Subject: Re: [PATCH -next] nbd: get config_lock before sock_shutdown
From: Yu Kuai
To: Jens Axboe, Zhong Jinghua, josef@toxicpanda.com
Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, yi.zhang@huawei.com, "yukuai (C)"
Date: Thu, 28 Sep 2023 14:04:36 +0800
In-Reply-To: <1b67a9dd-c28a-661a-3a46-dab509d4c34e@kernel.dk>
References: <20230707062256.1271948-1-zhongjinghua@huaweicloud.com> <1b67a9dd-c28a-661a-3a46-dab509d4c34e@kernel.dk>
List: linux-kernel@vger.kernel.org

Hi,

On 2023/08/01 8:27, Jens Axboe wrote:
> On 7/7/23 12:22 AM, Zhong Jinghua wrote:
>> Config->socks in sock_shutdown may trigger a UAF problem.
>> The reason is that sock_shutdown does not hold the config_lock,
>> so that nbd_ioctl can release config->socks at this time.
>>
>> T0: NBD_SET_SOCK
>> T1: NBD_DO_IT
>>
>> T0                                      T1
>>
>> nbd_ioctl
>>   mutex_lock(&nbd->config_lock)
>>   // get lock
>>   __nbd_ioctl
>>     nbd_start_device_ioctl
>>       nbd_start_device
>>       mutex_unlock(&nbd->config_lock)
>>       // release lock
>>       wait_event_interruptible
>>       (kill, enter sock_shutdown)
>>       sock_shutdown
>>                                         nbd_ioctl
>>                                           mutex_lock(&nbd->config_lock)
>>                                           // get lock
>>                                           __nbd_ioctl
>>                                             nbd_add_socket
>>                                               krealloc
>>                                                 kfree(p)
>>                                                 //config->socks is NULL
>>         nbd_sock *nsock = config->socks // error
>>
>> Fix it by moving config_lock up before sock_shutdown.
>>
>> Signed-off-by: Zhong Jinghua
>> ---
>>  drivers/block/nbd.c | 7 ++++++-
>>  1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
>> index c410cf29fb0c..accbe99ebb7e 100644
>> --- a/drivers/block/nbd.c
>> +++ b/drivers/block/nbd.c
>> @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd) >> mutex_unlock(&nbd->config_lock); >> ret = wait_event_interruptible(config->recv_wq, >> atomic_read(&config->recv_threads) == 0); >> + >> + /* >> + * recv_work in flush_workqueue will not get this lock, because nbd_open >> + * will hold nbd->config_refs >> + */ >> + mutex_lock(&nbd->config_lock); >> if (ret) { >> sock_shutdown(nbd); >> nbd_clear_que(nbd); >> } >> >> flush_workqueue(nbd->recv_workq); >> - mutex_lock(&nbd->config_lock);
>
> Feels pretty iffy to hold config_lock over the flush. If anything off
> recv_work() ever grabs it, we'd be stuck. Your comment assumes that the
> only case this will currently happen is if we drop the last ref, or at
> least that's the case that'd do it even if you don't mention it
> explicitly.
>
> Maybe this is all fine, but recv_work() should have a comment matching
> this one, and this comment should be more descriptive as well.

Jinghua,

Please add a comment as Jens suggested, and resend this patch.

Thanks,
Kuai
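Review bot: the comment above the new `mutex_lock(&nbd->config_lock)` states the conclusion (recv_work will not take this lock) without the reason, and the reason is exactly what decides the deadlock Jens raises about holding config_lock across `flush_workqueue(nbd->recv_workq)`. Spell out the invariant the hunk relies on: recv_work() only needs config_lock when it drops the last config reference, and that cannot be the last drop here because the caller of this ioctl still holds the reference taken in nbd_open() for as long as the device is open; for example `/* Safe to hold config_lock across flush_workqueue(): recv_work() only takes config_lock when it drops the last config_refs, and our caller's nbd_open() reference pins it while we are here. */`. Add a matching one-line comment at the point in recv_work() that drops its reference, so that anyone later adding a config_lock user to recv_work() sees the dependency. Since the hunk also now runs sock_shutdown() and nbd_clear_que() with config_lock held, where both used to run unlocked, the commit message should say that this is intended rather than only that the lock is "moved up".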
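The interleaving drawn in the commit message, as a userspace model added here for illustration (it is not kernel code, and none of the names below exist in nbd.c): two pthreads stand in for the NBD_DO_IT and NBD_SET_SOCK callers, `config_lock` is a pthread mutex, and the schedule is forced so that the "kill" wakes T0 exactly while T1's krealloc has freed the old socks array but has not yet stored the new pointer. Freed memory is poisoned and kept until the run ends, so the stale read is reported as -1 instead of being undefined behaviour. `run_race(0)` keeps the current ordering (lock retaken only after sock_shutdown) and returns -1; `run_race(1)` uses the patch's ordering (config_lock taken before sock_shutdown), which makes T0 block until T1's update is complete, and returns 2. The `t0_blocked_on_lock` flag is a test-only hook so that T1 can tell the two outcomes apart without a timeout; it is not part of the mechanism.

```c
/* Userspace model of the NBD_DO_IT vs. NBD_SET_SOCK race from the commit message.
 * Illustration only: no name here exists in nbd.c; the schedule is forced. */
#include <pthread.h>
#include <sched.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
struct model_sock { int id; };			/* stands in for struct nbd_sock */
/* Poison for a "freed" socks array; the memory is kept until the run ends,
 * so a stale read is detected instead of being undefined behaviour. */
#define POISON_PTR ((struct model_sock *)(uintptr_t)0xDEADBEEFu)

struct model_nbd {				/* the shared nbd/config state */
	pthread_mutex_t config_lock;		/* nbd->config_lock */
	struct model_sock **socks;		/* config->socks */
	int num_connections;			/* config->num_connections */
	struct model_sock sock[2];
	struct model_sock **freed;		/* old array, released after join */
	int patched;				/* 0: current order, 1: lock before walk */
	atomic_int killed;			/* ends wait_event_interruptible() */
	atomic_int t0_blocked_on_lock;		/* T0 entered mutex_lock (patched) */
	atomic_int t0_done;			/* T0 finished its walk */
	int walk_result;
};

/* Models sock_shutdown(): -1 on reading a poisoned slot (the UAF), else count. */
static int model_sock_shutdown(struct model_nbd *nbd)
{
	int i;
	for (i = 0; i < nbd->num_connections; i++)
		if (nbd->socks[i] == POISON_PTR)
			return -1;
	return i;
}

/* T0: NBD_DO_IT as in nbd_start_device_ioctl(): unlock around the wait, then walk socks unlocked (current) or locked (patch). */
static void *t0_do_it(void *arg)
{
	struct model_nbd *nbd = arg;
	pthread_mutex_lock(&nbd->config_lock);		/* nbd_start_device() */
	pthread_mutex_unlock(&nbd->config_lock);
	while (!atomic_load(&nbd->killed))		/* wait_event_interruptible() */
		sched_yield();
	if (nbd->patched) {
		atomic_store(&nbd->t0_blocked_on_lock, 1);
		pthread_mutex_lock(&nbd->config_lock);
	}
	nbd->walk_result = model_sock_shutdown(nbd);
	atomic_store(&nbd->t0_done, 1);
	if (nbd->patched)
		pthread_mutex_unlock(&nbd->config_lock);
	return NULL;
}

/* T1: NBD_SET_SOCK -> nbd_add_socket() -> krealloc(). The kill is delivered
 * after the old array is freed and before config->socks is updated. */
static void *t1_set_sock(void *arg)
{
	struct model_nbd *nbd = arg;
	struct model_sock **old, **grown;
	int i, n;
	pthread_mutex_lock(&nbd->config_lock);
	n = nbd->num_connections;
	old = nbd->socks;
	grown = calloc(n + 1, sizeof(*grown));
	memcpy(grown, old, n * sizeof(*grown));
	for (i = 0; i < n; i++)				/* kfree(old) */
		old[i] = POISON_PTR;
	nbd->freed = old;
	atomic_store(&nbd->killed, 1);			/* T0 wakes inside the window */
	while (!atomic_load(&nbd->t0_done) && !atomic_load(&nbd->t0_blocked_on_lock))
		sched_yield();
	grown[n] = &nbd->sock[1];
	nbd->socks = grown;				/* config->socks = socks */
	nbd->num_connections = n + 1;
	pthread_mutex_unlock(&nbd->config_lock);
	return NULL;
}

/* Returns what T0's walk saw: -1 (freed array, current code) or 2 (patched). */
int run_race(int patched)
{
	struct model_nbd nbd;
	pthread_t t0, t1;
	memset(&nbd, 0, sizeof(nbd));
	pthread_mutex_init(&nbd.config_lock, NULL);
	nbd.patched = patched;
	nbd.socks = calloc(1, sizeof(*nbd.socks));
	nbd.socks[0] = &nbd.sock[0];
	nbd.num_connections = 1;
	pthread_create(&t0, NULL, t0_do_it, &nbd);
	pthread_create(&t1, NULL, t1_set_sock, &nbd);
	pthread_join(t0, NULL);
	pthread_join(t1, NULL);
	free(nbd.freed);
	free(nbd.socks);
	pthread_mutex_destroy(&nbd.config_lock);
	return nbd.walk_result;
}
```

Build with `cc -pthread` and call `run_race(0)` and `run_race(1)`. The shape of the bug is the general one the hunk addresses: a lock is dropped around a sleep and the state it protects is then touched before it is retaken, so the fix is to reacquire before the first touch, which is where the hunk moves `mutex_lock()`. The model also makes Jens's concern concrete: whatever T0 now waits for while holding `config_lock` (in the real code, `flush_workqueue()`) must never need that lock itself, or the race becomes a deadlock.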