Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp4527502ybv; Mon, 10 Feb 2020 21:47:20 -0800 (PST) X-Google-Smtp-Source: APXvYqyUqGLjWGndOh5mFYQz7Apvc89Eauyf0kdlXG9PbxwwdGGrvGN2xOcOR8D7N/XRAyJICZha X-Received: by 2002:a05:6830:1011:: with SMTP id a17mr3712488otp.45.1581400040514; Mon, 10 Feb 2020 21:47:20 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1581400040; cv=none; d=google.com; s=arc-20160816; b=MbCx77npwdRQ67PN23wMdjKq8qgljO5Wg0Be+ECwv9N0U5VNF44wTTLKHESVNpdidU Tlf55psP3Z5g2awASJOiBEAMSQFzV2MAKYrRaIQZtI/j/qLrNgbF37Z7a1OqaVt7yiPF HOkqHi17AcKY+9QflbveJd7AVBwZhGhbj1ehPq6U/CK/THKSPNwaj7RjWth+zqyNfIlZ VSipy7Jn63GA5tg9ZjsfSxik6/pMDG8odu5Rwiz2ir6QWgHf/xpHiSLzNAnEa7v9KY23 8Af63ATmRh4Ct7uFZb4Qix1MycFPqzbLvx5c3CVqYr7vVO+38zVAG7ncE1CWQRrrySy+ mUhg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=Nt6QyHZ4wj1JoNsBO6oFj1OWbebXTup0ML+XttOkdHg=; b=quOMs88mIaAVGUEenu5KDuHGRzqfALaaVDcTvJ+GBdcYJWRTixEMLZkvGnH0VXSYwN lcrmqFVEk4ljbsTTXaCNTbzjtEDEcvWt/rtHiISxhwKgVTnjNSgqBI1nh2nC8ylJCUYK p8PQmsaZEYjzJIx4NHpYox91+oGv31VSHUg5elsKT/0GLwpOMgpnkiecTC8pNdk9xuhw rY21I0bBeYqo4os9PbptDc01rN1oALb3X07QyV2niWeDAtgGaPPTqgxZ93SbBJw+JjYX 9doovs/BK8FZCkFKENzZCYjX5sBfIV5E9j6cHTCUT29CaObcOd3NPnvWRhEdMvRgRYMc WTWQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id a7si1442806otp.11.2020.02.10.21.47.08; Mon, 10 Feb 2020 21:47:20 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728093AbgBKENA (ORCPT + 99 others); Mon, 10 Feb 2020 23:13:00 -0500 Received: from szxga05-in.huawei.com ([45.249.212.191]:9721 "EHLO huawei.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1727728AbgBKENA (ORCPT ); Mon, 10 Feb 2020 23:13:00 -0500 Received: from DGGEMS402-HUB.china.huawei.com (unknown [172.30.72.58]) by Forcepoint Email with ESMTP id 0053940FAABA12F48003; Tue, 11 Feb 2020 12:12:54 +0800 (CST) Received: from [127.0.0.1] (10.173.222.66) by DGGEMS402-HUB.china.huawei.com (10.3.19.202) with Microsoft SMTP Server id 14.3.439.0; Tue, 11 Feb 2020 12:12:49 +0800 Subject: Re: [v3] nbd: fix potential NULL pointer fault in nbd_genl_disconnect To: Mike Christie , , CC: , , References: <20200210073241.41813-1-sunke32@huawei.com> <5E418D62.8090102@redhat.com> From: "sunke (E)" Message-ID: Date: Tue, 11 Feb 2020 12:12:48 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101 Thunderbird/68.2.2 MIME-Version: 1.0 In-Reply-To: <5E418D62.8090102@redhat.com> Content-Type: text/plain; charset="UTF-8"; format=flowed Content-Transfer-Encoding: 8bit X-Originating-IP: [10.173.222.66] X-CFilter-Loop: Reflected Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 在 2020/2/11 1:05, Mike Christie 写道: > On 02/10/2020 01:32 AM, Sun Ke wrote: >> Open /dev/nbdX first, the config_refs will be 1 and >> the pointers in nbd_device are still null. Disconnect >> /dev/nbdX, then reference a null recv_workq. The >> protection by config_refs in nbd_genl_disconnect is useless. >> >> To fix it, just add a check for a non null task_recv in >> nbd_genl_disconnect. >> >> Signed-off-by: Sun Ke >> --- >> v1 -> v2: >> Add an omitted mutex_unlock. >> >> v2 -> v3: >> Add nbd->config_lock, suggested by Josef. >> --- >> drivers/block/nbd.c | 8 ++++++++ >> 1 file changed, 8 insertions(+) >> >> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c >> index b4607dd96185..870b3fd0c101 100644 >> --- a/drivers/block/nbd.c >> +++ b/drivers/block/nbd.c >> @@ -2008,12 +2008,20 @@ static int nbd_genl_disconnect(struct sk_buff *skb, struct genl_info *info) >> index); >> return -EINVAL; >> } >> + mutex_lock(&nbd->config_lock); >> if (!refcount_inc_not_zero(&nbd->refs)) { >> + mutex_unlock(&nbd->config_lock); >> mutex_unlock(&nbd_index_mutex); >> printk(KERN_ERR "nbd: device at index %d is going down\n", >> index); >> return -EINVAL; >> } >> + if (!nbd->recv_workq) { >> + mutex_unlock(&nbd->config_lock); >> + mutex_unlock(&nbd_index_mutex); >> + return -EINVAL; >> + } >> + mutex_unlock(&nbd->config_lock); >> mutex_unlock(&nbd_index_mutex); >> if (!refcount_inc_not_zero(&nbd->config_refs)) { >> nbd_put(nbd); >> > > With my other patch then we will not need this right? It handles your > case by just being integrated with the existing checks in: > > nbd_disconnect_and_put->nbd_clear_sock->sock_shutdown > > ... > > static void sock_shutdown(struct nbd_device *nbd) > { > > .... > > if (config->num_connections == 0) > return; > > > num_connections is zero for your case since we never did a > nbd_genl_disconnect so we would return here. > > > . > Hi Mike Your point is not right totally. Yes, config->num_connections is 0 and will return in sock_shutdown. Then it will back to nbd_disconnect_and_put and do flush_workqueue (nbd->recv_workq). nbd_disconnect_and_put ->nbd_clear_sock ->sock_shutdown ->flush_workqueue Thanks, Sun Ke