linux-uconsole/drivers/block
Ming Lei 0987d5a67b block: brd: associate with queue until adding disk
[ Upstream commit 153fcd5f6d ]

brd_free() may be called in the failure path on a brd instance whose
disk isn't added yet, so the release handler of gendisk may free the
associated request_queue early and cause the following use-after-free[1].

This patch fixes this issue by associating gendisk with request_queue
just before adding disk.

[1] KASAN: use-after-free Read in del_timer_sync

Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0
usbcore: registered new interface driver udl
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
kernel/locking/lockdep.c:3218
Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
  __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
  lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
  del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283
  blk_cleanup_queue+0x413/0x710 block/blk-core.c:809
  brd_free+0x5d/0x71 drivers/block/brd.c:422
  brd_init+0x2eb/0x393 drivers/block/brd.c:518
  do_one_initcall+0x145/0x957 init/main.c:890
  do_initcall_level init/main.c:958 [inline]
  do_initcalls init/main.c:966 [inline]
  do_basic_setup init/main.c:984 [inline]
  kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148
  kernel_init+0x11/0x1ae init/main.c:1068
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350

Reported-by: syzbot+3701447012fe951dabb2@syzkaller.appspotmail.com
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2018-11-27 16:12:58 +01:00
aoe drivers/block/aoe/aoedev: NULL check is not needed for mempool_destroy 2018-08-08 09:17:20 -06:00
drbd drivers/block/drbd: remove the null check for kmem_cache_destroy 2018-08-08 10:04:42 -06:00
mtip32xx Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
paride block: paride: pd: mark expected switch fall-throughs 2018-08-09 10:17:38 -06:00
rsxx Merge branch 'ida-4.19' of git://git.infradead.org/users/willy/linux-dax 2018-08-26 11:48:42 -07:00
xen-blkback xen/blkback: remove unused pers_gnts_lock from struct xen_blkif_ring 2018-08-27 12:12:04 -04:00
zram zram: close udev startup race condition as default groups 2018-11-21 09:19:15 +01:00
amiflop.c genhd: Rename get_disk() to get_disk_and_module() 2018-02-26 09:48:42 -07:00
ataflop.c ataflop: fix error handling during setup 2018-11-13 11:08:20 -08:00
brd.c block: brd: associate with queue until adding disk 2018-11-27 16:12:58 +01:00
cryptoloop.c block: cryptoloop - Fix build warning 2017-09-26 07:41:22 -06:00
DAC960.c block/DAC960.c: make some arrays static const, shrinks object size 2018-08-21 11:00:17 -06:00
DAC960.h DAC960: don't use block layer bounce buffers 2018-05-11 15:07:54 -06:00
floppy.c floppy: Do not copy a kernel pointer to user memory in FDGETPRM ioctl 2018-09-20 09:09:48 -06:00
Kconfig cdrom: Use struct scsi_sense_hdr internally 2018-08-02 15:22:39 -06:00
loop.c block/loop: mark expected switch fall-through 2018-07-09 09:07:53 -06:00
loop.h loop: remember whether sysfs_create_group() was done 2018-05-07 15:26:36 -06:00
Makefile block: Rename the null_blk_mod kernel module back into null_blk 2018-07-24 09:54:36 -06:00
nbd.c nbd: don't allow invalid blocksize settings 2018-09-04 11:54:58 -06:00
null_blk.h null_blk: fix zoned support for non-rq based operation 2018-09-12 18:21:11 -06:00
null_blk_main.c null_blk: fix zoned support for non-rq based operation 2018-09-12 18:21:11 -06:00
null_blk_zoned.c null_blk: fix zoned support for non-rq based operation 2018-09-12 18:21:11 -06:00
pktcdvd.c pktcdvd: fix setting of 'ret' error return for a few cases 2018-08-16 14:09:28 -06:00
ps3disk.c ps3disk: handle highmem pages 2018-05-11 15:08:03 -06:00
ps3vram.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
rbd.c rbd: support cloning across namespaces 2018-09-06 16:18:04 +02:00
rbd_types.h rbd: RBD_V{1,2}_DATA_FORMAT macros 2017-02-20 12:16:15 +01:00
skd_main.c block: skd: Use %pad printk format for dma_addr_t values 2018-07-12 15:01:28 -06:00
skd_s1120.h skd: Use __packed only when needed 2017-08-18 08:45:29 -06:00
sunvdc.c sunvdc: Remove VLA usage 2018-10-08 11:09:34 -07:00
swim.c swim: fix cleanup on setup error 2018-11-13 11:08:20 -08:00
swim3.c block/swim: Rename macros to avoid inconsistent inverted logic 2018-04-16 21:49:35 -06:00
swim_asm.S
sx8.c block: sanitize blk_get_request calling conventions 2018-05-14 08:55:12 -06:00
umem.c block: Fix a race between the cgroup code and request queue initialization 2018-02-28 12:23:35 -07:00
umem.h
virtio_blk.c block drivers/block: Use octal not symbolic permissions 2018-05-24 13:38:59 -06:00
xen-blkfront.c xen-blkfront: fix kernel panic with negotiate_mq error path 2018-11-13 11:08:53 -08:00
xsysace.c treewide: setup_timer() -> timer_setup() 2017-11-21 15:57:07 -08:00
z2ram.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00