From: linan666@huaweicloud.com
To: josef@toxicpanda.com, axboe@kernel.dk
Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, linan122@huawei.com, yukuai3@huawei.com, yi.zhang@huawei.com, houtao1@huawei.com, yangerkun@huawei.com
Subject: [PATCH 3/3] nbd: fix null-ptr-dereference while accessing 'nbd->config'
Date: Fri, 17 Nov 2023 00:23:16 +0800
Message-Id: <20231116162316.1740402-4-linan666@huaweicloud.com>
X-Mailer: git-send-email 2.39.2
In-Reply-To: <20231116162316.1740402-1-linan666@huaweicloud.com>
References: <20231116162316.1740402-1-linan666@huaweicloud.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Mailing-List: linux-kernel@vger.kernel.org

From: Li Nan

Memory reordering may occur in nbd_genl_connect(), causing config_refs to be
set to 1 while nbd->config is still empty. Opening nbd at this time will cause
a null-ptr-dereference.

  T1                                  T2
  nbd_open
   nbd_get_config_unlocked
                                      nbd_genl_connect
                                       nbd_alloc_and_init_config
                                        //memory reordered
                                        refcount_set(&nbd->config_refs, 1)  // 2
    nbd->config ->null point
                                        nbd->config = config  // 1

Fix it by adding an smp barrier to guarantee the execution sequence.

Signed-off-by: Li Nan
---
 drivers/block/nbd.c | 18 +++++++++++++++++-
 1 file changed, 17 insertions(+), 1 deletion(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 1b9ee96d3b8a..03f387f1abb5 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -398,8 +398,16 @@ static u32 req_to_nbd_cmd_type(struct request *req) static struct nbd_config *nbd_get_config_unlocked(struct nbd_device *nbd) { - if (refcount_inc_not_zero(&nbd->config_refs)) + if (refcount_inc_not_zero(&nbd->config_refs)) { + /* + * Add smp_mb__after_atomic to ensure that reading nbd->config_refs + * and reading nbd->config is ordered. The pair is the barrier in + * nbd_alloc_and_init_config(), avoid nbd->config_refs is set + * before nbd->config. + */ + smp_mb__after_atomic(); return nbd->config; + } return NULL; }
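Review bot: the new comment in nbd_get_config_unlocked() does not parse well ("avoid nbd->config_refs is set before nbd->config"); state the pairing in the usual form, e.g. "Pairs with the barrier before refcount_set() in nbd_alloc_and_init_config(). A successful refcount_inc_not_zero() gives only a control dependency, so order the nbd->config load after it." The barrier itself sits directly after the RMW op, which is where its contract wants it; if the writer side ends up with smp_wmb() rather than a full barrier, smp_rmb() here is the matching and cheaper choice.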
@@ -1559,7 +1567,15 @@ static int nbd_alloc_and_init_config(struct nbd_device *nbd) init_waitqueue_head(&config->conn_wait); config->blksize_bits = NBD_DEF_BLKSIZE_BITS; atomic_set(&config->live_connections, 0); + nbd->config = config; + /* + * Order refcount_set(&nbd->config_refs, 1) and nbd->config assignment, + * its pair is the barrier in nbd_get_config_unlocked(). + * So nbd_get_config_unlocked() won't see nbd->config as null after + * refcount_inc_not_zero() succeed. + */ + smp_mb__before_atomic(); refcount_set(&nbd->config_refs, 1); return 0; -- 2.39.2
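Review bot: smp_mb__before_atomic() is the wrong primitive in front of refcount_set(): the smp_mb__{before,after}_atomic() helpers are specified only for RMW atomic ops, and refcount_set() is a plain store (atomic_set()), so the ordering the comment promises is not covered by the documented API; on x86 the helper expands to nothing because RMW ops already serialize, leaving only the hardware's store ordering and no compiler barrier between `nbd->config = config;` and `refcount_set(&nbd->config_refs, 1);`. Use smp_wmb() between the two stores, pairing it with a read barrier on the lookup side, and name that pairing in the comment. Also, the hunk adds a store to nbd->config without removing one: if the assignment the commit message's diagram places in nbd_genl_connect() (`nbd->config = config // 1`) still runs after this call, it is now redundant and should be dropped in the same patch.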
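A userspace model of the race in the commit message, added here as an illustration and not part of the patch or the nbd driver: the config_refs/config pair, T2's publish and T1's lookup, with C11 release/acquire standing in for smp_mb__before_atomic()/smp_mb__after_atomic(); the struct layouts, the opener thread and race_publish_vs_open() are constructed for the demo.

```c
#include <pthread.h>
#include <stdatomic.h>
#include <stddef.h>

struct nbd_config { int blksize_bits; };
/* The two fields from the report: config_refs == 0 means nothing is published. */
struct nbd_device { atomic_uint config_refs; struct nbd_config *_Atomic config; };
static atomic_int bad_reads;              /* ref taken, yet config read as NULL */

/* T2: pointer first, then refcount. The release store stands in for the patch's
 * barrier before refcount_set(), so the pointer store is visible first. */
static int nbd_alloc_and_init_config(struct nbd_device *nbd, struct nbd_config *config)
{
    atomic_store_explicit(&nbd->config, config, memory_order_relaxed);
    atomic_store_explicit(&nbd->config_refs, 1, memory_order_release);
    return 0;
}

/* T1: refcount_inc_not_zero() as a CAS loop. Success alone is only a control
 * dependency, so the CAS takes acquire ordering (the patch's smp_mb__after_atomic()). */
static struct nbd_config *nbd_get_config_unlocked(struct nbd_device *nbd)
{
    unsigned int old = atomic_load_explicit(&nbd->config_refs, memory_order_relaxed);
    do {
        if (old == 0)
            return NULL;                  /* nothing published: legitimate NULL */
    } while (!atomic_compare_exchange_weak_explicit(&nbd->config_refs, &old, old + 1,
                                                    memory_order_acquire, memory_order_relaxed));
    struct nbd_config *config = atomic_load_explicit(&nbd->config, memory_order_relaxed);
    if (!config)
        atomic_fetch_add(&bad_reads, 1);  /* the null-ptr-deref window from the report */
    return config;
}

static void *opener(void *dev)            /* nbd_open() retrying until it holds a ref */
{
    while (!nbd_get_config_unlocked(dev)) {}
    return NULL;
}

/* Race both sides `trials` times; returns how often a successful reference still
 * saw a NULL config (0 when the ordering above holds). */
static int race_publish_vs_open(int trials)
{
    for (int i = 0; i < trials; i++) {
        struct nbd_device dev = { 0 };
        struct nbd_config cfg = { 10 };   /* constructed config; the value is irrelevant */
        pthread_t t1;
        pthread_create(&t1, NULL, opener, &dev);
        nbd_alloc_and_init_config(&dev, &cfg);
        pthread_join(t1, NULL);
    }
    return atomic_load(&bad_reads);
}
```

Replacing memory_order_release/acquire with memory_order_relaxed reproduces the unordered publish that the commit message describes; whether a NULL is then observed depends on the hardware and compiler, which is exactly why the kernel code needs the explicit barriers.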