From: Sasha Levin <sashal@kernel.org>
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Li Nan <linan122@huawei.com>, Josef Bacik <josef@toxicpanda.com>,
Jens Axboe <axboe@kernel.dk>, Sasha Levin <sashal@kernel.org>,
linux-block@vger.kernel.org, nbd@other.debian.org
Subject: [PATCH AUTOSEL 6.6 13/40] nbd: fix null-ptr-dereference while accessing 'nbd->config'
Date: Tue, 28 Nov 2023 16:05:19 -0500 [thread overview]
Message-ID: <20231128210615.875085-13-sashal@kernel.org> (raw)
In-Reply-To: <20231128210615.875085-1-sashal@kernel.org>
From: Li Nan <linan122@huawei.com>
[ Upstream commit c2da049f419417808466c529999170f5c3ef7d3d ]
Memory reordering may occur in nbd_genl_connect(), causing config_refs
to be set to 1 while nbd->config is still empty. Opening nbd at this
time will cause null-ptr-dereference.
T1 T2
nbd_open
nbd_get_config_unlocked
nbd_genl_connect
nbd_alloc_and_init_config
//memory reordered
refcount_set(&nbd->config_refs, 1) // 2
nbd->config
->null point
nbd->config = config // 1
Fix it by adding smp barrier to guarantee the execution sequence.
Signed-off-by: Li Nan <linan122@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20231116162316.1740402-4-linan666@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
drivers/block/nbd.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index daaf8805e876c..3f03cb3dc33cc 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -397,8 +397,16 @@ static u32 req_to_nbd_cmd_type(struct request *req)
static struct nbd_config *nbd_get_config_unlocked(struct nbd_device *nbd)
{
- if (refcount_inc_not_zero(&nbd->config_refs))
+ if (refcount_inc_not_zero(&nbd->config_refs)) {
+ /*
+ * Add smp_mb__after_atomic to ensure that reading nbd->config_refs
+ * and reading nbd->config is ordered. The pair is the barrier in
+ * nbd_alloc_and_init_config(), avoid nbd->config_refs is set
+ * before nbd->config.
+ */
+ smp_mb__after_atomic();
return nbd->config;
+ }
return NULL;
}
@@ -1559,7 +1567,15 @@ static int nbd_alloc_and_init_config(struct nbd_device *nbd)
init_waitqueue_head(&config->conn_wait);
config->blksize_bits = NBD_DEF_BLKSIZE_BITS;
atomic_set(&config->live_connections, 0);
+
nbd->config = config;
+ /*
+ * Order refcount_set(&nbd->config_refs, 1) and nbd->config assignment,
+ * its pair is the barrier in nbd_get_config_unlocked().
+ * So nbd_get_config_unlocked() won't see nbd->config as null after
+ * refcount_inc_not_zero() succeed.
+ */
+ smp_mb__before_atomic();
refcount_set(&nbd->config_refs, 1);
return 0;
--
2.42.0
next prev parent reply other threads:[~2023-11-28 21:06 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-11-28 21:05 [PATCH AUTOSEL 6.6 01/40] x86/hyperv: Fix the detection of E820_TYPE_PRAM in a Gen2 VM Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 02/40] usb: aqc111: check packet for fixup for true limit Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 03/40] stmmac: dwmac-loongson: Add architecture dependency Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 04/40] rxrpc: Fix some minor issues with bundle tracing Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 05/40] blk-throttle: fix lockdep warning of "cgroup_mutex or RCU read lock required!" Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 06/40] blk-cgroup: bypass blkcg_deactivate_policy after destroying Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 07/40] bcache: avoid oversize memory allocation by small stripe_size Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 08/40] bcache: remove redundant assignment to variable cur_idx Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 09/40] bcache: add code comments for bch_btree_node_get() and __bch_btree_node_alloc() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 10/40] bcache: avoid NULL checking to c->root in run_cache_set() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 11/40] nbd: fold nbd config initialization into nbd_alloc_config() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 12/40] nbd: factor out a helper to get nbd_config without holding 'config_lock' Sasha Levin
2023-11-28 21:05 ` Sasha Levin [this message]
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 14/40] nvme-auth: unlock mutex in one place only Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 15/40] nvme-auth: set explanation code for failure2 msgs Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 16/40] nvme: catch errors from nvme_configure_metadata() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 17/40] selftests/bpf: fix bpf_loop_bench for new callback verification scheme Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 18/40] LoongArch: Add dependency between vmlinuz.efi and vmlinux.efi Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 19/40] LoongArch: Record pc instead of offset in la_abs relocation Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 20/40] LoongArch: Silence the boot warning about 'nokaslr' Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 21/40] LoongArch: Mark {dmw,tlb}_virt_to_page() exports as non-GPL Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 22/40] LoongArch: Implement constant timer shutdown interface Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 23/40] platform/x86: intel_telemetry: Fix kernel doc descriptions Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 24/40] HID: mcp2221: Set driver data before I2C adapter add Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 25/40] HID: mcp2221: Allow IO to start during probe Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 26/40] HID: apple: add Jamesdonkey and A3R to non-apple keyboards list Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 27/40] HID: glorious: fix Glorious Model I HID report Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 28/40] HID: add ALWAYS_POLL quirk for Apple kb Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 29/40] nbd: pass nbd_sock to nbd_read_reply() instead of index Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 30/40] HID: hid-asus: reset the backlight brightness level on resume Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 31/40] HID: multitouch: Add quirk for HONOR GLO-GXXX touchpad Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 32/40] nfc: virtual_ncidev: Add variable to check if ndev is running Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 33/40] scripts/checkstack.pl: match all stack sizes for s390 Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 34/40] asm-generic: qspinlock: fix queued_spin_value_unlocked() implementation Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 35/40] eventfs: Do not allow NULL parent to eventfs_start_creating() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 36/40] net: usb: qmi_wwan: claim interface 4 for ZTE MF290 Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 37/40] smb: client: implement ->query_reparse_point() for SMB1 Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 38/40] smb: client: introduce ->parse_reparse_point() Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 39/40] smb: client: set correct file type from NFS reparse points Sasha Levin
2023-11-28 21:05 ` [PATCH AUTOSEL 6.6 40/40] arm64: add dependency between vmlinuz.efi and Image Sasha Levin
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20231128210615.875085-13-sashal@kernel.org \
--to=sashal@kernel.org \
--cc=axboe@kernel.dk \
--cc=josef@toxicpanda.com \
--cc=linan122@huawei.com \
--cc=linux-block@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nbd@other.debian.org \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox