[PATCH -next] nbd: get config_lock before sock

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

* [PATCH -next] nbd: get config_lock before sock_shutdown
@ 2023-07-07  6:22 Zhong Jinghua
  2023-07-28  7:10 ` Yu Kuai
  2023-08-01  0:27 ` Jens Axboe
  0 siblings, 2 replies; 5+ messages in thread
From: Zhong Jinghua @ 2023-07-07  6:22 UTC (permalink / raw)
  To: josef, axboe
  Cc: linux-block, nbd, linux-kernel, zhongjinghua, yi.zhang, yukuai3

Config->socks in sock_shutdown may trigger a UAF problem.
The reason is that sock_shutdown does not hold the config_lock,
so that nbd_ioctl can release config->socks at this time.

T0: NBD_SET_SOCK
T1: NBD_DO_IT

T0						T1

nbd_ioctl
  mutex_lock(&nbd->config_lock)
  // get lock
  __nbd_ioctl
    nbd_start_device_ioctl
      nbd_start_device
       mutex_unlock(&nbd->config_lock)
         // relase lock
         wait_event_interruptible
         (kill, enter sock_shutdown)
         sock_shutdown
					nbd_ioctl
					  mutex_lock(&nbd->config_lock)
					  // get lock
					  __nbd_ioctl
					    nbd_add_socket
					      krealloc
						kfree(p)
					        //config->socks is NULL
           nbd_sock *nsock = config->socks // error

Fix it by moving config_lock up before sock_shutdown.

Signed-off-by: Zhong Jinghua <zhongjinghua@huaweicloud.com>
---
 drivers/block/nbd.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index c410cf29fb0c..accbe99ebb7e 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd)
 	mutex_unlock(&nbd->config_lock);
 	ret = wait_event_interruptible(config->recv_wq,
 					 atomic_read(&config->recv_threads) == 0);
+
+	/*
+	 * recv_work in flush_workqueue will not get this lock, because nbd_open
+	 * will hold nbd->config_refs
+	 */
+	mutex_lock(&nbd->config_lock);
 	if (ret) {
 		sock_shutdown(nbd);
 		nbd_clear_que(nbd);
 	}
 
 	flush_workqueue(nbd->recv_workq);
-	mutex_lock(&nbd->config_lock);
 	nbd_bdev_reset(nbd);
 	/* user requested, ignore socket errors */
 	if (test_bit(NBD_RT_DISCONNECT_REQUESTED, &config->runtime_flags))
-- 
2.31.1


^ permalink raw reply related	[flat|nested] 5+ messages in thread

* Re: [PATCH -next] nbd: get config_lock before sock_shutdown
  2023-07-07  6:22 [PATCH -next] nbd: get config_lock before sock_shutdown Zhong Jinghua
@ 2023-07-28  7:10 ` Yu Kuai
  2023-08-01  0:27 ` Jens Axboe
  1 sibling, 0 replies; 5+ messages in thread
From: Yu Kuai @ 2023-07-28  7:10 UTC (permalink / raw)
  To: Zhong Jinghua, josef, axboe
  Cc: linux-block, nbd, linux-kernel, yi.zhang, yukuai (C)

在 2023/07/07 14:22, Zhong Jinghua 写道:
> Config->socks in sock_shutdown may trigger a UAF problem.
> The reason is that sock_shutdown does not hold the config_lock,
> so that nbd_ioctl can release config->socks at this time.
> 
> T0: NBD_SET_SOCK
> T1: NBD_DO_IT
> 
> T0						T1
> 
> nbd_ioctl
>    mutex_lock(&nbd->config_lock)
>    // get lock
>    __nbd_ioctl
>      nbd_start_device_ioctl
>        nbd_start_device
>         mutex_unlock(&nbd->config_lock)
>           // relase lock
>           wait_event_interruptible
>           (kill, enter sock_shutdown)
>           sock_shutdown
> 					nbd_ioctl
> 					  mutex_lock(&nbd->config_lock)
> 					  // get lock
> 					  __nbd_ioctl
> 					    nbd_add_socket
> 					      krealloc
> 						kfree(p)
> 					        //config->socks is NULL
>             nbd_sock *nsock = config->socks // error
> 
> Fix it by moving config_lock up before sock_shutdown.

