Received: by 2002:a25:c205:0:0:0:0:0 with SMTP id s5csp3449079ybf; Tue, 3 Mar 2020 06:16:38 -0800 (PST) X-Google-Smtp-Source: ADFU+vsTTtyqXr1ur/QBPZ7sumQK7oNmXKxpT7ghPygM0IeOFrAUXA+9DXPukjNuYk3vKI+uGxqQ X-Received: by 2002:aca:2303:: with SMTP id e3mr147446oie.74.1583244998251; Tue, 03 Mar 2020 06:16:38 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1583244998; cv=none; d=google.com; s=arc-20160816; b=slM5x2KYaOLgXTTCk3IgrHrtFswXdDD4NZEudP6BftGlkov008mLSlBpPkkkMfNsXP rEIt/OecTDXk2/o0ApNjyUthBYUKhsmWWHEA2/ecxdHzN4eY5LJMPZ0V89NX0WQmHaPT AK7tWIdcBhA84jC2ujO1doYU4plmymSl/Ge4uyLLEa0X4PJIU/VrjpKsCdqNGuFGmbHT /dXwp6MOikFJx12NwpDpnscMhbY0mQOKcIXQuFDQy5jjaogH9TK4vYO0FoivzPSFqx0n Z52yHsNOp5JIgBc++jQuBqBCokr1MarYRtwWwfEZr55QIQN5djJM/utZOcpE+U0Hn87t dZTw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:subject:cc:to:from:date; bh=01z8+KBBaO+CyRefEcOh9xJWY+SRiP69OjqKxweKJT0=; b=IdBHVdOlqa4/doFH1rKrvOdm48Y1tmAEypP6GPWUimd0GMmmqc/3aKMUG8FkkZfelB qG+EsnBkcR1RrtUKSqNggydEzFAsWhk3RD9ox1toDxI1ZioanG1puyYpIxzCpGAql14u 8kSYQQQ19W2WylzJySjhFpMVCHXnWeUC1D8JJP0EelMRkwJIwYal7J/Xeub9UDAcdm3B sOHuRcfFmyqutUL8RmBuynx8drEgzm85qJ79vBFJFD1oTorXHBH6I69dDa6Lap8/JN96 8uMIUlEVhiCl2y+hsf3m3/BmniGO1M0kFnIsvs8e0r6ViVnSrsUb2rxCsW/9BsWoq8HA 9MBA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id p184si3654941oic.39.2020.03.03.06.16.19; Tue, 03 Mar 2020 06:16:38 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1728794AbgCCOOj (ORCPT + 99 others); Tue, 3 Mar 2020 09:14:39 -0500 Received: from mail.kernel.org ([198.145.29.99]:52004 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726536AbgCCOOj (ORCPT ); Tue, 3 Mar 2020 09:14:39 -0500 Received: from gandalf.local.home (cpe-66-24-58-225.stny.res.rr.com [66.24.58.225]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 24A1320838; Tue, 3 Mar 2020 14:14:38 +0000 (UTC) Date: Tue, 3 Mar 2020 09:14:36 -0500 From: Steven Rostedt To: Cengiz Can Cc: Jens Axboe , Ingo Molnar , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] blktrace: fix dereference after null check Message-ID: <20200303091436.2e7ab191@gandalf.local.home> In-Reply-To: <20200303073358.57799-1-cengiz@kernel.wtf> References: <20200303073358.57799-1-cengiz@kernel.wtf> X-Mailer: Claws Mail 3.17.3 (GTK+ 2.24.32; x86_64-pc-linux-gnu) MIME-Version: 1.0 Content-Type: text/plain; charset=US-ASCII Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 3 Mar 2020 10:33:59 +0300 Cengiz Can wrote: > There was a recent change in blktrace.c that added a RCU protection to > `q->blk_trace` in order to fix a use-after-free issue during access. > > However the change missed an edge case that can lead to dereferencing of > `bt` pointer even when it's NULL: > > ``` > bt->act_mask = value; // bt can still be NULL here > ``` > > Added a reassignment into the NULL check block to fix the issue. Note, you should probably add a note in your change log that this issue was found by Coverity. Sometimes static analyzers have a tag of some kind that they would like patches that fix the issues they discover to be in the change log. This way they can track the fixes that are found by the tool. > > Fixes: c780e86dd48 ("blktrace: Protect q->blk_trace with RCU") > > Signed-off-by: Cengiz Can > --- > Huge thanks goes to Steven Rostedt for his assistance. > > kernel/trace/blktrace.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c > index 4560878f0bac..29ea88f10b87 100644 > --- a/kernel/trace/blktrace.c > +++ b/kernel/trace/blktrace.c > @@ -1896,8 +1896,10 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev, > } > > ret = 0; > - if (bt == NULL) > + if (bt == NULL) { > ret = blk_trace_setup_queue(q, bdev); > + bt = q->blk_trace; As I said in the other email, the above assignment still needs RCU annotation: bt = rcu_dereference_protected(q->blk_trace, lockdep_is_held(&q->blk_trace_mutex)); Otherwise, other static analyzers will flag this as a problem. -- Steve > + } > > if (ret == 0) { > if (attr == &dev_attr_act_mask) > -- > 2.25.1