Subject: Re: [PATCH] nbd: fix uaf in nbd_open
From: Yu Kuai
To: Li Lingfeng, josef@toxicpanda.com
Cc: linux-kernel@vger.kernel.org, hch@lst.de, linux-block@vger.kernel.org, nbd@other.debian.org, axboe@kernel.dk, chaitanya.kulkarni@wdc.com, yukuai1@huaweicloud.com, houtao1@huawei.com, yi.zhang@huawei.com, yangerkun@huawei.com, lilingfeng3@huawei.com, "yukuai (C)"
Date: Fri, 3 Nov 2023 11:30:28 +0800
Message-ID: <07045515-6668-19bc-def8-45fb0e9fe2ed@huaweicloud.com>
In-Reply-To: <20231103101334.1750094-1-lilingfeng@huaweicloud.com>
References: <20231103101334.1750094-1-lilingfeng@huaweicloud.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Hi,

On 2023/11/03 18:13, Li Lingfeng wrote:
> From: Li Lingfeng
>
> Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and
> blk_cleanup_disk") cleans up the disk with blk_cleanup_disk(), and it no
> longer sets disk->private_data to NULL as before. A UAF may be triggered
> in nbd_open() if someone tries to open the nbd device right after
> nbd_put(), since the refcount of the nbd device is zero and private_data
> is not NULL.
>

Do you mean that nbd_open is concurrent with nbd_dev_remove?

nbd_open                        nbd_dev_remove
                                 del_gendisk
                                 kfree(nbd)
 mutex_lock
 nbd = disk->private_data -> UAF
 refcount_inc_not_zero

Looks like it's possible, but you should use READ/WRITE_ONCE() here,
because disk->private_data can be accessed concurrently.

Thanks,
Kuai

> Fixes: 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and blk_cleanup_disk")
> Signed-off-by: Li Lingfeng
> ---
>  drivers/block/nbd.c | 1 +
>  1 file changed, 1 insertion(+)
>
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index 800f131222fc..aab93b836e84 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -250,6 +250,7 @@ static void nbd_dev_remove(struct nbd_device *nbd)
> struct gendisk *disk = nbd->disk;
>
> del_gendisk(disk);
> + disk->private_data = NULL;
> put_disk(disk);
> blk_mq_free_tag_set(&nbd->tag_set);
>
>
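Review bot: the new `disk->private_data = NULL;` is a plain store that races with the plain load `nbd = disk->private_data` in nbd_open() shown in the diagram above, so, as Kuai says, it should be `WRITE_ONCE(disk->private_data, NULL);` paired with a READ_ONCE() on the open side. The commit message should also state what serializes an nbd_open() that loaded the old pointer just before this store against the kfree(nbd) later in nbd_dev_remove() (the diagram shows the opener holding a mutex, but the hunk does not show the remover taking it), because without that the store only narrows the window instead of closing it; a one-line comment above the new store saying it exists for nbd_open() would make the intent clear to the next reader of nbd_dev_remove().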