iv/linux
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
linux/drivers
History
Ye Bin 0c98057be9 nbd: Fix use-after-free in pid_show 
I got issue as follows:
[  263.886511] BUG: KASAN: use-after-free in pid_show+0x11f/0x13f
[  263.888359] Read of size 4 at addr ffff8880bf0648c0 by task cat/746
[  263.890479] CPU: 0 PID: 746 Comm: cat Not tainted 4.19.90-dirty #140
[  263.893162] Call Trace:
[  263.893509]  dump_stack+0x108/0x15f
[  263.893999]  print_address_description+0xa5/0x372
[  263.894641]  kasan_report.cold+0x236/0x2a8
[  263.895696]  __asan_report_load4_noabort+0x25/0x30
[  263.896365]  pid_show+0x11f/0x13f
[  263.897422]  dev_attr_show+0x48/0x90
[  263.898361]  sysfs_kf_seq_show+0x24d/0x4b0
[  263.899479]  kernfs_seq_show+0x14e/0x1b0
[  263.900029]  seq_read+0x43f/0x1150
[  263.900499]  kernfs_fop_read+0xc7/0x5a0
[  263.903764]  vfs_read+0x113/0x350
[  263.904231]  ksys_read+0x103/0x270
[  263.905230]  __x64_sys_read+0x77/0xc0
[  263.906284]  do_syscall_64+0x106/0x360
[  263.906797]  entry_SYSCALL_64_after_hwframe+0x44/0xa9

Reproduce this issue as follows:
1. nbd-server 8000 /tmp/disk
2. nbd-client localhost 8000 /dev/nbd1
3. cat /sys/block/nbd1/pid
Then trigger use-after-free in pid_show.

Reason is after do step '2', nbd-client progress is already exit. So
it's task_struct already freed.
To solve this issue, revert part of 6521d39a64b3's modify and remove
useless 'recv_task' member of nbd_device.

Fixes: 6521d39a64b3 ("nbd: Remove variable 'pid'")
Signed-off-by: Ye Bin <yebin10@huawei.com>
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Link: https://lore.kernel.org/r/20211020073959.2679255-1-yebin10@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-10-20 08:09:56 -06:00
..
accessibility
acpi
ACPI fix for 5.15-rc6
2021-10-16 08:45:46 -07:00
amba
android
binder: make sure fd closes complete
2021-09-14 09:02:13 +02:00
ata
ata: ahci_platform: fix null-ptr-deref in ahci_platform_enable_regulators()
2021-10-14 12:22:47 +09:00
atm
auxdisplay
base
Driver core fixes for 5.15-rc6
2021-10-17 17:17:28 -10:00
bcma
Driver core update for 5.15-rc1
2021-09-01 08:44:42 -07:00
block
nbd: Fix use-after-free in pid_show
2021-10-20 08:09:56 -06:00
bluetooth
Bluetooth: btusb: Remove WAKEUP_DISABLE and add WAKEUP_AUTOSUSPEND for Realtek devices
2021-08-19 17:08:31 +02:00
bus
Driver core fixes for 5.15-rc6
2021-10-17 17:17:28 -10:00
cdrom
cdrom/gdrom: add error handling support for add_disk()
2021-10-18 14:41:37 -06:00
char
IPMI: A couple of very minor fixes for style and rate limiting
2021-09-12 11:44:58 -07:00
clk
clk: qcom: add select QCOM_GDSC for SM6350
2021-10-13 11:44:42 -07:00
clocksource
- converted Pistachio platform to use MIPS generic kernel
2021-09-03 11:11:54 -07:00
comedi
comedi: Fix memory leak in compat_insnlist()
2021-09-21 17:53:54 +02:00
connector
counter
cpufreq
Power management fixes for 5.15-rc2
2021-09-17 12:05:04 -07:00
cpuidle
- Core Frameworks
2021-09-07 12:38:59 -07:00
crypto
