Received: by 2002:a05:6358:111d:b0:dc:6189:e246 with SMTP id f29csp1187392rwi; Thu, 3 Nov 2022 02:08:02 -0700 (PDT) X-Google-Smtp-Source: AMsMyM6um8b1zmsnuRUXOFQ9BidcTSQEADO8E6GKw826AggJGpzd4jgnsknr0OrDIUQsRqTxi9J9 X-Received: by 2002:a17:906:504f:b0:7ad:fc14:fed2 with SMTP id e15-20020a170906504f00b007adfc14fed2mr8550367ejk.611.1667466482359; Thu, 03 Nov 2022 02:08:02 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1667466482; cv=none; d=google.com; s=arc-20160816; b=nIuRLFntRYZuyXC8r3jhqoAtqLO0jId0X6JokfdmTjA4LHCmdqCnEnp/no+vYR2VPy hHKzWiVoGoZZm01HACv/vy48J+2vJDj898IwxiAVsSkBUgHYCYBV4YSZLY0ZR52NSls/ Auwn7FgVj/wBVbG3L8x+Py4lCRnRexj/pzuwB4Cj7dxswlZO9KwiP3zbeQGI6ie1GWJY IhnmaLKl3ytcZV+gOgCKLby8G4jCJE05iGXWsGOOmI/KEQpmMKCL3lALDNdGw3UnNKIM ka1aDNtocZ+rNPwR5evsB/2valZCiTRr6RhAOQvH/B7mXwJ3/RFS+8X2zCI+8lAZdZyL u8WQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:user-agent:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=NH9gR6a3TW9qoMC1t0N4rUT4ROGaDfZpSisNlTZGva8=; b=Ys68ah2UteSStNvRbakPx7gK3OZIsZ9Kho2kRpJuNvYZF1DQSlULkRei12fydZiyyp r7QUxt3l9wRvQvpH6uDOafG3VORQlZAKbSUGibnieTq/wWxedEmkBWPs/3YxTySE7zr7 U0bkvVhD4xtaCV5wWUtfa0J7ZLYbJGPJnkoqHVQjciGbFqyJAPyPSqOIsfsXGCqKHRsV I6gKhDIOc3AItC2fiyGLVUsD96tvADn2umF7aaG0boThWqfBIh4w+a5t+rC1GSHDYlr8 iGRYXHaUWP+KkOADV0F3Ed7bX1MWJC0cc1zefyOrHfu459ItEgBtUE/ZmUrOZfSXJgyK BolQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id y9-20020a056402270900b0046013b7e7efsi592591edd.631.2022.11.03.02.07.39; Thu, 03 Nov 2022 02:08:02 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229754AbiKCIMS (ORCPT + 97 others); Thu, 3 Nov 2022 04:12:18 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60008 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229487AbiKCIMQ (ORCPT ); Thu, 3 Nov 2022 04:12:16 -0400 Received: from verein.lst.de (verein.lst.de [213.95.11.211]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7B887B1; Thu, 3 Nov 2022 01:12:15 -0700 (PDT) Received: by verein.lst.de (Postfix, from userid 2407) id 1C23868AA6; Thu, 3 Nov 2022 09:12:12 +0100 (CET) Date: Thu, 3 Nov 2022 09:12:11 +0100 From: Christoph Hellwig To: Yu Kuai Cc: hch@lst.de, axboe@kernel.dk, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com, yi.zhang@huawei.com Subject: Re: [PATCH 2/2] block: fix use after free for bd_holder_dir Message-ID: <20221103081211.GB3346@lst.de> References: <20221103025541.1875809-1-yukuai1@huaweicloud.com> <20221103025541.1875809-3-yukuai1@huaweicloud.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20221103025541.1875809-3-yukuai1@huaweicloud.com> User-Agent: Mutt/1.5.17 (2007-11-01) X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,SPF_HELO_NONE, SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Nov 03, 2022 at 10:55:41AM +0800, Yu Kuai wrote: > From: Yu Kuai > > Currently, the caller of bd_link_disk_holer() get 'bdev' by > blkdev_get_by_dev(), which will look up 'bdev' by inode number 'dev'. > Howerver, it's possible that del_gendisk() can be called currently, and > 'bd_holder_dir' can be freed before bd_link_disk_holer() access it, thus > use after free is triggered. > > t1: t2: > bdev = blkdev_get_by_dev > del_gendisk > kobject_put(bd_holder_dir) > kobject_free() > bd_link_disk_holder > > Fix the problem by checking disk is still live and grabbing a reference > to 'bd_holder_dir' first in bd_link_disk_holder(). Looks good with some minor stilistic nipicks: > + if (!disk_live(bdev->bd_disk)) { > + mutex_unlock(&bdev->bd_disk->open_mutex); > + return -ENODEV; > + } This can use a goto out_unlock; > holder->refcnt++; > + kobject_put(bdev->bd_holder_dir); > goto out_unlock; > } > > holder = kzalloc(sizeof(*holder), GFP_KERNEL); > if (!holder) { > ret = -ENOMEM; > + kobject_put(bdev->bd_holder_dir); > goto out_unlock; > } > > @@ -101,16 +114,12 @@ int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk) > ret = __link_disk_holder(bdev, disk); > if (ret) { > kfree(holder); > + kobject_put(bdev->bd_holder_dir); And I think a goto out_put_holder and out_free_holder would clean this up nicely. > list_add(&holder->list, &disk->slave_bdevs); > - /* > - * del_gendisk drops the initial reference to bd_holder_dir, so we need > - * to keep our own here to allow for cleanup past that point. > - */ > - kobject_get(bdev->bd_holder_dir); .. with this then jumping straight to out_unlock. We should repost a series with my first 7 patches and your two. I can do that, but it might take some time as I just got through (minor) knee surgery and am still at the hospital, so if you have spare cycles feel free to do it.