From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by smtp.lore.kernel.org (Postfix) with ESMTP id DA98DC64EC4 for ; Fri, 10 Mar 2023 14:40:30 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232712AbjCJOk3 (ORCPT ); Fri, 10 Mar 2023 09:40:29 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56558 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232695AbjCJOk2 (ORCPT ); Fri, 10 Mar 2023 09:40:28 -0500 Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 8907A1204B7 for ; Fri, 10 Mar 2023 06:40:27 -0800 (PST) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by dfw.source.kernel.org (Postfix) with ESMTPS id 248D7617B4 for ; Fri, 10 Mar 2023 14:40:27 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 305F5C4339E; Fri, 10 Mar 2023 14:40:26 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1678459226; bh=Z7rXs6G1Bw1wJR8vYBikkDf05k0gYJcZtBy8sJ1qV48=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=kyN7CmVSHjk0AJtzqkngzhVzOKVac3Qw20NlTUGbknA1c0VHAkkmUMBJdcTVrS4Zg wVvc6jgi6nH9e8OUs4d3IkK3oc3ZMDRsHmrnuHTN8FDfll8gNQgrdG3pMSqgvhJO0F 52kNTWEPvefyppVINiIS1q5ESl3BrkzL/bU2utWY= From: Greg Kroah-Hartman To: stable@vger.kernel.org Cc: Greg Kroah-Hartman , patches@lists.linux.dev, Ilya Dryomov Subject: [PATCH 5.4 259/357] rbd: avoid use-after-free in do_rbd_add() when rbd_dev_create() fails Date: Fri, 10 Mar 2023 14:39:08 +0100 Message-Id: <20230310133746.166475034@linuxfoundation.org> X-Mailer: git-send-email 2.39.2 In-Reply-To: <20230310133733.973883071@linuxfoundation.org> References: <20230310133733.973883071@linuxfoundation.org> User-Agent: quilt/0.67 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: stable@vger.kernel.org From: Ilya Dryomov commit f7c4d9b133c7a04ca619355574e96b6abf209fba upstream. If getting an ID or setting up a work queue in rbd_dev_create() fails, use-after-free on rbd_dev->rbd_client, rbd_dev->spec and rbd_dev->opts is triggered in do_rbd_add(). The root cause is that the ownership of these structures is transfered to rbd_dev prematurely and they all end up getting freed when rbd_dev_create() calls rbd_dev_free() prior to returning to do_rbd_add(). Found by Linux Verification Center (linuxtesting.org) with SVACE, an incomplete patch submitted by Natalia Petrova . Cc: stable@vger.kernel.org Fixes: 1643dfa4c2c8 ("rbd: introduce a per-device ordered workqueue") Signed-off-by: Ilya Dryomov Signed-off-by: Greg Kroah-Hartman --- drivers/block/rbd.c | 20 +++++++++----------- 1 file changed, 9 insertions(+), 11 deletions(-) --- a/drivers/block/rbd.c +++ b/drivers/block/rbd.c @@ -5529,8 +5529,7 @@ static void rbd_dev_release(struct devic module_put(THIS_MODULE); } -static struct rbd_device *__rbd_dev_create(struct rbd_client *rbdc, - struct rbd_spec *spec) +static struct rbd_device *__rbd_dev_create(struct rbd_spec *spec) { struct rbd_device *rbd_dev; @@ -5575,9 +5574,6 @@ static struct rbd_device *__rbd_dev_crea rbd_dev->dev.parent = &rbd_root_dev; device_initialize(&rbd_dev->dev); - rbd_dev->rbd_client = rbdc; - rbd_dev->spec = spec; - return rbd_dev; } @@ -5590,12 +5586,10 @@ static struct rbd_device *rbd_dev_create { struct rbd_device *rbd_dev; - rbd_dev = __rbd_dev_create(rbdc, spec); + rbd_dev = __rbd_dev_create(spec); if (!rbd_dev) return NULL; - rbd_dev->opts = opts; - /* get an id and fill in device name */ rbd_dev->dev_id = ida_simple_get(&rbd_dev_id_ida, 0, minor_to_rbd_dev_id(1 << MINORBITS), @@ -5612,6 +5606,10 @@ static struct rbd_device *rbd_dev_create /* we have a ref from do_rbd_add() */ __module_get(THIS_MODULE); + rbd_dev->rbd_client = rbdc; + rbd_dev->spec = spec; + rbd_dev->opts = opts; + dout("%s rbd_dev %p dev_id %d\n", __func__, rbd_dev, rbd_dev->dev_id); return rbd_dev; @@ -6827,7 +6825,7 @@ static int rbd_dev_probe_parent(struct r goto out_err; } - parent = __rbd_dev_create(rbd_dev->rbd_client, rbd_dev->parent_spec); + parent = __rbd_dev_create(rbd_dev->parent_spec); if (!parent) { ret = -ENOMEM; goto out_err; @@ -6837,8 +6835,8 @@ static int rbd_dev_probe_parent(struct r * Images related by parent/child relationships always share * rbd_client and spec/parent_spec, so bump their refcounts. */ - __rbd_get_client(rbd_dev->rbd_client); - rbd_spec_get(rbd_dev->parent_spec); + parent->rbd_client = __rbd_get_client(rbd_dev->rbd_client); + parent->spec = rbd_spec_get(rbd_dev->parent_spec); ret = rbd_dev_image_probe(parent, depth); if (ret < 0)