linux/drivers/block
Yu Kuai 8663b210f8 nbd: fix uaf in nbd_handle_reply()
There is a problem that nbd_handle_reply() might access freed request:

1) At first, a normal io is submitted and completed with scheduler:

internal_tag = blk_mq_get_tag -> get tag from sched_tags
 blk_mq_rq_ctx_init
  sched_tags->rq[internal_tag] = sched_tag->static_rq[internal_tag]
...
blk_mq_get_driver_tag
 __blk_mq_get_driver_tag -> get tag from tags
 tags->rq[tag] = sched_tag->static_rq[internal_tag]

So, both tags->rq[tag] and sched_tags->rq[internal_tag] point to the
request sched_tags->static_rq[internal_tag], even after the io has
finished.

2) the nbd server sends a reply with a random tag directly:

recv_work
 nbd_handle_reply
  blk_mq_tag_to_rq(tags, tag)
   rq = tags->rq[tag]

3) if the sched_tags->static_rq is freed:

blk_mq_sched_free_requests
 blk_mq_free_rqs(q->tag_set, hctx->sched_tags, i)
  -> step 2) access rq before clearing rq mapping
  blk_mq_clear_rq_mapping(set, tags, hctx_idx);
  __free_pages() -> rq is freed here

4) Then, nbd continues to use the freed request in nbd_handle_reply

Fix the problem by getting 'q_usage_counter' before blk_mq_tag_to_rq();
the request is then guaranteed not to be freed because 'q_usage_counter'
is not zero.

Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210916141810.2325276-1-yukuai3@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-10-18 14:50:37 -06:00
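The four-step race in the commit message above, as an added userspace model; this is example code, not kernel code and not part of nbd.c. struct queue, queue_enter/queue_exit, sched_free_requests, tag_to_rq, reply_lookup_fixed, reply_finish and run_race are stand-ins assumed for the blk-mq and nbd functions they imitate, and the tag value used is constructed. Nothing is really freed: a flag marks the point where __free_pages() would run, so the use-after-free is reported as -1 instead of crashing. run_race() drives both interleavings, with the reply handler either unfixed (lookup without a pin) or fixed (q_usage_counter taken before the lookup, so the free path has to wait).

```c
/* Added example, not kernel code: a userspace model of the nbd_handle_reply()
 * race from the commit message and of the q_usage_counter fix. Every name is a
 * stand-in for the blk-mq/nbd function it imitates. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define NR_TAGS 4

struct request { unsigned int tag; };

struct queue {
	int q_usage_counter;               /* models q->q_usage_counter */
	bool freezing;                     /* models blk_freeze_queue_start() */
	struct request static_rq[NR_TAGS]; /* models sched_tags->static_rq */
	bool static_rq_freed;              /* set where __free_pages() would run */
	struct request *rq[NR_TAGS];       /* models tags->rq[]; stays stale after completion */
};

/* blk_queue_enter()/blk_queue_exit() analogues. */
static bool queue_enter(struct queue *q)
{
	if (q->freezing)
		return false;
	q->q_usage_counter++;
	return true;
}

static void queue_exit(struct queue *q) { q->q_usage_counter--; }

/* Step 3: blk_mq_sched_free_requests(). Returns false when it would have to
 * sleep in blk_freeze_queue_wait() because q_usage_counter is still held. */
static bool sched_free_requests(struct queue *q)
{
	q->freezing = true;
	if (q->q_usage_counter != 0)
		return false;
	memset(q->rq, 0, sizeof(q->rq));   /* blk_mq_clear_rq_mapping() */
	q->static_rq_freed = true;         /* __free_pages(): modelled by a flag */
	return true;
}

static struct request *tag_to_rq(struct queue *q, unsigned int tag)
{
	return tag < NR_TAGS ? q->rq[tag] : NULL;
}

/* Step 2 after the fix: take q_usage_counter before the lookup. A NULL
 * return means the reply is dropped and nothing is left held. */
static struct request *reply_lookup_fixed(struct queue *q, unsigned int tag)
{
	struct request *rq;

	if (!queue_enter(q))
		return NULL;                   /* queue is being torn down */
	rq = tag_to_rq(q, tag);
	if (!rq)
		queue_exit(q);
	return rq;
}

/* Step 4: touch the request, then drop the pin if one is held. -1 = UAF. */
static int reply_finish(struct queue *q, struct request *rq, bool pinned)
{
	int ret = q->static_rq_freed ? -1 : (int)rq->tag;

	if (pinned)
		queue_exit(q);
	return ret;
}

/* Runs steps 1-4 in the commit message's order with the reply handler either
 * unfixed or fixed. Returns step 4's result: the tag the reply resolved to,
 * -1 for a use-after-free, -2 if the reply was dropped. */
static int run_race(bool fixed, unsigned int tag)
{
	struct queue q = { 0 };
	struct request *rq;

	if (tag >= NR_TAGS)
		return -2;
	for (unsigned int i = 0; i < NR_TAGS; i++)
		q.static_rq[i].tag = i;
	q.rq[tag] = &q.static_rq[tag];     /* step 1: io completed, mapping left stale */

	rq = fixed ? reply_lookup_fixed(&q, tag) : tag_to_rq(&q, tag); /* step 2 */
	if (!rq)
		return -2;
	sched_free_requests(&q);           /* step 3 racing with the reply handler */
	return reply_finish(&q, rq, fixed); /* step 4 */
}

int main(void)
{
	printf("unfixed handler: %d (-1 = use-after-free)\n", run_race(false, 2));
	printf("fixed handler:   %d\n", run_race(true, 2));
	return 0;
}
```

The model only covers object lifetime, which is what the commit fixes: with the pin held, the free path cannot reach __free_pages() until the reply handler has dropped q_usage_counter, and once freezing has started a late reply fails queue_enter() and is discarded instead of dereferencing a stale tags->rq[] entry. It does not model the separate question of whether a looked-up request is actually in flight for that tag.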
Name | Last commit | Date
aoe | aoe: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
drbd | drbd: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
mtip32xx | mtip32xx: Remove redundant 'flush_workqueue()' calls | 2021-10-18 14:50:37 -06:00
null_blk | null_blk: poll queue support | 2021-10-18 14:41:36 -06:00
paride | pf: fix error codes in pf_init_unit() | 2021-10-18 14:42:16 -06:00
rnbd | block: add a struct io_comp_batch argument to fops->iopoll() | 2021-10-18 14:40:40 -06:00
rsxx | block/rsxx: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
xen-blkback | isystem: trim/fixup stdarg.h and other headers | 2021-08-19 09:02:55 +09:00
zram | block: switch polling to be bio based | 2021-10-18 06:17:36 -06:00
amiflop.c | amiflop: add error handling support for add_disk() | 2021-10-18 14:41:37 -06:00
ataflop.c | block/ataflop: add error handling support for add_disk() | 2021-10-18 14:41:37 -06:00
brd.c | block: switch polling to be bio based | 2021-10-18 06:17:36 -06:00
cryptoloop.c | cryptoloop: add a deprecation warning | 2021-08-27 10:44:54 -06:00
floppy.c | floppy: add error handling support for add_disk() | 2021-10-18 14:41:37 -06:00
Kconfig | SCSI misc on 20210902 | 2021-09-02 15:09:46 -07:00
loop.c | loop: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
loop.h | loop: reduce the loop_ctl_mutex scope | 2021-09-03 22:14:40 -06:00
Makefile | drivers/block: remove the umem driver | 2021-03-24 06:57:40 -06:00
n64cart.c | n64cart: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
nbd.c | nbd: fix uaf in nbd_handle_reply() | 2021-10-18 14:50:37 -06:00
pktcdvd.c | pktcdvd: add error handling support for add_disk() | 2021-10-18 14:41:36 -06:00
ps3disk.c | ps3disk: use memcpy_{from,to}_bvec | 2021-08-02 13:37:27 -06:00
ps3vram.c | block: switch polling to be bio based | 2021-10-18 06:17:36 -06:00
rbd_types.h | libceph, rbd: replace zero-length array with flexible-array | 2020-06-01 13:22:53 +02:00
rbd.c | rbd: add add_disk() error handling | 2021-10-18 14:41:37 -06:00
sunvdc.c | Char / Misc driver updates for 5.14-rc1 | 2021-07-05 13:42:16 -07:00
swim3.c | swim3: add missing major.h include | 2021-10-18 14:42:44 -06:00
swim_asm.S | treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 | 2019-05-30 11:26:32 -07:00
swim.c | swim: add error handling support for add_disk() | 2021-10-18 14:41:37 -06:00
sx8.c | sx8: fix an error code in carm_init_one() | 2021-10-18 14:42:30 -06:00
virtio_blk.c | Revert "virtio-blk: Add validation for block size in config space" | 2021-10-13 08:35:36 -04:00
xen-blkfront.c | block: drop unused includes in <linux/genhd.h> | 2021-10-18 06:17:02 -06:00
z2ram.c | for-5.14/drivers-2021-06-29 | 2021-06-30 12:21:16 -07:00