From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com,
Ming Lei <ming.lei@redhat.com>, Christoph Hellwig <hch@lst.de>,
Jens Axboe <axboe@kernel.dk>
Subject: [PATCH 4.9 24/25] block: fix use-after-free in disk_part_iter_next
Date: Fri, 15 Jan 2021 13:27:55 +0100 [thread overview]
Message-ID: <20210115121957.880423720@linuxfoundation.org> (raw)
In-Reply-To: <20210115121956.679956165@linuxfoundation.org>
From: Ming Lei <ming.lei@redhat.com>
commit aebf5db917055b38f4945ed6d621d9f07a44ff30 upstream.
Make sure that bdgrab() is done on the 'block_device' instance before
referring to it for avoiding use-after-free.
Cc: <stable@vger.kernel.org>
Reported-by: syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
block/genhd.c | 9 ++++++---
1 file changed, 6 insertions(+), 3 deletions(-)
--- a/block/genhd.c
+++ b/block/genhd.c
@@ -159,14 +159,17 @@ struct hd_struct *disk_part_iter_next(st
part = rcu_dereference(ptbl->part[piter->idx]);
if (!part)
continue;
+ get_device(part_to_dev(part));
+ piter->part = part;
if (!part_nr_sects_read(part) &&
!(piter->flags & DISK_PITER_INCL_EMPTY) &&
!(piter->flags & DISK_PITER_INCL_EMPTY_PART0 &&
- piter->idx == 0))
+ piter->idx == 0)) {
+ put_device(part_to_dev(part));
+ piter->part = NULL;
continue;
+ }
- get_device(part_to_dev(part));
- piter->part = part;
piter->idx += inc;
break;
}
next prev parent reply other threads:[~2021-01-15 13:07 UTC|newest]
Thread overview: 30+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-15 12:27 [PATCH 4.9 00/25] 4.9.252-rc1 review Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 01/25] target: bounds check XCOPY segment descriptor list Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 02/25] target: simplify XCOPY wwn->se_dev lookup helper Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 03/25] target: use XCOPY segment descriptor CSCD IDs Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 04/25] xcopy: loop over devices using idr helper Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 05/25] scsi: target: Fix XCOPY NAA identifier lookup Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 06/25] target: add XCOPY target/segment desc sense codes Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 07/25] powerpc: Fix incorrect stw{, ux, u, x} instructions in __set_pte_at Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 08/25] net: ip: always refragment ip defragmented packets Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 09/25] net: fix pmtu check in nopmtudisc mode Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 10/25] vmlinux.lds.h: Add PGO and AutoFDO input sections Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 11/25] drm/i915: Fix mismatch between misplaced vma check and vma insert Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 12/25] ubifs: wbuf: Dont leak kernel memory to flash Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 13/25] spi: pxa2xx: Fix use-after-free on unbind Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 14/25] ARM: OMAP2+: omap_device: fix idling of devices during probe Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 15/25] cpufreq: powernow-k8: pass policy rather than use cpufreq_cpu_get() Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 16/25] dmaengine: xilinx_dma: check dma_async_device_register return value Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 17/25] dmaengine: xilinx_dma: fix mixed_enum_type coverity warning Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 18/25] wil6210: select CONFIG_CRC32 Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 19/25] block: rsxx: " Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 20/25] iommu/intel: Fix memleak in intel_irq_remapping_alloc Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 21/25] net/mlx5e: Fix memleak in mlx5e_create_l2_table_groups Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 22/25] wan: ds26522: select CONFIG_BITREVERSE Greg Kroah-Hartman
2021-01-15 12:27 ` [PATCH 4.9 23/25] KVM: arm64: Dont access PMCR_EL0 when no PMU is available Greg Kroah-Hartman
2021-01-15 12:27 ` Greg Kroah-Hartman [this message]
2021-01-15 12:27 ` [PATCH 4.9 25/25] net: drop bogus skb with CHECKSUM_PARTIAL and offset beyond end of trimmed packet Greg Kroah-Hartman
2021-01-15 16:19 ` [PATCH 4.9 00/25] 4.9.252-rc1 review Jon Hunter
2021-01-15 21:14 ` Shuah Khan
2021-01-15 21:18 ` Guenter Roeck
2021-01-16 7:41 ` Naresh Kamboju
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20210115121957.880423720@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=axboe@kernel.dk \
--cc=hch@lst.de \
--cc=linux-kernel@vger.kernel.org \
--cc=ming.lei@redhat.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+825f0f9657d4e528046e@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.