LGTM
Reviewed-by: Yu Kuai <yukuai3@huawei.com>

> 
> Signed-off-by: Zhong Jinghua <zhongjinghua@huaweicloud.com>
> ---
>   drivers/block/nbd.c | 7 ++++++-
>   1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index c410cf29fb0c..accbe99ebb7e 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd)
>   	mutex_unlock(&nbd->config_lock);
>   	ret = wait_event_interruptible(config->recv_wq,
>   					 atomic_read(&config->recv_threads) == 0);
> +
> +	/*
> +	 * recv_work in flush_workqueue will not get this lock, because nbd_open
> +	 * will hold nbd->config_refs
> +	 */
> +	mutex_lock(&nbd->config_lock);
>   	if (ret) {
>   		sock_shutdown(nbd);
>   		nbd_clear_que(nbd);
>   	}
>   
>   	flush_workqueue(nbd->recv_workq);
> -	mutex_lock(&nbd->config_lock);
>   	nbd_bdev_reset(nbd);
>   	/* user requested, ignore socket errors */
>   	if (test_bit(NBD_RT_DISCONNECT_REQUESTED, &config->runtime_flags))
> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH -next] nbd: get config_lock before sock_shutdown
  2023-07-07  6:22 [PATCH -next] nbd: get config_lock before sock_shutdown Zhong Jinghua
  2023-07-28  7:10 ` Yu Kuai
@ 2023-08-01  0:27 ` Jens Axboe
  2023-09-28  6:04   ` Yu Kuai
  1 sibling, 1 reply; 5+ messages in thread
From: Jens Axboe @ 2023-08-01  0:27 UTC (permalink / raw)
  To: Zhong Jinghua, josef; +Cc: linux-block, nbd, linux-kernel, yi.zhang, yukuai3

On 7/7/23 12:22?AM, Zhong Jinghua wrote:
> Config->socks in sock_shutdown may trigger a UAF problem.
> The reason is that sock_shutdown does not hold the config_lock,
> so that nbd_ioctl can release config->socks at this time.
> 
> T0: NBD_SET_SOCK
> T1: NBD_DO_IT
> 
> T0						T1
> 
> nbd_ioctl
>   mutex_lock(&nbd->config_lock)
>   // get lock
>   __nbd_ioctl
>     nbd_start_device_ioctl
>       nbd_start_device
>        mutex_unlock(&nbd->config_lock)
>          // relase lock
>          wait_event_interruptible
>          (kill, enter sock_shutdown)
>          sock_shutdown
> 					nbd_ioctl
> 					  mutex_lock(&nbd->config_lock)
> 					  // get lock
> 					  __nbd_ioctl
> 					    nbd_add_socket
> 					      krealloc
> 						kfree(p)
> 					        //config->socks is NULL
>            nbd_sock *nsock = config->socks // error
> 
> Fix it by moving config_lock up before sock_shutdown.
> 
> Signed-off-by: Zhong Jinghua <zhongjinghua@huaweicloud.com>
> ---
>  drivers/block/nbd.c | 7 ++++++-
>  1 file changed, 6 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index c410cf29fb0c..accbe99ebb7e 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd)
>  	mutex_unlock(&nbd->config_lock);
>  	ret = wait_event_interruptible(config->recv_wq,
>  					 atomic_read(&config->recv_threads) == 0);
> +
> +	/*
> +	 * recv_work in flush_workqueue will not get this lock, because nbd_open
> +	 * will hold nbd->config_refs
> +	 */
> +	mutex_lock(&nbd->config_lock);
>  	if (ret) {
>  		sock_shutdown(nbd);
>  		nbd_clear_que(nbd);
>  	}
>  
>  	flush_workqueue(nbd->recv_workq);
> -	mutex_lock(&nbd->config_lock);

Feels pretty iffy to hold config_lock over the flush. If anything off
recv_work() ever grabs it, we'd be stuck. Your comment assumes that the
only case this will currently happen is if we drop the last ref, or at
least that's the case that'd do it even if you don't mention it
explicitly.

