[PATCH] block: fix use-after-free in disk_part_iter_next

[PATCH] block: fix use-after-free in disk_part_iter_next

[Ming Lei]

Make sure that bdgrab() is done on the 'block_device' instance before
referring to it for avoiding use-after-free.

Cc: <stable@vger.kernel.org>
Reported-by: syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com
Signed-off-by: Ming Lei <ming.lei@redhat.com>
---
 block/genhd.c | 11 +++++++----
 1 file changed, 7 insertions(+), 4 deletions(-)

diff --git a/block/genhd.c b/block/genhd.c
index b84b8671e627..2df3c5b1c9c8 100644
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -244,15 +244,18 @@ struct block_device *disk_part_iter_next(struct disk_part_iter *piter)
 		part = rcu_dereference(ptbl->part[piter->idx]);
 		if (!part)
 			continue;
+		piter->part = bdgrab(part);
+		if (!piter->part)
+			continue;
 		if (!bdev_nr_sectors(part) &&
 		    !(piter->flags & DISK_PITER_INCL_EMPTY) &&
 		    !(piter->flags & DISK_PITER_INCL_EMPTY_PART0 &&
-		      piter->idx == 0))
+		      piter->idx == 0)) {
+			bdput(piter->part);
+			piter->part = NULL;
 			continue;
+		}
 
-		piter->part = bdgrab(part);
-		if (!piter->part)
-			continue;
 		piter->idx += inc;
 		break;
 	}
-- 
2.28.0

Re: [PATCH] block: fix use-after-free in disk_part_iter_next

[Christoph Hellwig]

On Mon, Dec 21, 2020 at 12:33:35PM +0800, Ming Lei wrote:
> Make sure that bdgrab() is done on the 'block_device' instance before
> referring to it for avoiding use-after-free.
> 
> Cc: <stable@vger.kernel.org>
> Reported-by: syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com
> Signed-off-by: Ming Lei <ming.lei@redhat.com>

Looks good,

Reviewed-by: Christoph Hellwig <hch@lst.de>

Re: [PATCH] block: fix use-after-free in disk_part_iter_next

[Jens Axboe]

On 12/20/20 9:33 PM, Ming Lei wrote:
> Make sure that bdgrab() is done on the 'block_device' instance before
> referring to it for avoiding use-after-free.

Applied, thanks.

-- 
Jens Axboe