Subject: Re: [PATCH] nbd: pass nbd_sock to nbd_read_reply() instead of index
From: Yu Kuai
To: Ming Lei, linan666@huaweicloud.com
Cc: josef@toxicpanda.com, axboe@kernel.dk, linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com, "yukuai (C)"
Date: Thu, 28 Sep 2023 14:03:28 +0800
Message-ID: <47669fb6-3700-e327-11af-93a92b0984a0@huaweicloud.com>
References: <20230911023308.3467802-1-linan666@huaweicloud.com>
List-ID: linux-kernel@vger.kernel.org
Hi,

On 2023/09/28 12:05, Ming Lei wrote:
> On Mon, Sep 11, 2023 at 10:33:08AM +0800, linan666@huaweicloud.com wrote:
>> From: Li Nan
>>
>> If a socket is processing ioctl 'NBD_SET_SOCK', config->socks might be
>> krealloc'd in nbd_add_socket(), and a garbage request is received now, a UAF
>> may occur.
>>
>>   T1
>>   nbd_ioctl
>>    __nbd_ioctl
>>     nbd_add_socket
>>      blk_mq_freeze_queue
>>                                   T2
>>                                   recv_work
>>                                    nbd_read_reply
>>                                     sock_xmit
>>      krealloc config->socks
>>                                      def config->socks
>>
>> Pass nbd_sock to nbd_read_reply(). And introduce a new function
>> sock_xmit_recv(), which differs from sock_xmit only in the way it gets the
>> socket.
>>
>
> I am wondering why not grab the queue usage counter before calling nbd_read_reply()
> to avoid such an issue, something like the following change:
>
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index df1cd0f718b8..09215b605b12 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -837,9 +837,6 @@ static void recv_work(struct work_struct *work)
>  	while (1) {
>  		struct nbd_reply reply;
>  
> -		if (nbd_read_reply(nbd, args->index, &reply))
> -			break;
> -
>  		/*
>  		 * Grab .q_usage_counter so request pool won't go away, then no
>  		 * request use-after-free is possible during nbd_handle_reply().
> @@ -852,6 +849,9 @@ static void recv_work(struct work_struct *work)
>  			break;
>  		}
>  

This breaks how nbd works: if there is no reply yet, recv_work() will wait
for a reply in:

nbd_read_reply
 sock_xmit
  sock_recvmsg

After this change, recv_work() will just return if there is no I/O.

Thanks,
Kuai

> +		if (nbd_read_reply(nbd, args->index, &reply))
> +			break;
> +
>  		cmd = nbd_handle_reply(nbd, args->index, &reply);
>  		if (IS_ERR(cmd)) {
>  			percpu_ref_put(&q->q_usage_counter);
>
> Thanks,
> Ming
>
> .
>
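Review bot: in the first hunk (removal of the nbd_read_reply() call ahead of the q_usage_counter grab), the comment that now introduces the grab still only says the counter keeps the request pool alive "during nbd_handle_reply()", yet after the move it is also what is meant to stop nbd_add_socket() from krealloc'ing config->socks under nbd_read_reply(), since T1 in the quoted trace calls blk_mq_freeze_queue() first. If this direction is kept, extend that comment to state the second purpose, e.g. "... and config->socks cannot be krealloc'd by nbd_add_socket() while we hold it", otherwise the next reader will not see why the read was moved below the grab.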
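Review bot: in the second hunk, the new `if (nbd_read_reply(nbd, args->index, &reply)) break;` sits after the `}` that closes the successful q_usage_counter grab, so a receive failure leaves the loop with the reference still taken; the `percpu_ref_put(&q->q_usage_counter);` visible on the IS_ERR(cmd) path shows the drop that this new exit also needs before its `break`. Beyond the leak, nbd_read_reply() blocks in sock_recvmsg() until a reply arrives (as the reply above notes), and blk_mq_freeze_queue() in nbd_add_socket() (T1 in the quoted trace) waits for that counter to drain, so on an idle connection NBD_SET_SOCK would wait on a receiver that is itself waiting for a reply that never comes; the blocking read therefore has to stay outside the counter, which is what the original patch's nbd_sock-instead-of-index change allows.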
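The T1/T2 interleaving from the quoted commit message, as an added user-space model that is not kernel code and not part of Li Nan's patch: an index-based reader re-derives the socket from config->socks on every call (the shape sock_xmit() had), while the patched shape resolves the nbd_sock once and passes it down. The names model_krealloc, add_socket, read_reply_by_index, read_reply_by_sock, run_race and the struct fields are assumptions of this model; the quarantine stands in for the kernel allocator so that touching the moved array is detected deterministically instead of being undefined behaviour.

```c
#include <stdlib.h>
#include <string.h>

/* Toy model of the two threads in the quoted trace; names are assumptions. */
struct nbd_sock {
	int fd;
	int replies_seen;
};

struct nbd_config {
	struct nbd_sock **socks;	/* pointer array that nbd_add_socket() kreallocs */
	int num_socks;
};

/*
 * Stand-in for krealloc(): always moves the block and parks the old one in a
 * quarantine instead of freeing it, so a reader that kept the old base can be
 * detected deterministically (in the kernel this is the use-after-free).
 */
#define QUARANTINE_MAX 64
static void *quarantine[QUARANTINE_MAX];
static int quarantine_len;

static void *model_krealloc(void *old, size_t old_size, size_t new_size)
{
	void *p = malloc(new_size);

	if (!p)
		return NULL;
	if (old) {
		memcpy(p, old, old_size);
		if (quarantine_len < QUARANTINE_MAX)
			quarantine[quarantine_len++] = old;	/* kept, never reused */
		else
			free(old);
	}
	return p;
}

static int is_stale(const void *p)
{
	for (int i = 0; i < quarantine_len; i++)
		if (quarantine[i] == p)
			return 1;
	return 0;
}

/* T1: the NBD_SET_SOCK path; returns the new index or -1. */
static int add_socket(struct nbd_config *cfg, int fd)
{
	size_t old_size = (size_t)cfg->num_socks * sizeof(*cfg->socks);
	struct nbd_sock *nsock = calloc(1, sizeof(*nsock));
	struct nbd_sock **socks;

	if (!nsock)
		return -1;
	socks = model_krealloc(cfg->socks, old_size, old_size + sizeof(*socks));
	if (!socks) {
		free(nsock);
		return -1;
	}
	nsock->fd = fd;
	cfg->socks = socks;			/* old array is now stale */
	socks[cfg->num_socks] = nsock;
	return cfg->num_socks++;
}

/* What T1 does inside the race window: one more NBD_SET_SOCK. */
static void t1_add_socket(struct nbd_config *cfg)
{
	add_socket(cfg, 100 + cfg->num_socks);
}

/*
 * T2 before the patch: the socket is re-derived from the index on each call.
 * 'interleave' runs between loading config->socks and indexing it, which is
 * where krealloc lands in the trace.
 */
static int read_reply_by_index(struct nbd_config *cfg, int index,
			       void (*interleave)(struct nbd_config *))
{
	struct nbd_sock **base = cfg->socks;

	if (interleave)
		interleave(cfg);
	if (is_stale(base))
		return -1;			/* the UAF the commit message describes */
	base[index]->replies_seen++;
	return 0;
}

/*
 * T2 after the patch: krealloc moves the array of pointers, not the nbd_sock
 * objects, so a pointer resolved once survives the same interleaving.
 */
static int read_reply_by_sock(struct nbd_sock *nsock, struct nbd_config *cfg,
			      void (*interleave)(struct nbd_config *))
{
	if (interleave)
		interleave(cfg);
	nsock->replies_seen++;
	return 0;
}

/* One receive under the racing add; use_nsock selects the patched shape.
 * Returns 0 on success, -1 when the reader touched the moved array. */
int run_race(int use_nsock)
{
	struct nbd_config cfg = { 0 };
	int idx = add_socket(&cfg, 3);
	struct nbd_sock *nsock;

	if (idx < 0)
		return -1;
	nsock = cfg.socks[idx];
	return use_nsock ? read_reply_by_sock(nsock, &cfg, t1_add_socket)
			 : read_reply_by_index(&cfg, idx, t1_add_socket);
}
```

run_race(0) reports the stale access and run_race(1) completes, which is the property the patch relies on: nbd_add_socket() only reallocates the array of `struct nbd_sock *`, so handing recv_work() the nbd_sock itself removes the window without holding q_usage_counter across the blocking receive.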