From patchwork Tue May 23 13:12:16 2023
X-Patchwork-Submitter: Vincent Whitchurch
X-Patchwork-Id: 97992
From: Vincent Whitchurch
Date: Tue, 23 May 2023 15:12:16 +0200
Subject: [PATCH 1/2] ubi: block: Fix use-after-free of gendisk
Message-ID: <20230523-ubiblock-remove-v1-1-240bed75849b@axis.com>
References: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
In-Reply-To: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
To: Richard Weinberger, Miquel Raynal, Vignesh Raghavendra
CC: , , , Vincent Whitchurch
X-Mailer: b4 0.12.2
X-Mailing-List: linux-kernel@vger.kernel.org

Do not touch the gendisk after put_disk() to fix this use-after-free:

==================================================
BUG: KASAN: slab-use-after-free in ubiblock_remove
Read of size 4 by task ubiblock/361

Call Trace:
 ubiblock_remove (drivers/mtd/ubi/block.c:459 drivers/mtd/ubi/block.c:483)
 vol_cdev_ioctl
 ...

Allocated by task 358:
 __alloc_disk_node (block/genhd.c:1377)
 __blk_mq_alloc_disk (block/blk-mq.c:4093)
 ubiblock_create (drivers/mtd/ubi/block.c:397)
 vol_cdev_ioctl
 ...

Freed by task 0:
 bdev_free_inode (block/bdev.c:337)
 i_callback
 rcu_core
 __do_softirq
 ...

Signed-off-by: Vincent Whitchurch
---
 drivers/mtd/ubi/block.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c
index 3711d7f74600..70caec4606cd 100644
--- a/drivers/mtd/ubi/block.c
+++ b/drivers/mtd/ubi/block.c
@@ -448,13 +448,15 @@ int ubiblock_create(struct ubi_volume_info *vi) static void ubiblock_cleanup(struct ubiblock *dev) { + int first_minor = dev->gd->first_minor; + /* Stop new requests to arrive */ del_gendisk(dev->gd); /* Finally destroy the blk queue */ dev_info(disk_to_dev(dev->gd), "released"); put_disk(dev->gd); blk_mq_free_tag_set(&dev->tag_set); - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor); + idr_remove(&ubiblock_minor_idr, first_minor); } int ubiblock_remove(struct ubi_volume_info *vi)
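Review bot: the new `int first_minor = dev->gd->first_minor;` at the top of ubiblock_cleanup() deserves a one-line comment saying why the minor is cached, since nothing in the function itself makes it obvious that `dev->gd` is dead after `put_disk(dev->gd)`; without it a later cleanup is likely to fold the local back into `idr_remove(&ubiblock_minor_idr, dev->gd->first_minor)` and reintroduce exactly the read that the KASAN report in the commit message flags (block.c:459, freed via bdev_free_inode from the RCU callback). Something like `/* Read the minor now: put_disk() below may drop the last reference and free gd. */` above the declaration would do. The remaining `disk_to_dev(dev->gd)` in the `dev_info()` call is fine because it runs before `put_disk()`.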
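To make the pattern behind this fix concrete, here is a small constructed C model of the bug and the fix, added as an illustration. It is not kernel code and not part of the patch: `fake_disk`, `fake_alloc_disk`, `fake_put_disk`, `fake_idr_remove`, the static pool and `POISON_MINOR` are hypothetical stand-ins for `struct gendisk`, `__alloc_disk_node()`, `put_disk()`, `idr_remove()` and the slab allocator. Freed objects stay addressable but are poisoned, so the post-`put_disk()` read is observable deterministically instead of relying on KASAN; the consequence shown for the buggy path (the minor is never released from the IDR) is one outcome of reading garbage, not a claim about what happens on a real kernel.

```c
#include <stdio.h>

/* Constructed model: not kernel code.  See the lead-in for what each name stands for. */

#define POOL_SIZE    4
#define POISON_MINOR (-0x6b)   /* stands in for slab poisoning of freed memory */

struct fake_disk {
    int refcount;
    int first_minor;
    int in_use;
};

static struct fake_disk pool[POOL_SIZE];
static int minor_idr[POOL_SIZE];   /* 1 = minor currently owned by a live device */

/* Analogue of __alloc_disk_node(): one reference held, minor registered in the IDR. */
struct fake_disk *fake_alloc_disk(int minor)
{
    for (int i = 0; i < POOL_SIZE; i++) {
        if (!pool[i].in_use) {
            pool[i].in_use = 1;
            pool[i].refcount = 1;
            pool[i].first_minor = minor;
            minor_idr[minor] = 1;
            return &pool[i];
        }
    }
    return NULL;
}

/* Analogue of put_disk(): dropping the last reference frees (here: poisons) the object. */
void fake_put_disk(struct fake_disk *gd)
{
    if (--gd->refcount == 0) {
        gd->first_minor = POISON_MINOR;
        gd->in_use = 0;
    }
}

/* Analogue of idr_remove(): an id that was never allocated is silently ignored. */
void fake_idr_remove(int minor)
{
    if (minor >= 0 && minor < POOL_SIZE)
        minor_idr[minor] = 0;
}

/* Pre-fix cleanup: dereferences gd after its last reference has been dropped. */
int cleanup_buggy(struct fake_disk *gd)
{
    fake_put_disk(gd);
    int minor = gd->first_minor;    /* use-after-free: reads freed (poisoned) memory */
    fake_idr_remove(minor);         /* garbage id: the real minor is never released */
    return minor;
}

/* Post-fix cleanup: read the minor while gd is still live, then drop the reference. */
int cleanup_fixed(struct fake_disk *gd)
{
    int first_minor = gd->first_minor;   /* cached before put_disk() can free gd */
    fake_put_disk(gd);
    fake_idr_remove(first_minor);
    return first_minor;
}

int minor_in_use(int minor)
{
    return minor_idr[minor];
}

int main(void)
{
    struct fake_disk *a = fake_alloc_disk(2);
    int got = cleanup_buggy(a);
    printf("buggy: returned minor %d, minor 2 still in IDR: %d\n", got, minor_in_use(2));

    struct fake_disk *b = fake_alloc_disk(3);
    got = cleanup_fixed(b);
    printf("fixed: returned minor %d, minor 3 still in IDR: %d\n", got, minor_in_use(3));
    return 0;
}
```

The ordering rule the model enforces is the same one the patch applies: any field of a refcounted object that is still needed after the reference is dropped has to be copied out first, because `put_disk()` gives no guarantee that the object outlives the call.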