Maybe this is all fine, but recv_work() should have a comment matching
this one, and this comment should be more descriptive as well.

-- 
Jens Axboe


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH -next] nbd: get config_lock before sock_shutdown
  2023-08-01  0:27 ` Jens Axboe
@ 2023-09-28  6:04   ` Yu Kuai
  2023-10-30  8:49     ` zhongjinghua
  0 siblings, 1 reply; 5+ messages in thread
From: Yu Kuai @ 2023-09-28  6:04 UTC (permalink / raw)
  To: Jens Axboe, Zhong Jinghua, josef
  Cc: linux-block, nbd, linux-kernel, yi.zhang, yukuai (C)

Hi,

在 2023/08/01 8:27, Jens Axboe 写道:
> On 7/7/23 12:22?AM, Zhong Jinghua wrote:
>> Config->socks in sock_shutdown may trigger a UAF problem.
>> The reason is that sock_shutdown does not hold the config_lock,
>> so that nbd_ioctl can release config->socks at this time.
>>
>> T0: NBD_SET_SOCK
>> T1: NBD_DO_IT
>>
>> T0						T1
>>
>> nbd_ioctl
>>    mutex_lock(&nbd->config_lock)
>>    // get lock
>>    __nbd_ioctl
>>      nbd_start_device_ioctl
>>        nbd_start_device
>>         mutex_unlock(&nbd->config_lock)
>>           // relase lock
>>           wait_event_interruptible
>>           (kill, enter sock_shutdown)
>>           sock_shutdown
>> 					nbd_ioctl
>> 					  mutex_lock(&nbd->config_lock)
>> 					  // get lock
>> 					  __nbd_ioctl
>> 					    nbd_add_socket
>> 					      krealloc
>> 						kfree(p)
>> 					        //config->socks is NULL
>>             nbd_sock *nsock = config->socks // error
>>
>> Fix it by moving config_lock up before sock_shutdown.
>>
>> Signed-off-by: Zhong Jinghua <zhongjinghua@huaweicloud.com>
>> ---
>>   drivers/block/nbd.c | 7 ++++++-
>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>
>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
>> index c410cf29fb0c..accbe99ebb7e 100644
>> --- a/drivers/block/nbd.c
>> +++ b/drivers/block/nbd.c
>> @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd)
>>   	mutex_unlock(&nbd->config_lock);
>>   	ret = wait_event_interruptible(config->recv_wq,
>>   					 atomic_read(&config->recv_threads) == 0);
>> +
>> +	/*
>> +	 * recv_work in flush_workqueue will not get this lock, because nbd_open
>> +	 * will hold nbd->config_refs
>> +	 */
>> +	mutex_lock(&nbd->config_lock);
>>   	if (ret) {
>>   		sock_shutdown(nbd);
>>   		nbd_clear_que(nbd);
>>   	}
>>   
>>   	flush_workqueue(nbd->recv_workq);
>> -	mutex_lock(&nbd->config_lock);
> 
> Feels pretty iffy to hold config_lock over the flush. If anything off
> recv_work() ever grabs it, we'd be stuck. Your comment assumes that the
> only case this will currently happen is if we drop the last ref, or at
> least that's the case that'd do it even if you don't mention it
> explicitly.
> 
> Maybe this is all fine, but recv_work() should have a comment matching
> this one, and this comment should be more descriptive as well.

Jinghua,

Please add comment as Jens suggested, and resend this patch.

