* [PATCH] block: fix syzbot report UAF in bdev_free_inode()
@ 2021-10-09  6:59 Zqiang
  2021-10-09  9:34 ` Tetsuo Handa
  0 siblings, 1 reply; 3+ messages in thread
From: Zqiang @ 2021-10-09  6:59 UTC (permalink / raw)
  To: axboe; +Cc: penguin-kernel, linux-block, linux-kernel, Zqiang

BUG: KASAN: use-after-free in bdev_free_inode+0x202/0x220
Read of size 8 at addr ffff88806e022148 by task systemd-udevd/8843
Call Trace:
 <IRQ>
 __dump_stack [inline]
 dump_stack_lvl+0xcd/0x134
 print_address_description.constprop.0.cold+0x6c/0x2d6
 __kasan_report [inline]
 kasan_report.cold+0x83/0xdf
 bdev_free_inode+0x202/0x220
 i_callback+0x3f/0x70
 rcu_do_batch [inline]
 rcu_core+0x7ab/0x1470
 __do_softirq+0x29b/0x9c2
 invoke_softirq [inline]
 __irq_exit_rcu+0x123/0x180
 irq_exit_rcu+0x5/0x20

Allocated by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track [inline]
 set_alloc_info [inline]
 ____kasan_kmalloc [inline]
 ____kasan_kmalloc [inline]
 __kasan_kmalloc+0xa1/0xd0
 kasan_kmalloc [inline]
 kmem_cache_alloc_node_trace+0x20b/0x5d0
 kmalloc_node [inline]
 kzalloc_node [inline]
 __alloc_disk_node+0x77/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

Freed by task 15227:
 kasan_save_stack+0x1b/0x40
 kasan_set_track+0x1c/0x30
 kasan_set_free_info+0x20/0x30
 ____kasan_slab_free [inline]
 ____kasan_slab_free [inline]
 __kasan_slab_free+0xd1/0x110
 kasan_slab_free [inline]
 __cache_free [inline]
 kfree+0x10a/0x2c0
 __alloc_disk_node+0x474/0x580
 __blk_mq_alloc_disk+0xed/0x160
 loop_add+0x340/0x960
 loop_control_get_free [inline]
 loop_control_ioctl+0x227/0x4a0

The xa_insert() may return an error in __alloc_disk_node(), and the disk
object will be released; however, there are two operations that will release
it, kfree(disk) and iput(disk->part0->bd_inode). The iput operation
will call call_rcu(), and because the rcu callback is executed as an asynchronous
action, when the disk object is freed in the rcu callback, the disk object has
already been released. Solve it through a unified release action.

Reported-by: syzbot+8281086e8a6fbfbd952a@syzkaller.appspotmail.com
Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
---
 block/genhd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/block/genhd.c b/block/genhd.c
index 5e8aa0ab66c2..924b75d9dfa6 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -1269,11 +1269,13 @@ struct gendisk *__alloc_disk_node(struct request_queue *q, int node_id,
 
 out_destroy_part_tbl:
 	xa_destroy(&disk->part_tbl);
-	iput(disk->part0->bd_inode);
 out_free_bdi:
 	bdi_put(disk->bdi);
 out_free_disk:
-	kfree(disk);
+	if (disk->part0)
+		iput(disk->part0->bd_inode);
+	else
+		kfree(disk);
 out_put_queue:
 	blk_put_queue(q);
 	return NULL;
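Review bot: the iput() branch now placed at out_free_disk runs only after bdi_put(disk->bdi) at out_free_bdi has already dropped the bdi reference, yet the inode release it defers still reaches bdev_free_inode() with disk->bdi intact, and the KASAN report in the commit message shows that callback dereferencing the disk; if bdev_free_inode() also puts disk->bdi, the reference is dropped twice on the xa_insert() failure path, so either clear disk->bdi before the iput() or state in the commit message why the callback cannot touch it. Two smaller points: the `if (disk->part0)` test relies on the disk coming from kzalloc_node (visible in the allocation trace) and deserves a comment, and the out_free_disk label no longer describes what happens there once part0 exists; a comment such as `/* part0 owns disk from here on; bdev_free_inode() frees it */` would help the next reader.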
-- 
2.17.1
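The release ordering the commit message describes, as an added model written for this page; it is not kernel code and not either patch in the thread, and the *_model names, the static storage and the counters are constructed for illustration only:

```c
#include <stdbool.h>
#include <stdio.h>

/*
 * Constructed model, not kernel code and not either patch in this thread:
 * a gendisk owns part0, part0's inode release is deferred through an
 * RCU-style callback, and that callback also frees the gendisk. Objects
 * live in static storage, so a double free shows up as a counter.
 */
struct gendisk_model;
struct bdev_model {
	struct gendisk_model *bd_disk;	/* back-pointer the callback follows */
};

struct gendisk_model {
	struct bdev_model *part0;
	int *bdi;			/* field the callback reads, like disk->bdi */
	int free_count;			/* instrumentation: times "kfree" ran */
};

static struct bdev_model part0_storage;
static struct gendisk_model disk_storage;
static int dummy_bdi;
static int uaf_reads;			/* instrumentation: reads of a freed disk */

/* Simulated kfree(): records the free instead of releasing memory. */
static void kfree_model(struct gendisk_model *disk) { disk->free_count++; }

/* One-slot deferred queue standing in for call_rcu(). */
typedef void (*rcu_cb_t)(void *arg);
struct rcu_work { rcu_cb_t fn; void *arg; bool pending; };
static struct rcu_work rcu_slot;

static void call_rcu_model(rcu_cb_t fn, void *arg)
{
	rcu_slot = (struct rcu_work){ fn, arg, true };
}

/* Runs the pending callback, like the RCU softirq in the KASAN trace. */
static void rcu_run_model(void)
{
	if (!rcu_slot.pending)
		return;
	rcu_slot.pending = false;
	rcu_slot.fn(rcu_slot.arg);
}

/* Models bdev_free_inode(): dereferences bd_disk, then frees it. */
static void bdev_free_inode_model(void *arg)
{
	struct gendisk_model *disk = ((struct bdev_model *)arg)->bd_disk;

	if (disk->free_count > 0)
		uaf_reads++;		/* the read KASAN flagged */
	(void)disk->bdi;
	kfree_model(disk);
}

/* Models iput(): the final put defers inode release to the callback. */
static void iput_model(struct bdev_model *bdev) { call_rcu_model(bdev_free_inode_model, bdev); }

static void reset_model(void)
{
	part0_storage.bd_disk = &disk_storage;
	disk_storage.part0 = &part0_storage;
	disk_storage.bdi = &dummy_bdi;
	disk_storage.free_count = 0;
	uaf_reads = 0;
	rcu_slot.pending = false;
}

/* Error path with two owners; returns how many times the disk was freed. */
int error_path_two_owners(void)
{
	reset_model();
	iput_model(disk_storage.part0);	/* deferred: frees the disk later */
	kfree_model(&disk_storage);	/* synchronous free of the same object */
	rcu_run_model();		/* callback now touches freed memory */
	return disk_storage.free_count;
}

/* Error path with one owner: only the deferred callback frees the disk. */
int error_path_single_owner(void)
{
	reset_model();
	iput_model(disk_storage.part0);
	rcu_run_model();
	return disk_storage.free_count;
}

/* Stale reads seen by the most recent run. */
int uaf_reads_observed(void) { return uaf_reads; }

int main(void)
{
	int freed = error_path_two_owners();
	printf("two owners: freed %d times, %d stale reads\n", freed, uaf_reads_observed());
	freed = error_path_single_owner();
	printf("single owner: freed %d times, %d stale reads\n", freed, uaf_reads_observed());
	return 0;
}
```

With two owners the deferred callback runs against an object the synchronous path already freed, which is the 8-byte read KASAN reported, and the disk is freed twice; with one owner the count stays at one. The rule the model illustrates is that once an object's release has been handed to a deferred callback, no other path may free it.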



* Re: [PATCH] block: fix syzbot report UAF in bdev_free_inode()
  2021-10-09  6:59 [PATCH] block: fix syzbot report UAF in bdev_free_inode() Zqiang
@ 2021-10-09  9:34 ` Tetsuo Handa
  2021-10-09  9:42   ` zhangqiang
  0 siblings, 1 reply; 3+ messages in thread
From: Tetsuo Handa @ 2021-10-09  9:34 UTC (permalink / raw)
  To: Zqiang; +Cc: linux-block, linux-kernel, axboe

On 2021/10/09 15:59, Zqiang wrote:
> The xa_insert() may return an error in __alloc_disk_node(), and the disk
> object will be released; however, there are two operations that will release
> it, kfree(disk) and iput(disk->part0->bd_inode). The iput operation
> will call call_rcu(), and because the rcu callback is executed as an asynchronous
> action, when the disk object is freed in the rcu callback, the disk object has
> already been released. Solve it through a unified release action.
> 
> Reported-by: syzbot+8281086e8a6fbfbd952a@syzkaller.appspotmail.com
> Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>

Thanks. But my patch is ready for 5.15.

https://lore.kernel.org/all/e6dd13c5-8db0-4392-6e78-a42ee5d2a1c4@i-love.sakura.ne.jp/T/#u


* Re: [PATCH] block: fix syzbot report UAF in bdev_free_inode()
  2021-10-09  9:34 ` Tetsuo Handa
@ 2021-10-09  9:42   ` zhangqiang
  0 siblings, 0 replies; 3+ messages in thread
From: zhangqiang @ 2021-10-09  9:42 UTC (permalink / raw)
  To: Tetsuo Handa, Zqiang; +Cc: linux-block, linux-kernel, axboe


On 2021/10/9 5:34 PM, Tetsuo Handa wrote:
> On 2021/10/09 15:59, Zqiang wrote:
>> The xa_insert() may return an error in __alloc_disk_node(), and the disk
>> object will be released; however, there are two operations that will release
>> it, kfree(disk) and iput(disk->part0->bd_inode). The iput operation
>> will call call_rcu(), and because the rcu callback is executed as an asynchronous
>> action, when the disk object is freed in the rcu callback, the disk object has
>> already been released. Solve it through a unified release action.
>>
>> Reported-by: syzbot+8281086e8a6fbfbd952a@syzkaller.appspotmail.com
>> Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>
> Thanks. But my patch is ready for 5.15.
>
> https://lore.kernel.org/all/e6dd13c5-8db0-4392-6e78-a42ee5d2a1c4@i-love.sakura.ne.jp/T/#u


Thanks, there is a problem with my patch; your patch is more suitable.


