Date: Fri, 3 Nov 2023 09:12:51 +0100
From: Christoph Hellwig
To: Li Lingfeng
Cc: josef@toxicpanda.com, linux-kernel@vger.kernel.org, hch@lst.de,
    linux-block@vger.kernel.org, nbd@other.debian.org, axboe@kernel.dk,
    chaitanya.kulkarni@wdc.com, yukuai1@huaweicloud.com, houtao1@huawei.com,
    yi.zhang@huawei.com, yangerkun@huawei.com, lilingfeng3@huawei.com
Subject: Re: [PATCH] nbd: fix uaf in nbd_open
Message-ID: <20231103081251.GB16854@lst.de>
In-Reply-To: <20231103101334.1750094-1-lilingfeng@huaweicloud.com>

On Fri, Nov 03, 2023 at 06:13:34PM +0800, Li Lingfeng wrote:
> From: Li Lingfeng
>
> Commit 4af5f2e03013 ("nbd: use blk_mq_alloc_disk and
> blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set
> disk->private_data as NULL as before. UAF may be triggered in nbd_open()
> if someone tries to open nbd device right after nbd_put() since refcount
> of nbd device is zero and private_data is not NULL.

I don't think this is the right fix. nbd needs to move to ->free_disk
to free its private data.
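
The lifetime problem discussed in this thread, as a userspace C model added here for illustration (not code from the patch, the reply, or the kernel). All type and function names are hypothetical, and a `freed` flag stands in for the real free so the stale access can be observed without undefined behaviour.

```c
/* Userspace model, constructed for illustration; not kernel or nbd code. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
struct dev  { int refs; bool freed; };   /* freed == true stands in for kfree() */
struct disk {
    int refs;                            /* references held on the disk itself */
    struct dev *private_data;
    void (*free_disk)(struct disk *);    /* runs when the last disk ref is dropped */
};
enum open_result { OPEN_OK, OPEN_REFUSED, OPEN_STALE };
/* Variant A: private data is released when the device refcount hits zero,
 * while disk->private_data keeps pointing at it. */
static void dev_put_early(struct disk *dk) {
    if (--dk->private_data->refs == 0)
        dk->private_data->freed = true;
}
/* Variant B: the put only drops the count; release waits for free_disk. */
static void dev_put_deferred(struct disk *dk) { --dk->private_data->refs; }
static void release_in_free_disk(struct disk *dk) {
    dk->private_data->freed = true;
    dk->private_data = NULL;
}
static void disk_put(struct disk *dk) {
    if (--dk->refs == 0 && dk->free_disk)
        dk->free_disk(dk);
}
/* Open path: the caller already holds a reference on the disk. */
static enum open_result dev_open(struct disk *dk) {
    struct dev *d = dk->private_data;
    if (!d) return OPEN_REFUSED;
    if (d->freed) return OPEN_STALE;       /* a real kernel would touch freed memory here */
    if (d->refs == 0) return OPEN_REFUSED; /* models a failed increment-if-not-zero */
    d->refs++;
    return OPEN_OK;
}
/* Last device ref is dropped, then an opener that still holds the disk arrives. */
static enum open_result open_after_put(bool deferred) {
    struct dev d = { .refs = 1, .freed = false };
    struct disk dk = { .refs = 2, .private_data = &d,
                       .free_disk = deferred ? release_in_free_disk : NULL };
    if (deferred) dev_put_deferred(&dk); else dev_put_early(&dk);
    disk_put(&dk);                         /* owner's ref goes; opener's ref remains */
    return dev_open(&dk);
}
int main(void) {
    printf("early=%d deferred=%d\n", open_after_put(false), open_after_put(true));
    return 0;
}
```

In the model, tying the release to the disk's own last reference means an opener that still holds the disk can only ever see a live object with a zero count, which it refuses cleanly.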