.redhat.com [10.5.11.12]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by mimecast-mx01.redhat.com (Postfix) with ESMTPS id 3676C107ACC4; Wed, 22 Jan 2020 01:06:36 +0000 (UTC) Received: from [10.10.120.159] (ovpn-120-159.rdu2.redhat.com [10.10.120.159]) by smtp.corp.redhat.com (Postfix) with ESMTP id 0CEA360BE0; Wed, 22 Jan 2020 01:06:34 +0000 (UTC) Subject: Re: [v2] nbd: fix potential NULL pointer fault in nbd_genl_disconnect To: Josef Bacik , Sun Ke , axboe@kernel.dk References: <20200120124549.27648-1-sunke32@huawei.com> <8bb961fe-3412-9c3c-ad9b-54d446e90bf0@toxicpanda.com> Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org From: Mike Christie Message-ID: <5E27A01A.3040600@redhat.com> Date: Tue, 21 Jan 2020 19:06:34 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:38.0) Gecko/20100101 Thunderbird/38.6.0 MIME-Version: 1.0 In-Reply-To: <8bb961fe-3412-9c3c-ad9b-54d446e90bf0@toxicpanda.com> Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit X-Scanned-By: MIMEDefang 2.79 on 10.5.11.12 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 01/21/2020 08:09 AM, Josef Bacik wrote: > On 1/20/20 7:45 AM, Sun Ke wrote: >> Open /dev/nbdX first, the config_refs will be 1 and >> the pointers in nbd_device are still null. Disconnect >> /dev/nbdX, then reference a null recv_workq. The >> protection by config_refs in nbd_genl_disconnect is useless. >> >> To fix it, just add a check for a non null task_recv in >> nbd_genl_disconnect. >> >> Signed-off-by: Sun Ke >> --- >> v1 -> v2: >> >> add an omitted mutex_unlock. >> --- >> drivers/block/nbd.c | 4 ++++ >> 1 file changed, 4 insertions(+) >> >> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c >> index b4607dd96185..668bc9cb92ed 100644 >> --- a/drivers/block/nbd.c >> +++ b/drivers/block/nbd.c >> @@ -2008,6 +2008,10 @@ static int nbd_genl_disconnect(struct sk_buff >> *skb, struct genl_info *info) >> index); >> return -EINVAL; >> } >> + if (!nbd->task_recv) { >> + mutex_unlock(&nbd_index_mutex); >> + return -EINVAL; >> + } >> if (!refcount_inc_not_zero(&nbd->refs)) { >> mutex_unlock(&nbd_index_mutex); >> printk(KERN_ERR "nbd: device at index %d is going down\n", >> > > This doesn't even really protect us, we need to have the > nbd->config_lock held here to make sure it's ok. The IOCTL path is safe > because it creates the device on open so it's sure to exist by the time > we get to the disconnect, we don't have that for genl_disconnect. So > I'd add the config_mutex before getting the config_ref, and then do the > check, something like > > mutex_lock(&nbd->config_lock); > if (!refcount_inc_not_zero(&nbd->refs)) { > } > if (!nbd->recv_workq) { > } > mutex_unlock(&nbd->config_lock); > We will be doing a mix of checks/behavior. Maybe we want to settle on one? It seems the code, before my patch, would let you do a open() then do a nbd_genl_disconnect. This function would then try to cleanup what it could and return success. To keep the current behavior/style in nbd_disconnect_and_put would you want to do: nbd_disconnect_and_put() .... if (nbd->task_recv) flush_workqueue(nbd->recv_workq); ? Alternatively, I think if we want to make it so calling nbd_genl_disconnect is not allowed on a device that we have not done a successful nbd_genl_connect/nbd_start_device call on then we want to add the new state bit to indicate nbd_start_device was successful. Or, we could stick to one variable that gets set at start and always use that to indicate nbd_start_device was called ok. For example, for nbd_genl_reconfigure we already check if task_recv is set to check if nbd_start_device was called successfully.