Received: by 2002:a05:6358:c692:b0:131:369:b2a3 with SMTP id fe18csp887330rwb; Fri, 28 Jul 2023 01:02:43 -0700 (PDT) X-Google-Smtp-Source: APBJJlE6NtgpqX5oupTl5qC2HcQqljNdAlASlwTLi3k52Mw0bZcQi1E6qgYtoeUcbQGVjiMDHzpe X-Received: by 2002:a17:903:22c1:b0:1b8:9552:ca with SMTP id y1-20020a17090322c100b001b8955200camr776784plg.45.1690531362728; Fri, 28 Jul 2023 01:02:42 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1690531362; cv=none; d=google.com; s=arc-20160816; b=xdkdttnQ1jNuyv0Ne+8t9pU4tJt+aN5pJn7KzxVSOUiLupK+H8hMgBsZd8mXFnUTr+ mVcEiwduj9K+JcTRVb51y/3uYrodPI4B86U+OxqEIZXW3QTWTdJFMuhDwJk3ZdDUsMsM ydz3pOkOETiKNJrowS61nWr1EwHWfrMwr5QhlhMw4hjLP4scfesfOkPZ11oaRrZ6KXzy NT7DwC8X+sSoTu4sPaXc7mduagoEW7Bzs4x6eiPy6aniT5Xc4JuLvsU4kXHe3j7KrxiV qJH+8zlSj3l0Ss2NMEHbDoh28EF5ciisCwYCDDwp5IEedPpzC6mAyCsGf6Laq5RBEsPM WNmQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=B6piJ2348tFlDvigpnbjXEl9oMAH5m7zTqFsKBx9anw=; fh=bYBnOkKqqzBUImryfHIkRBgkKhPc66wXaXcviy7wDUA=; b=Pvfuc8U/mmqfvw9hvg9Xp6aMV5ooExiBWJFipmneapX7wesBOvzMIBYH5c97yVZOSY dhd7whzNHBCGwXwDpLgNERLIoSnC0IIgTX9AoiIR9LKCcHgEedhtif3/rSoGBPtb8ASb TSg+AQ8kidQOvZXHqRkbWU0Z3xOqicNHdZETKi0UIUwIAISj1AAZKdUg0JwpQKot+NWS thSxoMj0yvjClujKI04FfXLz93FQK1Y0/rYcnZQBwK88s9EfYledFYGqzXENin1+9zLS LITvpP4EWOXM/9zyqbUkeFIyHrTUsKHGl2UFYXkhlvJFoGg5kjzqmHbHOBHiLLm6j6bW neqw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id l8-20020a170903244800b001b8b44273b0si2769893pls.403.2023.07.28.01.02.30; Fri, 28 Jul 2023 01:02:42 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S234026AbjG1HLa (ORCPT + 99 others); Fri, 28 Jul 2023 03:11:30 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:43632 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233950AbjG1HLJ (ORCPT ); Fri, 28 Jul 2023 03:11:09 -0400 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 240F744BB; Fri, 28 Jul 2023 00:10:44 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4RBzLQ4yTmz4f3kpl; Fri, 28 Jul 2023 15:10:38 +0800 (CST) Received: from [10.174.176.73] (unknown [10.174.176.73]) by APP4 (Coremail) with SMTP id gCh0CgAHoZTuacNknej3Ow--.21788S3; Fri, 28 Jul 2023 15:10:39 +0800 (CST) Subject: Re: [PATCH -next] nbd: get config_lock before sock_shutdown To: Zhong Jinghua , josef@toxicpanda.com, axboe@kernel.dk Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, yi.zhang@huawei.com, "yukuai (C)" References: <20230707062256.1271948-1-zhongjinghua@huaweicloud.com> From: Yu Kuai Message-ID: <779966af-844a-3dba-93f8-9daabde8c85b@huaweicloud.com> Date: Fri, 28 Jul 2023 15:10:38 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: <20230707062256.1271948-1-zhongjinghua@huaweicloud.com> Content-Type: text/plain; charset=gbk; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID: gCh0CgAHoZTuacNknej3Ow--.21788S3 X-Coremail-Antispam: 1UD129KBjvJXoW7CrWkCFWkuFWruw47uw45KFg_yoW8Cry3pF 