linux/include
Yufen Yu 6fcc44d1d7 block: fix use-after-free on gendisk
commit 2da78092dd "block: Fix dev_t minor allocation lifetime"
specifically moved blk_free_devt(dev->devt) call to part_release()
to avoid reallocating device number before the device is fully
shutdown.

However, it can cause use-after-free on gendisk in get_gendisk().
We use md device as example to show the race scenes:

Process1		Worker			Process2
md_free
						blkdev_open
del_gendisk
  add delete_partition_work_fn() to wq
  						__blkdev_get
						get_gendisk
put_disk
  disk_release
    kfree(disk)
    						find part from ext_devt_idr
						get_disk_and_module(disk)
    					  	cause use after free

    			delete_partition_work_fn
			put_device(part)
    		  	part_release
		    	remove part from ext_devt_idr

Before <devt, hd_struct pointer> is removed from ext_devt_idr by
delete_partition_work_fn(), we can find the devt and then access
gendisk by hd_struct pointer. But, if we access the gendisk after
it have been freed, it can cause in use-after-freeon gendisk in
get_gendisk().

We fix this by adding a new helper blk_invalidate_devt() in
delete_partition() and del_gendisk(). It replaces hd_struct
pointer in idr with value 'NULL', and deletes the entry from
idr in part_release() as we do now.

Thanks to Jan Kara for providing the solution and more clear comments
for the code.

Fixes: 2da78092dd ("block: Fix dev_t minor allocation lifetime")
Cc: Al Viro <viro@zeniv.linux.org.uk>
Reviewed-by: Bart Van Assche <bvanassche@acm.org>
Reviewed-by: Keith Busch <keith.busch@intel.com>
Reviewed-by: Jan Kara <jack@suse.cz>
Suggested-by: Jan Kara <jack@suse.cz>
Signed-off-by: Yufen Yu <yuyufen@huawei.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2019-04-22 09:48:12 -06:00
..
acpi ACPI: use different default debug value than ACPICA 2019-03-25 10:45:59 +01:00
asm-generic syscalls: Remove start and number from syscall_set_arguments() args 2019-04-05 09:27:23 -04:00
clocksource clocksource/arm_arch_timer: Store physical timer IRQ number for KVM on VHE 2019-02-19 21:05:22 +00:00
crypto crypto: export arc4 defines 2019-02-15 13:21:55 +08:00
drm drm/atomic-helper: Make atomic_enable/disable crtc callbacks optional 2019-03-29 11:56:52 +01:00
dt-bindings dt-bindings: clock: sifive: add FU540-C000 PRCI clock constants 2019-04-09 20:36:40 -07:00
keys KEYS: trusted: fix -Wvarags warning 2019-04-08 15:58:54 -07:00
kvm ARM: some cleanups, direct physical timer assignment, cache sanitization 2019-03-15 15:00:28 -07:00
linux block: fix use-after-free on gendisk 2019-04-22 09:48:12 -06:00
math-emu
media media: include: fix several typos 2019-03-01 09:45:52 -05:00
memory
misc auxdisplay: charlcd: Introduce charlcd_free() helper 2019-03-17 08:48:16 +01:00
net rxrpc: Make rxrpc_kernel_check_life() indicate if call completed 2019-04-12 16:57:23 -07:00
pcmcia
ras
rdma RDMA: Handle ucontext allocations by IB/core 2019-02-22 14:11:37 -07:00
scsi scsi: kill command serial number 2019-02-27 09:19:24 -05:00
soc IOMMU Updates for Linux v5.1 2019-03-10 12:29:52 -07:00
sound ASoC: core: conditionally increase module refcount on component open 2019-04-08 14:15:44 +07:00
target
trace syscalls: Remove start and number from syscall_get_arguments() args 2019-04-05 09:26:43 -04:00
uapi Linux 5.1-rc6 2019-04-22 09:47:36 -06:00
video media updates for v5.1-rc1 2019-03-09 14:45:54 -08:00
xen block: pass page to xen_biovec_phys_mergeable 2019-04-01 12:11:13 -06:00