Received: by 2002:a05:7412:2a8c:b0:e2:908c:2ebd with SMTP id u12csp3114239rdh; Thu, 28 Sep 2023 03:08:05 -0700 (PDT) X-Google-Smtp-Source: AGHT+IEnW8TkYKmJgVLU2E0TXnUQcbxJP/TttwpRHD1y9o4UsPC2L75S9P9edyCc+y5Z+eFIMrLE X-Received: by 2002:a05:6870:1707:b0:1d4:fe03:73e with SMTP id h7-20020a056870170700b001d4fe03073emr771141oae.52.1695895685158; Thu, 28 Sep 2023 03:08:05 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1695895685; cv=none; d=google.com; s=arc-20160816; b=Zurp+ivd3QKld2LJZh2myXMPMRW12sxepIsMU7kQl1iLqnxo6o+t81bRCRfwmLGM7h pxrAFxcp2q/1BJnOc0O1rC/7yCNc9cAei2UVmYd8sAk0ZpT2ZLNCXoqLO4UCfaFLajMA d+uQaatNaHEuIp5IgIUIwHLtOJ5W62lLKQjmJOojKE20PvTJPTwLO7maf1LxsQyxgxp0 gMiGxKQ4S2qFSpGy2ZKuAkmpqHgSyPHTr8SGu74hCIUoVr+RpQhRDL/yeXniJEUKkcVv 5C7xQDyIxATFa+fymsM3bYWMONHJCEVykxhP1A4c2zqjFDXWn6J19nn8h2jKgOwjiGHk tHyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to :mime-version:user-agent:date:message-id:from:references:cc:to :subject; bh=M1X/Qfvl2+lQ/RXLGgs9cyugChjrmSC7BugiTG/FWk4=; fh=8R5xKpSRGvLSsiY48C6TqBOvKpEAUkPJqzupisKg/c8=; b=FrMPul42DScavMf744TmWkM9W5D1k2qj0vLTzNTb48SPA3+8Mqj8P7nhLsq+fJfMm4 2E4/wiY0dkaESmPZEOH952/zYGi/H/3NarWH2yg8Jn3il4MHj+C3efugfwXIlTLNdcwH jLRklaJ2tO7a+IVltigPtqtfASoEEWNEE6Kh3fMLUrxaiOvccOMqO1DqPhDhqdsllLiy 9HQM1/c2Eap+lhK2whYyg3c+iRjt4TrRucKY9YHj4y8Xox8iKbDTFtA1H8ARMKy07mqh ubZiJSkWJVnWcIPQmU2MGO23GXgyMwR8cYMi47SfGcokYLrnbfwCbynKDz/gxaHRpnFG 4pRw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from howler.vger.email (howler.vger.email. [23.128.96.34]) by mx.google.com with ESMTPS id r20-20020a6560d4000000b00573fef8a892si16963986pgv.484.2023.09.28.03.08.04 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Thu, 28 Sep 2023 03:08:05 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) client-ip=23.128.96.34; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.34 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: from out1.vger.email (depot.vger.email [IPv6:2620:137:e000::3:0]) by howler.vger.email (Postfix) with ESMTP id 1A34080898F2; Thu, 28 Sep 2023 02:41:21 -0700 (PDT) X-Virus-Status: Clean X-Virus-Scanned: clamav-milter 0.103.10 at howler.vger.email Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231806AbjI1JlN (ORCPT + 99 others); Thu, 28 Sep 2023 05:41:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33158 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S231853AbjI1JlA (ORCPT ); Thu, 28 Sep 2023 05:41:00 -0400 Received: from dggsgout11.his.huawei.com (dggsgout11.his.huawei.com [45.249.212.51]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id CE61C1722; Thu, 28 Sep 2023 02:40:47 -0700 (PDT) Received: from mail02.huawei.com (unknown [172.30.67.143]) by dggsgout11.his.huawei.com (SkyGuard) with ESMTP id 4Rx7ky5G7Wz4f3nTP; Thu, 28 Sep 2023 17:40:42 +0800 (CST) Received: from [10.174.176.73] (unknown [10.174.176.73]) by APP4 (Coremail) with SMTP id gCh0CgB3BdUbShVlGaViBg--.11343S3; Thu, 28 Sep 