4UCF4DCr4rWa1S9FZ5G34xWr1UG343Ka17Gry8Zw1qvr93CrWI93WDKF1fCFyUKwnrJr4S qFyrKF95C3y3JrDanT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUUyEb4IE77IF4wAFF20E14v26r4j6ryUM7CY07I20VC2zVCF04k2 6cxKx2IYs7xG6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4 vEj48ve4kI8wA2z4x0Y4vE2Ix0cI8IcVAFwI0_Ar0_tr1l84ACjcxK6xIIjxv20xvEc7Cj xVAFwI0_Gr1j6F4UJwA2z4x0Y4vEx4A2jsIE14v26rxl6s0DM28EF7xvwVC2z280aVCY1x 0267AKxVW0oVCq3wAS0I0E0xvYzxvE52x082IY62kv0487Mc02F40EFcxC0VAKzVAqx4xG 6I80ewAv7VC0I7IYx2IY67AKxVWUGVWUXwAv7VC2z280aVAFwI0_Jr0_Gr1lOx8S6xCaFV Cjc4AY6r1j6r4UM4x0Y48IcVAKI48JMxk0xIA0c2IEe2xFo4CEbIxvr21l42xK82IYc2Ij 64vIr41l4I8I3I0E4IkC6x0Yz7v_Jr0_Gr1lx2IqxVAqx4xG67AKxVWUJVWUGwC20s026x 8GjcxK67AKxVWUGVWUWwC2zVAF1VAY17CE14v26r1q6r43MIIYrxkI7VAKI48JMIIF0xvE 2Ix0cI8IcVAFwI0_Jr0_JF4lIxAIcVC0I7IYx2IY6xkF7I0E14v26r4j6F4UMIIF0xvE42 xK8VAvwI8IcIk0rVW3JVWrJr1lIxAIcVC2z280aVAFwI0_Jr0_Gr1lIxAIcVC2z280aVCY 1x0267AKxVW8JVW8JrUvcSsGvfC2KfnxnUUI43ZEXa7IUbPEf5UUUUU== X-CM-SenderInfo: 51xn3trlr6x35dzhxuhorxvhhfrp/ X-CFilter-Loop: Reflected X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,NICE_REPLY_A, SPF_HELO_NONE,SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org ?? 2023/07/07 14:22, Zhong Jinghua ะด??: > Config->socks in sock_shutdown may trigger a UAF problem. > The reason is that sock_shutdown does not hold the config_lock, > so that nbd_ioctl can release config->socks at this time. > > T0: NBD_SET_SOCK > T1: NBD_DO_IT > > T0 T1 > > nbd_ioctl > mutex_lock(&nbd->config_lock) > // get lock > __nbd_ioctl > nbd_start_device_ioctl > nbd_start_device > mutex_unlock(&nbd->config_lock) > // relase lock > wait_event_interruptible > (kill, enter sock_shutdown) > sock_shutdown > nbd_ioctl > mutex_lock(&nbd->config_lock) > // get lock > __nbd_ioctl > nbd_add_socket > krealloc > kfree(p) > //config->socks is NULL > nbd_sock *nsock = config->socks // error > > Fix it by moving config_lock up before sock_shutdown. LGTM Reviewed-by: Yu Kuai > > Signed-off-by: Zhong Jinghua > --- > drivers/block/nbd.c | 7 ++++++- > 1 file changed, 6 insertions(+), 1 deletion(-) > > diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c > index c410cf29fb0c..accbe99ebb7e 100644 > --- a/drivers/block/nbd.c > +++ b/drivers/block/nbd.c > @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd) > mutex_unlock(&nbd->config_lock); > ret = wait_event_interruptible(config->recv_wq, > atomic_read(&config->recv_threads) == 0); > + > + /* > + * recv_work in flush_workqueue will not get this lock, because nbd_open > + * will hold nbd->config_refs > + */ > + mutex_lock(&nbd->config_lock); > if (ret) { > sock_shutdown(nbd); > nbd_clear_que(nbd); > } > > flush_workqueue(nbd->recv_workq); > - mutex_lock(&nbd->config_lock); > nbd_bdev_reset(nbd); > /* user requested, ignore socket errors */ > if (test_bit(NBD_RT_DISCONNECT_REQUESTED, &config->runtime_flags)) >