From: Keith Busch <kbusch@kernel.org>
To: Yufen Yu <yuyufen@huawei.com>
Cc: "axboe@kernel.dk" <axboe@kernel.dk>,
"jack@suse.cz" <jack@suse.cz>,
"viro@zeniv.linux.org.uk" <viro@zeniv.linux.org.uk>,
"bart.vanassche@wdc.com" <bart.vanassche@wdc.com>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>
Subject: Re: [PATCH v3] block: fix use-after-free on gendisk
Date: Mon, 15 Apr 2019 09:04:41 -0600 [thread overview]
Message-ID: <20190415150440.GB7312@localhost.localdomain> (raw)
In-Reply-To: <20190402120634.51040-1-yuyufen@huawei.com>
On Tue, Apr 02, 2019 at 05:06:34AM -0700, Yufen Yu wrote:
> commit 2da78092dda "block: Fix dev_t minor allocation lifetime"
> specifically moved blk_free_devt(dev->devt) call to part_release()
> to avoid reallocating device number before the device is fully
> shutdown.
>
> However, it can cause use-after-free on gendisk in get_gendisk().
> We use md device as example to show the race scenes:
>
> Process1 Worker Process2
> md_free
> blkdev_open
> del_gendisk
> add delete_partition_work_fn() to wq
> __blkdev_get
> get_gendisk
> put_disk
> disk_release
> kfree(disk)
> find part from ext_devt_idr
> get_disk_and_module(disk)
> cause use after free
>
> delete_partition_work_fn
> put_device(part)
> part_release
> remove part from ext_devt_idr
>
> Before <devt, hd_struct pointer> is removed from ext_devt_idr by
> delete_partition_work_fn(), we can find the devt and then access
> gendisk by hd_struct pointer. But, if we access the gendisk after
> it have been freed, it can cause in use-after-freeon gendisk in
> get_gendisk().
>
> We fix this by adding a new helper blk_invalidate_devt() in
> delete_partition() and del_gendisk(). It replaces hd_struct
> pointer in idr with value 'NULL', and deletes the entry from
> idr in part_release() as we do now.
>
> Thanks to Jan Kara for providing the solution and more clear comments
> for the code.
>
> Fixes: 2da78092dda1 ("block: Fix dev_t minor allocation lifetime")
> Cc: Al Viro <viro@zeniv.linux.org.uk>
> Cc: Bart Van Assche <bart.vanassche@wdc.com>
> Cc: Keith Busch <keith.busch@intel.com>
> Suggested-by: Jan Kara <jack@suse.cz>
> Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Looks good to me.
Reviewed-by: Keith Busch <keith.busch@intel.com>
next prev parent reply other threads:[~2019-04-15 15:02 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-04-02 12:06 [PATCH v3] block: fix use-after-free on gendisk Yufen Yu
2019-04-02 15:16 ` Jan Kara
2019-04-09 14:07 ` yuyufen
2019-04-15 14:32 ` yuyufen
2019-04-15 15:04 ` Keith Busch [this message]
2019-04-15 15:56 ` Bart Van Assche
2019-04-15 16:01 ` Jan Kara
2019-04-15 19:30 ` Bart Van Assche
2019-04-15 21:36 ` Jens Axboe
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190415150440.GB7312@localhost.localdomain \
--to=kbusch@kernel.org \
--cc=axboe@kernel.dk \
--cc=bart.vanassche@wdc.com \
--cc=jack@suse.cz \
--cc=linux-block@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
--cc=yuyufen@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.