2023 17:40:44 +0800 (CST) Subject: Re: [PATCH] nbd: pass nbd_sock to nbd_read_reply() instead of index To: Ming Lei , Yu Kuai Cc: linan666@huaweicloud.com, josef@toxicpanda.com, axboe@kernel.dk, linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com, "yukuai (C)" References: <20230911023308.3467802-1-linan666@huaweicloud.com> <47669fb6-3700-e327-11af-93a92b0984a0@huaweicloud.com> <41161d21-299c-3657-6020-0a3a9cf109ec@huaweicloud.com> <60f9a88b-b750-3579-bdfd-5421f2040406@huaweicloud.com> From: Yu Kuai Message-ID: Date: Thu, 28 Sep 2023 17:40:42 +0800 User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:60.0) Gecko/20100101 Thunderbird/60.8.0 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Transfer-Encoding: 8bit X-CM-TRANSID: gCh0CgB3BdUbShVlGaViBg--.11343S3 X-Coremail-Antispam: 1UD129KBjvJXoWxZr1UXr1UZF4DuFyrKrW7urg_yoWrJF43pF 4UJF1UCr4UJr1aywsYqw4xWr1Yqw17Kw13Ww1UG347Aryqvr13Ar47GFyF9F9rtr1UXr1j qr4UWFy3A348Jr7anT9S1TB71UUUUUUqnTZGkaVYY2UrUUUUjbIjqfuFe4nvWSU5nxnvy2 9KBjDU0xBIdaVrnRJUUU9I14x267AKxVW8JVW5JwAFc2x0x2IEx4CE42xK8VAvwI8IcIk0 rVWrJVCq3wAFIxvE14AKwVWUJVWUGwA2ocxC64kIII0Yj41l84x0c7CEw4AK67xGY2AK02 1l84ACjcxK6xIIjxv20xvE14v26F1j6w1UM28EF7xvwVC0I7IYx2IY6xkF7I0E14v26r4U JVWxJr1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_Gc CE3s1le2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IEw4CE5I8CrVC2j2WlYx0E 2Ix0cI8IcVAFwI0_Jr0_Jr4lYx0Ex4A2jsIE14v26r1j6r4UMcvjeVCFs4IE7xkEbVWUJV W8JwACjcxG0xvEwIxGrwACjI8F5VA0II8E6IAqYI8I648v4I1lFIxGxcIEc7CjxVA2Y2ka 0xkIwI1lc7I2V7IY0VAS07AlzVAYIcxG8wCF04k20xvY0x0EwIxGrwCFx2IqxVCFs4IE7x kEbVWUJVW8JwC20s026c02F40E14v26r1j6r18MI8I3I0E7480Y4vE14v26r106r1rMI8E 67AF67kF1VAFwI0_Jw0_GFylIxkGc2Ij64vIr41lIxAIcVC0I7IYx2IY67AKxVWUJVWUCw CI42IY6xIIjxv20xvEc7CjxVAFwI0_Gr0_Cr1lIxAIcVCF04k26cxKx2IYs7xG6rWUJVWr Zr1UMIIF0xvEx4A2jsIE14v26r4j6F4UMIIF0xvEx4A2jsIEc7CjxVAFwI0_Gr1j6F4UJb IYCTnIWIevJa73UjIFyTuYvjfUoOJ5UUUUU X-CM-SenderInfo: 51xn3trlr6x35dzhxuhorxvhhfrp/ X-CFilter-Loop: Reflected X-Spam-Status: No, score=-3.4 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_NONE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org X-Greylist: Sender passed SPF test, not delayed by milter-greylist-4.6.4 (howler.vger.email [0.0.0.0]); Thu, 28 Sep 2023 02:41:21 -0700 (PDT) Hi, 在 2023/09/28 17:24, Ming Lei 写道: > On Thu, Sep 28, 2023 at 05:06:40PM +0800, Yu Kuai wrote: >> Hi, >> >> 在 2023/09/28 16:57, Ming Lei 写道: >>> On Thu, Sep 28, 2023 at 04:55:03PM +0800, Yu Kuai wrote: >>>> Hi, >>>> >>>> 在 2023/09/28 15:40, Ming Lei 写道: >>>>> On Thu, Sep 28, 2023 at 02:03:28PM +0800, Yu Kuai wrote: >>>>>> Hi, >>>>>> >>>>>> 在 2023/09/28 12:05, Ming Lei 写道: >>>>>>> On Mon, Sep 11, 2023 at 10:33:08AM +0800, linan666@huaweicloud.com wrote: >>>>>>>> From: Li Nan >>>>>>>> >>>>>>>> If a socket is processing ioctl 'NBD_SET_SOCK', config->socks might be >>>>>>>> krealloc in nbd_add_socket(), and a garbage request is received now, a UAF >>>>>>>> may occurs. >>>>>>>> >>>>>>>> T1 >>>>>>>> nbd_ioctl >>>>>>>> __nbd_ioctl >>>>>>>> nbd_add_socket >>>>>>>> blk_mq_freeze_queue >>>>>>>> T2 >>>>>>>> recv_work >>>>>>>> nbd_read_reply >>>>>>>> sock_xmit >>>>>>>> krealloc config->socks >>>>>>>> def config->socks >>>>>>>> >>>>>>>> Pass nbd_sock to nbd_read_reply(). And introduce a new function >>>>>>>> sock_xmit_recv(), which differs from sock_xmit only in the way it get >>>>>>>> socket. >>>>>>>> >>>>>>> >>>>>>> I am wondering why not grab queue usage counter before calling nbd_read_reply() >>>>>>> for avoiding such issue, something like the following change: >>>>>>> >>>>>>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c >>>>>>> index df1cd0f718b8..09215b605b12 100644 >>>>>>> --- a/drivers/block/nbd.c >>>>>>> +++ b/drivers/block/nbd.c >>>>>>> @@ -837,9 +837,6 @@ static void recv_work(struct work_struct *work) >>>>>>> while (1) { >>>>>>> struct nbd_reply reply; >>>>>>> - if (nbd_read_reply(nbd, args->index, &reply)) >>>>>>> - break; >>>>>>> - >>>>>>> /* >>>>>>> * Grab .q_usage_counter so request pool won't go away, then no >>>>>>> * request use-after-free is possible during nbd_handle_reply(). >>>>>>> @@ -852,6 +849,9 @@ static void recv_work(struct work_struct *work) >>>>>>> break; >>>>>>> } >>>>>> >>>>>> This break how nbd works, if there is no reply yet, recv_work() will >>>>>> wait for reply in: >>>>>> >>>>>> nbd_read_reply >>>>>> sock_xmit >>>>>> sock_recvmsg >>>>>> >>>>>> After this change, recv_work() will just return if there is no io. >>>>> >>>>> OK, got it, thanks for the input. >>>>> >>>>> But I feel it isn't necessary & fragile to store one extra reference of nsock in >>>>> `recv_thread_args`. >>>>> >>>>> Just run a quick look, the only potential UAF on config->socks should be recv_work(), >>>>> so you can retrieve the `nsock` reference at the entry of recv_work(), >>>> >>>> I don't understand what you mean retrieve the 'nsock', is following what >>>> you expected? >>>> >>>> blk_queue_enter() -> prevent concurrent with nbd_add_socket >>>> nsock = config->socks[args->index] >>>> blk_queue_exit() >>> >>> Yeah, turns out you do understand, :-) >> >> Ok, I was not sure about this blk_queue_enter(). By the way, this > > blk_queue_enter() isn't exported, but you can grab ->config_lock > for getting the `nsock`. > >> remind me of what you did to fix uaf of access queue->mq_hctx[] by >> convert the array to xarray. >> >> >> Maybe it's better to covert config->socks[] to xarray to fix this uaf as >> well? > > ->socks[idx] is needed in nbd fast path, so xarray may not be one good idea > since xarray_load() introduces extra load, especially ->socks[] uaf > should exist in recv_work() very likely. For other cases, the active > block request holds queue usage counter. Thanks for the explanation, grab 'config_lock' to get 'nsock' in the begining sounds good to me. Kuai > > > Thanks, > Ming > > . >