Thanks,
Kuai

> 


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: [PATCH -next] nbd: get config_lock before sock_shutdown
  2023-09-28  6:04   ` Yu Kuai
@ 2023-10-30  8:49     ` zhongjinghua
  0 siblings, 0 replies; 5+ messages in thread
From: zhongjinghua @ 2023-10-30  8:49 UTC (permalink / raw)
  To: Yu Kuai, Jens Axboe, josef
  Cc: linux-block, nbd, linux-kernel, yi.zhang, yukuai (C)


在 2023/9/28 14:04, Yu Kuai 写道:
> Hi,
>
> 在 2023/08/01 8:27, Jens Axboe 写道:
>> On 7/7/23 12:22?AM, Zhong Jinghua wrote:
>>> Config->socks in sock_shutdown may trigger a UAF problem.
>>> The reason is that sock_shutdown does not hold the config_lock,
>>> so that nbd_ioctl can release config->socks at this time.
>>>
>>> T0: NBD_SET_SOCK
>>> T1: NBD_DO_IT
>>>
>>> T0                        T1
>>>
>>> nbd_ioctl
>>>    mutex_lock(&nbd->config_lock)
>>>    // get lock
>>>    __nbd_ioctl
>>>      nbd_start_device_ioctl
>>>        nbd_start_device
>>>         mutex_unlock(&nbd->config_lock)
>>>           // relase lock
>>>           wait_event_interruptible
>>>           (kill, enter sock_shutdown)
>>>           sock_shutdown
>>>                     nbd_ioctl
>>>                       mutex_lock(&nbd->config_lock)
>>>                       // get lock
>>>                       __nbd_ioctl
>>>                         nbd_add_socket
>>>                           krealloc
>>>                         kfree(p)
>>>                             //config->socks is NULL
>>>             nbd_sock *nsock = config->socks // error
>>>
>>> Fix it by moving config_lock up before sock_shutdown.
>>>
>>> Signed-off-by: Zhong Jinghua <zhongjinghua@huaweicloud.com>
>>> ---
>>>   drivers/block/nbd.c | 7 ++++++-
>>>   1 file changed, 6 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
>>> index c410cf29fb0c..accbe99ebb7e 100644
>>> --- a/drivers/block/nbd.c
>>> +++ b/drivers/block/nbd.c
>>> @@ -1428,13 +1428,18 @@ static int nbd_start_device_ioctl(struct 
>>> nbd_device *nbd)
>>>       mutex_unlock(&nbd->config_lock);
>>>       ret = wait_event_interruptible(config->recv_wq,
>>> atomic_read(&config->recv_threads) == 0);
>>> +
>>> +    /*
>>> +     * recv_work in flush_workqueue will not get this lock, because 
>>> nbd_open
>>> +     * will hold nbd->config_refs
>>> +     */
>>> +    mutex_lock(&nbd->config_lock);
>>>       if (ret) {
>>>           sock_shutdown(nbd);
>>>           nbd_clear_que(nbd);
>>>       }
>>>         flush_workqueue(nbd->recv_workq);
>>> -    mutex_lock(&nbd->config_lock);
>>
>> Feels pretty iffy to hold config_lock over the flush. If anything off
>> recv_work() ever grabs it, we'd be stuck. Your comment assumes that the
>> only case this will currently happen is if we drop the last ref, or at
>> least that's the case that'd do it even if you don't mention it
>> explicitly.
>>
>> Maybe this is all fine, but recv_work() should have a comment matching
>> this one, and this comment should be more descriptive as well.
>
> Jinghua,
>
> Please add comment as Jens suggested, and resend this patch.
>
> Thanks,
> Kuai
>
>>
OK.

Later I'll send out,

Thanks to Jens for the advice.


^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2023-10-30  8:50 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2023-07-07  6:22 [PATCH -next] nbd: get config_lock before sock_shutdown Zhong Jinghua
2023-07-28  7:10 ` Yu Kuai
2023-08-01  0:27 ` Jens Axboe
2023-09-28  6:04   ` Yu Kuai
2023-10-30  8:49     ` zhongjinghua

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).