Date: Fri, 3 Apr 2020 16:19:29 +0800
From: Ming Lei
To: Luis Chamberlain
Cc: axboe@kernel.dk, viro@zeniv.linux.org.uk, gregkh@linuxfoundation.org, rostedt@goodmis.org, mingo@redhat.com, jack@suse.cz, nstange@suse.de, mhocko@suse.com, linux-block@vger.kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com
Subject: Re: [RFC 0/3] block: address blktrace use-after-free
Message-ID: <20200403081929.GC6887@ming.t460p>
References: <20200402000002.7442-1-mcgrof@kernel.org>
In-Reply-To: <20200402000002.7442-1-mcgrof@kernel.org>

On Wed, Apr 01, 2020 at 11:59:59PM +0000, Luis Chamberlain wrote:
> Upstream kernel.org korg#205713 contends that there is a UAF in
> the core debugfs debugfs_remove() function, and has gone through
> pushing for a CVE for this, CVE-2019-19770.
>
> If correct then parent dentries are not positive, and this would
> have implications far beyond this bug report. Thankfully, upon review
> with Nicolai, he wasn't buying it. His suspicions that this was just
> a blktrace issue were spot on, and this patch series demonstrates
> that, provides a reproducer, and provides a solution to the issue.
>
> We therefore would like to contend CVE-2019-19770 as invalid. The
> implications suggested are not correct, and this issue is only
> triggerable with root, by shooting yourself in the foot by misusing
> blktrace.
>
> If you want this on a git tree, you can get it from linux-next
> 20200401-blktrace-fix-uaf branch [2].
>
> Wider review, testing, and rants are appreciated.
>
> [0] https://bugzilla.kernel.org/show_bug.cgi?id=205713
> [1] https://nvd.nist.gov/vuln/detail/CVE-2019-19770
> [2] https://git.kernel.org/pub/scm/linux/kernel/git/mcgrof/linux-next.git/log/?h=20200401-blktrace-fix-uaf
>
> Luis Chamberlain (3):
>   block: move main block debugfs initialization to its own file
>   blktrace: fix debugfs use after free
>   block: avoid deferral of blk_release_queue() work
>
>  block/Makefile               |  1 +
>  block/blk-core.c             |  9 +--------
>  block/blk-debugfs.c          | 27 +++++++++++++++++++++++++++
>  block/blk-mq-debugfs.c       |  5 -----
>  block/blk-sysfs.c            | 21 ++++++++------------
>  block/blk.h                  | 17 +++++++++++++++++
>  include/linux/blktrace_api.h |  1 -
>  kernel/trace/blktrace.c      | 19 ++++++++-----------
>  8 files changed, 62 insertions(+), 38 deletions(-)
>  create mode 100644 block/blk-debugfs.c

BTW, Yu Kuai posted one patch for this issue; it looks like that approach is simpler:

https://lore.kernel.org/linux-block/20200324132315.22133-1-yukuai3@huawei.com/

Thanks,
Ming