From patchwork Tue Oct 18 13:14:31 2022
X-Patchwork-Submitter: Yu Kuai
X-Patchwork-Id: 4156
From: Yu Kuai
Subject: [PATCH RFC 1/2] kobject: add return value for kobject_put()
Date: Tue, 18 Oct 2022 21:14:31 +0800
Message-ID: <20221018131432.434167-2-yukuai3@huawei.com>
In-Reply-To: <20221018131432.434167-1-yukuai3@huawei.com>

The return value will be used in later patch to fix uaf for slave_dir and bd_holder_dir in block layer.

Signed-off-by: Yu Kuai
--- include/linux/kobject.h | 2 +- lib/kobject.c | 7 +++++-- 2 files changed, 6 insertions(+), 3 deletions(-) diff --git a/include/linux/kobject.h b/include/linux/kobject.h index 57fb972fea05..f12de6274c51 100644 --- a/include/linux/kobject.h +++ b/include/linux/kobject.h @@ -110,7 +110,7 @@ extern int __must_check kobject_move(struct kobject *, struct kobject *); extern struct kobject *kobject_get(struct kobject *kobj); extern struct kobject * __must_check kobject_get_unless_zero( struct kobject *kobj); -extern void kobject_put(struct kobject *kobj); +extern bool kobject_put(struct kobject *kobj); extern const void *kobject_namespace(struct kobject *kobj); extern void kobject_get_ownership(struct kobject *kobj, diff --git a/lib/kobject.c b/lib/kobject.c index a0b2dbfcfa23..f86c55ae7376 100644 --- a/lib/kobject.c +++ b/lib/kobject.c 
@@ -711,15 +711,18 @@ static void kobject_release(struct kref *kref) * * Decrement the refcount, and if 0, call kobject_cleanup(). */ -void kobject_put(struct kobject *kobj) +bool kobject_put(struct kobject *kobj) { if (kobj) { if (!kobj->state_initialized) WARN(1, KERN_WARNING "kobject: '%s' (%p): is not initialized, yet kobject_put() is being called.\n", kobject_name(kobj), kobj); - kref_put(&kobj->kref, kobject_release); + if (kref_put(&kobj->kref, kobject_release)) + return true; } + + return false; } EXPORT_SYMBOL(kobject_put); 

From patchwork Tue Oct 18 13:14:32 2022
X-Patchwork-Submitter: Yu Kuai
X-Patchwork-Id: 4157
From: Yu Kuai
Subject: [PATCH RFC 2/2] block: protect slave_dir/bd_holder_dir by open_mutex
Date: Tue, 18 Oct 2022 21:14:32 +0800
Message-ID: <20221018131432.434167-3-yukuai3@huawei.com>
In-Reply-To: <20221018131432.434167-1-yukuai3@huawei.com>

Lifecycle of slave_dir/bd_holder_dir is problematic currently:

t1:                             t2:
// get bdev of lower disk
blkdev_get_by_dev
                                // remove lower disk
                                del_gendisk
                                 // initial reference is released, and
                                 // slave_dir/bd_holder_dir can be freed
                                 kobject_put
// uaf is triggered
bd_link_disk_holder

Fix the problem by protecting them by open_mutex.

Signed-off-by: Yu Kuai
--- block/genhd.c | 8 ++++++-- block/holder.c | 13 ++++++++++++- block/partitions/core.c | 5 ++++- 3 files changed, 22 insertions(+), 4 deletions(-) diff --git a/block/genhd.c b/block/genhd.c index 17b33c62423d..d9ad889d011a 100644 --- a/block/genhd.c +++ b/block/genhd.c 
@@ -622,8 +622,12 @@ void del_gendisk(struct gendisk *disk) blk_unregister_queue(disk); - kobject_put(disk->part0->bd_holder_dir); - kobject_put(disk->slave_dir); + mutex_lock(&disk->open_mutex); + if (kobject_put(disk->part0->bd_holder_dir)) + disk->part0->bd_holder_dir = NULL; + if (kobject_put(disk->slave_dir)) + disk->slave_dir = NULL; + mutex_unlock(&disk->open_mutex); part_stat_set_all(disk->part0, 0); disk->part0->bd_stamp = 0; diff --git a/block/holder.c b/block/holder.c index 5283bc804cc1..fdfbe82e31e3 100644 --- a/block/holder.c +++ b/block/holder.c @@ -75,6 +75,13 @@ int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk) struct bd_holder_disk *holder; int ret = 0; + mutex_lock(&bdev->bd_disk->open_mutex); + /* Failed if bd_holder_dir is freed by del_gendisk() */ + if (!bdev->bd_holder_dir) { + mutex_unlock(&bdev->bd_disk->open_mutex); + return -ENODEV; + } + mutex_lock(&disk->open_mutex); WARN_ON_ONCE(!bdev->bd_holder); @@ -111,6 +118,7 @@ int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk) out_unlock: mutex_unlock(&disk->open_mutex); + mutex_unlock(&bdev->bd_disk->open_mutex); return ret; } EXPORT_SYMBOL_GPL(bd_link_disk_holder); @@ -136,16 +144,19 @@ void bd_unlink_disk_holder(struct block_device *bdev, struct gendisk *disk) { struct bd_holder_disk *holder; + mutex_lock(&bdev->bd_disk->open_mutex); mutex_lock(&disk->open_mutex); holder = bd_find_holder_disk(bdev, disk); if (!WARN_ON_ONCE(holder == NULL) && !--holder->refcnt) { if (disk->slave_dir) __unlink_disk_holder(bdev, disk); - kobject_put(bdev->bd_holder_dir); + if (kobject_put(bdev->bd_holder_dir)) + bdev->bd_holder_dir = NULL; list_del_init(&holder->list); kfree(holder); } mutex_unlock(&disk->open_mutex); + mutex_unlock(&bdev->bd_disk->open_mutex); } EXPORT_SYMBOL_GPL(bd_unlink_disk_holder); diff --git a/block/partitions/core.c b/block/partitions/core.c index b8112f52d388..eef7b8615419 100644 --- a/block/partitions/core.c +++ b/block/partitions/core.c 
@@ -279,7 +279,10 @@ static void delete_partition(struct block_device *part) __invalidate_device(part, true); xa_erase(&part->bd_disk->part_tbl, part->bd_partno); - kobject_put(part->bd_holder_dir); + mutex_lock(&part->bd_disk->open_mutex); + if (kobject_put(part->bd_holder_dir)) + part->bd_holder_dir = NULL; + mutex_unlock(&part->bd_disk->open_mutex); device_del(&part->bd_device); /*
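
Review bot: In patch 1/2, lib/kobject.c, the new return value of kobject_put() cannot tell a caller that the kobject is still alive: false only means this call did not drop the last reference, and another holder can drop it right afterwards. The value comes straight from kref_put(), so it is true only when this call ran kobject_release. The kernel-doc above the function still reads "Decrement the refcount, and if 0, call kobject_cleanup()" and should describe the return value and say that callers must not read false as a liveness guarantee. The added branch could also be written as a single "return kref_put(&kobj->kref, kobject_release);" inside the "if (kobj)" block.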
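
Review bot: In patch 2/2, block/genhd.c, del_gendisk() clears disk->part0->bd_holder_dir and disk->slave_dir only when kobject_put() returns true, so whenever another reference is still held the pointers stay non-NULL after the disk has been deleted. The check added in bd_link_disk_holder(), "if (!bdev->bd_holder_dir)", then passes and the function carries on against a disk that del_gendisk() has already processed. Please state whether that case is intended, or record the deleted state explicitly under open_mutex rather than inferring it from whether this particular put was the last one.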
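
Review bot: In patch 2/2, block/holder.c, bd_link_disk_holder() and bd_unlink_disk_holder() now nest two open_mutex instances, bdev->bd_disk->open_mutex first and disk->open_mutex second, using plain mutex_lock() and with no comment on the ordering rule. Two locks of the same kind taken nested need a documented order, and usually a nesting annotation so that lockdep does not flag them; please explain why no other path can take these two in the opposite order. The early "return -ENODEV" path does release the outer mutex correctly, so the concern is only the ordering, not a leaked lock.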
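
Review bot: In patch 2/2, block/partitions/core.c, delete_partition() now calls mutex_lock(&part->bd_disk->open_mutex) around the kobject_put(), and the hunk does not show whether its callers already hold that mutex. If any caller does, this is a self-deadlock. Please confirm the locking context of every caller; if the mutex is already held on entry, drop the added lock/unlock pair and keep only "if (kobject_put(part->bd_holder_dir)) part->bd_holder_dir = NULL;".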