From: Vincent Whitchurch
Date: Tue, 23 May 2023 15:12:16 +0200
Subject: [PATCH 1/2] ubi: block: Fix use-after-free of gendisk
Message-ID: <20230523-ubiblock-remove-v1-1-240bed75849b@axis.com>
To: Richard Weinberger, Miquel Raynal, Vignesh Raghavendra
CC: Vincent Whitchurch

Do not touch the gendisk after put_disk() to fix this use-after-free:

 ==================================================
 BUG: KASAN: slab-use-after-free in ubiblock_remove
 Read of size 4 by task ubiblock/361

 Call Trace:
  ubiblock_remove (drivers/mtd/ubi/block.c:459 drivers/mtd/ubi/block.c:483)
  vol_cdev_ioctl
  ...

 Allocated by task 358:
  __alloc_disk_node (block/genhd.c:1377)
  __blk_mq_alloc_disk (block/blk-mq.c:4093)
  ubiblock_create (drivers/mtd/ubi/block.c:397)
  vol_cdev_ioctl
  ...

 Freed by task 0:
  bdev_free_inode (block/bdev.c:337)
  i_callback
  rcu_core
  __do_softirq
  ...

Signed-off-by: Vincent Whitchurch

--- drivers/mtd/ubi/block.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 3711d7f74600..70caec4606cd 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c 
@@ -448,13 +448,15 @@ int ubiblock_create(struct ubi_volume_info *vi) static void ubiblock_cleanup(struct ubiblock *dev) { + int first_minor = dev->gd->first_minor; + /* Stop new requests to arrive */ del_gendisk(dev->gd); /* Finally destroy the blk queue */ dev_info(disk_to_dev(dev->gd), "released"); put_disk(dev->gd); blk_mq_free_tag_set(&dev->tag_set); - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor); + idr_remove(&ubiblock_minor_idr, first_minor); } int ubiblock_remove(struct ubi_volume_info *vi) -- 2.34.1
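
Review bot: the new local at the top of ubiblock_cleanup(), `int first_minor = dev->gd->first_minor;`, has no comment saying why the value is read before del_gendisk()/put_disk(). A one-line comment stating that dev->gd must not be dereferenced once put_disk(dev->gd) has dropped the reference would keep a later cleanup from folding the local back into the idr_remove() call and reintroducing the read that KASAN reported. Separately, the commit message carries only a Signed-off-by; since it describes a use-after-free, a Fixes: tag naming the commit that introduced the post-put_disk() access would let the fix be matched to the trees that need it.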