crypto: ccp - fix resource leaks in ccp_run_aes_gcm_cmd()
2021-09-24 15:58:41 +08:00
cxl
cxl for v5.15
2021-09-09 11:48:27 -07:00
dax
libnvdimm for v5.15
2021-09-09 11:39:57 -07:00
dca
devfreq
devfreq: use HZ macros
2021-09-08 11:50:26 -07:00
dio
dma
dmaengine updates for v5.15-rc1
2021-09-09 11:07:47 -07:00
dma-buf
dma-buf: DMABUF_SYSFS_STATS should depend on DMA_SHARED_BUFFER
2021-09-07 12:42:21 +05:30
edac
EDAC/armada-xp: Fix output of uncorrectable error counter
2021-10-14 11:46:03 +02:00
eisa
extcon
firewire
FireWire (IEEE 1394) subsystem updates:
2021-09-11 09:47:33 -07:00
firmware
EFI fixes for v5.15
2021-10-17 17:30:49 -10:00
fpga
fpga: ice40-spi: Add SPI device ID table
2021-09-27 14:00:41 -07:00
fsi
gnss
gpio
gpio: mockup: Convert to use software nodes
2021-10-06 13:04:04 +02:00
gpu
mm: don't include <linux/blk-cgroup.h> in <linux/writeback.h>
2021-10-18 06:17:01 -06:00
greybus
hid
HID: amd_sfh: Fix potential NULL pointer dereference
2021-09-27 10:00:43 +02:00
hsi
hv
hyperv-fixes for 5.15-rc2
2021-09-15 17:18:56 -07:00
hwmon
hwmon: (w83793) Fix NULL pointer dereference by removing unnecessary structure field
2021-10-02 05:14:11 -07:00
hwspinlock
hwtracing
coresight: syscfg: Fix compiler warning
2021-09-14 09:03:16 +02:00
i2c
i2c: mlxcpld: Modify register setting for 400KHz frequency
2021-10-04 21:56:20 +02:00
i3c
idle
iio
Staging/IIO driver fixes for 5.15-rc6
2021-10-17 17:10:00 -10:00
infiniband
RDMA/hns: Add the check of the CQE size of the user space
2021-09-27 14:49:49 -03:00
input
Merge branch 'for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/dtor/input
2021-10-17 16:57:06 -10:00
interconnect
interconnect: qcom: sdm660: Add missing a2noc qos clocks
2021-09-13 15:49:55 +03:00
iommu
iommu/arm: fix ARM_SMMU_QCOM compilation
2021-10-13 21:28:44 +02:00
ipack
ipack: ipoctal: fix module reference leak
2021-09-27 17:38:49 +02:00
irqchip
irqchip/gic: Work around broken Renesas integration
2021-09-22 14:44:25 +01:00
isdn
isdn: mISDN: Fix sleeping function called from invalid context
2021-10-09 13:42:51 +01:00
leds
leds: pca955x: Switch to i2c probe_new
2021-08-20 11:00:08 +02:00
macintosh
memblock: introduce saner 'memblock_free_ptr()' interface
2021-09-14 13:23:22 -07:00
mailbox
mailbox: cmdq: add multi-gce clocks support for mt8195
2021-08-31 22:57:45 -05:00
mcb
mcb: fix error handling in mcb_alloc_bus()
2021-09-14 11:22:26 +02:00
md
md: update superblock after changing rdev flags in state_store
2021-10-18 14:50:35 -06:00
media
asm-generic: build fixes for v5.15
2021-10-08 11:57:54 -07:00
memory
memstick
Driver core update for 5.15-rc1
2021-09-01 08:44:42 -07:00
message
mfd
- Core Frameworks
2021-09-07 12:38:59 -07:00
misc
eeprom: 93xx46: fix MODULE_DEVICE_TABLE
2021-10-15 10:54:02 +02:00
mmc
block: move struct request to blk-mq.h
2021-10-18 06:17:02 -06:00
most
mtd
mm: don't include <linux/blkdev.h> in <linux/backing-dev.h>
2021-10-18 06:17:01 -06:00
mux
net
Networking fixes for 5.15-rc6.
