Date: Thu, 5 Mar 2020 09:05:18 -0500
From: Steven Rostedt
To: Cengiz Can
Cc: Jens Axboe, Ingo Molnar, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] blktrace: fix dereference after null check
Message-ID: <20200305090518.728d8cc5@gandalf.local.home>
In-Reply-To: <20200304105818.11781-1-cengiz@kernel.wtf>
References: <20200304105818.11781-1-cengiz@kernel.wtf>
X-Mailing-List: linux-kernel@vger.kernel.org

On Wed, 4 Mar 2020 13:58:19 +0300 Cengiz Can wrote:

> There was a recent change in blktrace.c that added a RCU protection to
> `q->blk_trace` in order to fix a use-after-free issue during access.
>
> However the change missed an edge case that can lead to dereferencing of
> `bt` pointer even when it's NULL:
>
> Coverity static analyzer marked this as a FORWARD_NULL issue with CID
> 1460458.
>
> ```
> /kernel/trace/blktrace.c: 1904 in sysfs_blk_trace_attr_store()
> 1898         ret = 0;
> 1899         if (bt == NULL)
> 1900                 ret = blk_trace_setup_queue(q, bdev);
> 1901
> 1902         if (ret == 0) {
> 1903                 if (attr == &dev_attr_act_mask)
> >>>     CID 1460458: Null pointer dereferences (FORWARD_NULL)
> >>>     Dereferencing null pointer "bt".
> 1904                         bt->act_mask = value;
> 1905                 else if (attr == &dev_attr_pid)
> 1906                         bt->pid = value;
> 1907                 else if (attr == &dev_attr_start_lba)
> 1908                         bt->start_lba = value;
> 1909                 else if (attr == &dev_attr_end_lba)
> ```
>
> Added a reassignment with RCU annotation to fix the issue.
>
> Fixes: c780e86dd48 ("blktrace: Protect q->blk_trace with RCU")
>
> Signed-off-by: Cengiz Can

Reviewed-by: Steven Rostedt (VMware)

-- Steve

> ---
>
> Patch Changelog
> * v2: Added RCU annotation to assignment
>
> kernel/trace/blktrace.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
> > diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c > index 4560878f0bac..ca39dc3230cb 100644 > --- a/kernel/trace/blktrace.c > +++ b/kernel/trace/blktrace.c > @@ -1896,8 +1896,11 @@ static ssize_t sysfs_blk_trace_attr_store(struct device *dev, > } > > ret = 0; > - if (bt == NULL) > + if (bt == NULL) { > ret = blk_trace_setup_queue(q, bdev); > + bt = rcu_dereference_protected(q->blk_trace, > + lockdep_is_held(&q->blk_trace_mutex)); > + } > > if (ret == 0) { > if (attr == &dev_attr_act_mask) > -- > 2.25.1
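
Review bot: The reload of `bt` inside the new `if (bt == NULL) { ... }` block is unconditional, so it also runs when `blk_trace_setup_queue(q, bdev)` returns an error; that is harmless only because every `bt->` store below sits under `if (ret == 0)`. The fix therefore depends on `blk_trace_setup_queue()` returning 0 only after it has published a non-NULL `q->blk_trace`, which the hunk does not show. A one-line comment above the `rcu_dereference_protected()` call stating that the setup call installs `q->blk_trace` and that the local copy must be refreshed would make that dependency explicit, and moving the reload under a `ret == 0` check would keep the error path from touching the pointer at all. The `lockdep_is_held(&q->blk_trace_mutex)` condition also assumes the mutex is taken earlier in `sysfs_blk_trace_attr_store()`, outside the visible context, which is worth confirming against the full function.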