Received: by 2002:a05:6a11:4021:0:0:0:0 with SMTP id ky33csp4143956pxb;
        Mon, 27 Sep 2021 10:16:24 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz9gZK70kJDSSl8sYWhfYambgsKVxB3vJIzW5iC0sHwJb6PgFOq4LKem0bBFm6EZItmFGEW
X-Received: by 2002:a17:90b:4d08:: with SMTP id mw8mr188832pjb.97.1632762984522;
        Mon, 27 Sep 2021 10:16:24 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1632762984; cv=none;
        d=google.com; s=arc-20160816;
        b=WJl8wcDFvs+6hlqUnTOYne3OzBlEDosNSKguKeSjg/8aZEvcLuOoWfSn+U/dNeOHkG
         MHZ1llrcJa0jU7sY1DLQkiHnGHbknsH36IWD8HyNpfrIctnU5iESH6c0NvisIWto+scQ
         yJI8XqHtlyeHpA3Lg18XR/R7ApgFJyWTrW/xCwIRYJ3vpSRQVWPQ9oJQKT7RnzHuxheN
         nxSJwQ07688AEBDIAGgq6u52yTnL0nev7KkYCshwwuGItxcjtq84PU3DUjbDkZ0P6nMu
         PCKtJpxh3z43j+6OuI3B4IJhsG6PrwQrr7IFBDEFRsv4lQ/r71o/T+CxEXMTZT/GzHY5
         cA0w==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=iONJ+0x4HUqk7zrZCZo9PsRSA0dC4UU8DibYFsqunwg=;
        b=VQPCORZbc4SB8fguQvTSKccP3JcjzCuZhqynIz7nPZdbHg+AidhrNCmY3B6bhj7ymC
         dGzHds4gzrITd9/GEIBVkMv/2x6tjtHnHA0VpKmy/9BFiSnflVDgOmbU1E2/GdHFgRV4
         bjg+0U+EMpkCyQr/Y6VqBdADdO/tDJNR/LZEOtkWnVZFdnEsKwUrZV+QTVhz3CQKF++8
         vAlf5emjSF38jcN2Zlp+Myl+796v2vR+P5t8H/ByhhLljYrsLJQTGUSDuxXVm7kO3wbP
         3fAGZWqnN+mfWKC2osJcN/75k9JJ43A6NYZq4dnXu5YE/dedp49kiAI1ro1npJd+Z69h
         2Q8g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=2NRmga38;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id n14si21240164pgv.296.2021.09.27.10.16.11;
        Mon, 27 Sep 2021 10:16:24 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=2NRmga38;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S236076AbhI0RPt (ORCPT <rfc822;loic.yhuel@gmail.com> + 99 others);
        Mon, 27 Sep 2021 13:15:49 -0400
Received: from mail.kernel.org ([198.145.29.99]:54388 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S236998AbhI0RNa (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 27 Sep 2021 13:13:30 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id B3B0061355;
        Mon, 27 Sep 2021 17:09:23 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1632762564;
        bh=t2tqLgoZvdT9jejSsLrnROND2E82MIow2rxULr6fum8=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=2NRmga386fok7fTbKgLpTRNXKk0EqdNY89iNe2f2sD+NE/+VqA2v15O2bnU3Ln+Vg
         UB+KD5UzhrUY6cEQfDpQJy/YQc/IfXwJ2/JDnmSnaqgV/wGCPcixPY0KrLt5Ub/+ss
         CKs9lf36tcAKSBAOGFQuJZxkGODmdS6lmOvRzN/4=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Zhihao Cheng <chengzhihao1@huawei.com>,
        Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 072/103] blktrace: Fix uaf in blk_trace access after removing by sysfs
Date:   Mon, 27 Sep 2021 19:02:44 +0200
Message-Id: <20210927170228.257233498@linuxfoundation.org>
X-Mailer: git-send-email 2.33.0
In-Reply-To: <20210927170225.702078779@linuxfoundation.org>
References: <20210927170225.702078779@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Zhihao Cheng <chengzhihao1@huawei.com>

[ Upstream commit 5afedf670caf30a2b5a52da96eb7eac7dee6a9c9 ]

There is an use-after-free problem triggered by following process:

      P1(sda)				P2(sdb)
			echo 0 > /sys/block/sdb/trace/enable
			  blk_trace_remove_queue
			    synchronize_rcu
			    blk_trace_free
			      relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
			        relay_close_buf
				  relay_destroy_buf
				    kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[  502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

Fixes: c71a896154119f ("blktrace: add ftrace plugin")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 kernel/trace/blktrace.c | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index f1022945e346..b89ff188a618 100644
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -1670,6 +1670,14 @@ static int blk_trace_remove_queue(struct request_queue *q)
 	if (bt == NULL)
 		return -EINVAL;
 
+	if (bt->trace_state == Blktrace_running) {
+		bt->trace_state = Blktrace_stopped;
+		spin_lock_irq(&running_trace_lock);
+		list_del_init(&bt->running_list);
+		spin_unlock_irq(&running_trace_lock);
+		relay_flush(bt->rchan);
+	}
+
 	put_probe_ref();
 	synchronize_rcu();
 	blk_trace_free(bt);
-- 
2.33.0