2021-10-14 18:21:39 -04:00
nfc
nfc: st-nci: Add SPI ID matching DT compatible
2021-09-23 12:53:06 +01:00
ntb
Bug fixes and clean-ups for Linux v5.15
2021-09-07 13:05:02 -07:00
nubus
nvdimm
block: switch polling to be bio based
2021-10-18 06:17:36 -06:00
nvme
nvme: don't memset() the normal read/write command
2021-10-19 12:41:09 -06:00
nvmem
nvmem: Fix shift-out-of-bound (UBSAN) with byte size cells
2021-10-13 15:09:58 +02:00
of
fbdev: simplefb: fix Kconfig dependencies
2021-10-06 11:12:28 +02:00
opp
Merge branches 'pm-pci', 'pm-sleep', 'pm-domains' and 'powercap'
2021-08-30 19:25:42 +02:00
parisc
parisc: Move pci_dev_is_behind_card_dino to where it is used
2021-09-09 12:44:31 +02:00
parport
parisc architecture updates for kernel 5.15:
2021-09-02 13:16:00 -07:00
pci
pci-v5.15-fixes-2
2021-10-16 09:00:46 -07:00
pcmcia
perf
KVM: arm64: Fix PMU probe ordering
2021-09-20 12:43:34 +01:00
phy
Merge branch 'akpm' (patches from Andrew)
2021-09-08 12:55:35 -07:00
pinctrl
asm-generic: build fixes for v5.15
2021-10-08 11:57:54 -07:00
platform
platform/x86: int1092: Fix non sequential device mode handling
2021-10-11 16:39:25 +02:00
pnp
power
power supply and reset changes for the v5.15 series
2021-08-30 11:47:32 -07:00
powercap
powercap: Add Power Limit4 support for Alder Lake SoC
2021-08-25 20:12:16 +02:00
pps
ps3
ptp
Networking fixes for 5.15-rc5, including fixes from xfrm, bpf,
2021-10-07 09:50:31 -07:00
pwm
pwm: mtk-disp: Implement atomic API .get_state()
2021-09-02 22:27:46 +02:00
rapidio
ras
regulator
regulator: max14577: Revert "regulator: max14577: Add proper module aliases strings"
2021-09-17 13:16:38 +01:00
remoteproc
reset
ARM: SoC drivers for 5.15
2021-09-01 15:25:28 -07:00
rpmsg
rtc
rtc: cmos: Disable irq around direct invocation of cmos_interrupt()
2021-09-14 10:20:19 +02:00
s390
block: switch polling to be bio based
2021-10-18 06:17:36 -06:00
sbus
scsi
block: add a struct io_comp_batch argument to fops->iopoll()
2021-10-18 14:40:40 -06:00
sh
siox
slimbus
Driver core update for 5.15-rc1
2021-09-01 08:44:42 -07:00
soc
Driver core fixes for 5.15-rc6
2021-10-17 17:17:28 -10:00
soundwire
sound updates for 5.15-rc1
2021-09-01 10:29:29 -07:00
spi
spi-mux: Fix false-positive lockdep splats
2021-10-14 13:32:19 +01:00
spmi
ssb
staging
Staging/IIO driver fixes for 5.15-rc6
2021-10-17 17:10:00 -10:00
target
block: move struct request to blk-mq.h
2021-10-18 06:17:02 -06:00
tc
tee
tee: optee: Fix missing devices unregister during optee_remove
2021-10-12 13:24:39 +02:00
thermal
thermal/drivers/tsens: Fix wrong check for tzd in irq handlers
2021-09-21 15:17:11 +02:00
thunderbolt
thunderbolt: build kunit tests without structleak plugin
2021-10-06 17:53:49 -06:00
tty
Serial driver fix for 5.15-rc6
2021-10-17 17:06:31 -10:00
uio
usb
USB-serial fixes for 5.15-rc6
2021-10-15 15:04:02 +02:00
vdpa
vdpa/mlx5: Avoid executing set_vq_ready() if device is reset
2021-09-14 18:10:43 -04:00
vfio
vfio/pci: add missing identifier name in argument of function prototype
2021-09-23 14:12:36 -06:00
vhost
virtio,vdpa: fixes
2021-10-17 18:17:19 -10:00
video
video: fbdev: gbefb: Only instantiate device when built for IP32
2021-10-06 11:12:28 +02:00
virt
virtio
virtio: write back F_VERSION_1 before validate
2021-10-13 08:35:36 -04:00
visorbus
vlynq
vme
w1
watchdog
watchdog/sb_watchdog: fix compilation problem due to COMPILE_TEST
2021-09-27 11:57:19 -07:00
xen
xen: branch for v5.15-rc5
2021-10-08 12:55:23 -07:00
zorro
Kconfig
firmware: include drivers/firmware/Kconfig unconditionally
2021-10-07 16:51:26 +02:00
Makefile
remove the lightnvm subsystem
2021-08-14 15:54:09 -06:00