Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp4136149pxb;
        Mon, 27 Sep 2021 10:07:21 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyZYysQp2N/o0Upy1yPAuvZ9rwTPzMIE80nRz2uA1CDvBgDVZDxMzff6gjvGQwL3q6rxIU/
X-Received: by 2002:a62:7f01:0:b0:43c:ecef:98dd with SMTP id a1-20020a627f01000000b0043cecef98ddmr1088084pfd.50.1632762440858;
        Mon, 27 Sep 2021 10:07:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1632762440; cv=none;
        d=google.com; s=arc-20160816;
        b=N/tIk0VvEKti2YYR2ok6FBXfU3c9lSfU6TYl+xo2hqHa6YnP8RXxLoN7cD4InQXDhf
         vQxdBB/0GgltL3Z3pzLaXd778pxxxDKCWHz7EEbPdqA2XC4E9HuQOcGccV4zZB74rbgY
         DmezTnWMLQJgHm9CCuTKTxyWMrPMn/Jjhiws5ZGsp36x10DDHX1L78Z4WNpRpUCXBEau
         oO7gjLNbS6bzyX6RwHbSVTnIhr2SCHcUncorGb4uQCl5UZupZimk6Gt0t7Mf6sXX0PKX
         Cl6TxDDQ3KOYTojSK7gL2duTvP9kHt4NTEOj1fY873P73DN5kNJnw0I304P3nz2dRCF0
         w7oQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=kxYm5TnXZWExCigPZpwZAuQJPRNUZfM1gT1PGYz56Ko=;
        b=rUyydICPU89xdayA9CgLrrWzX1KmuVoqfvulajDurDG4LTUyX+3cOqpnhzKfuh2rQN
         uu9j6ca+cOcCpZMHPIm6ITWc9fHzXfFQvR4y7RhePhZQQRKhQviCf/afqFta/ZDlxL1w
         cOh7L9qKaKx0CnkkrhS5Akce4+w/VmARvxqutBTwfU/s7JNvKeWh3uIb+uEFvx904+kN
         0rXm1Hwbu8HpBK8yU7zCgPL0YMJMsWC+65e7By6vDtcX8QifGztaB9ga50WKhxzgAj9e
         RcxwoiDij4VPJujzIn52X9JYZhr/q01+cLVQSjCtwmBsuufUf9czPCBJNsD4ml4dwX8A
         E6bw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FhUv+YRh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id b14si5549604plh.41.2021.09.27.10.07.07;
        Mon, 27 Sep 2021 10:07:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=FhUv+YRh;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236093AbhI0RHm (ORCPT <rfc822;loic.yhuel@gmail.com> + 99 others);
        Mon, 27 Sep 2021 13:07:42 -0400
Received: from mail.kernel.org ([198.145.29.99]:46614 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S236085AbhI0RGz (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 27 Sep 2021 13:06:55 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id A765F61178;
        Mon, 27 Sep 2021 17:05:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1632762317;
        bh=A5CEHIsyIfqWQNoMi1xwrZ7ke7UFhHvp4MKZQM11BR4=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=FhUv+YRhH1uXf8DDH0O0HOqYdTjCvE2Tx9b4nFF8OvX0FZAr9uTSaYk87RKtDfEyn
         4bMvfZjkoftagl4i0KR7ESLB0M6vpFypuBhK1+PdAAPAoOYJT3aQ9WgqV/H/IJKILN
         KdG5s6fH0BAIIjTjsGBxswj2kQyDKviuVbH47ZHE=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Zhihao Cheng <chengzhihao1@huawei.com>,
        Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.4 45/68] blktrace: Fix uaf in blk_trace access after removing by sysfs
Date:   Mon, 27 Sep 2021 19:02:41 +0200
Message-Id: <20210927170221.522893587@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210927170219.901812470@linuxfoundation.org>
References: <20210927170219.901812470@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhihao Cheng <chengzhihao1@huawei.com>

[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]

There is an use-after-free problem triggered by following process:

      P1(sda)				P2(sdb)
			echo 0 > /sys/block/sdb/trace/enable
			  blk_trace_remove_queue
			    synchronize_rcu
			    blk_trace_free
			      relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
			        relay_close_buf
				  relay_destroy_buf
				    kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[  502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

Fixes: c71a896154119f ("blktrace: add ftrace plugin")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/blktrace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index 884333b9fc76..749b27851f45 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1656,6 +1656,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
 	if (bt == NULL)
 		return -EINVAL;
 
+	if (bt->trace_state == Blktrace_running) {
+		bt->trace_state = Blktrace_stopped;
+		spin_lock_irq(&running_trace_lock);
+		list_del_init(&bt->running_list);
+		spin_unlock_irq(&running_trace_lock);
+		relay_flush(bt->rchan);
+	}
+
 	put_probe_ref();
 	synchronize_rcu();
 	blk_trace_free(bt);
-- 
2.33.0