Message ID | 20230523-ubiblock-remove-v1-1-240bed75849b@axis.com |
---|---|
State | New |
Delegated to: | Richard Weinberger |
Series | ubi: block: fix use-after-free and deadlock |
On Tue, May 23, 2023 at 03:12:16PM +0200, Vincent Whitchurch wrote: > static void ubiblock_cleanup(struct ubiblock *dev) > { > + int first_minor = dev->gd->first_minor; > + > /* Stop new requests to arrive */ > del_gendisk(dev->gd); > /* Finally destroy the blk queue */ > dev_info(disk_to_dev(dev->gd), "released"); > put_disk(dev->gd); > blk_mq_free_tag_set(&dev->tag_set); > - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor); > + idr_remove(&ubiblock_minor_idr, first_minor); I think the real fix here is to implement the free_disk method and free the idr there. That ensures the ID can't be reused until the disk is entirely freed as well.
diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 3711d7f74600..70caec4606cd 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -448,13 +448,15 @@ int ubiblock_create(struct ubi_volume_info *vi) static void ubiblock_cleanup(struct ubiblock *dev) { + int first_minor = dev->gd->first_minor; + /* Stop new requests to arrive */ del_gendisk(dev->gd); /* Finally destroy the blk queue */ dev_info(disk_to_dev(dev->gd), "released"); put_disk(dev->gd); blk_mq_free_tag_set(&dev->tag_set); - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor); + idr_remove(&ubiblock_minor_idr, first_minor); } int ubiblock_remove(struct ubi_volume_info *vi)
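Review bot: caching first_minor before put_disk() does stop ubiblock_cleanup() from reading freed gendisk memory at the idr_remove() line, but the minor is still handed back to ubiblock_minor_idr immediately after put_disk(), while the KASAN trace in the description shows the disk's backing inode being freed only later, from an RCU callback (bdev_free_inode via i_callback/rcu_core). A ubiblock_create() that runs in that window can be allocated the same minor while the old gendisk is still being torn down, so this hunk removes the bad read but leaves the lifetime mismatch in place. Consider releasing the ID from a free_disk callback instead, as the reply on this thread suggests, so the minor is freed only once the gendisk is actually gone; the `int first_minor = dev->gd->first_minor;` local is then not needed.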
Do not touch the gendisk after put_disk() to fix this use-after-free:

==================================================
BUG: KASAN: slab-use-after-free in ubiblock_remove
Read of size 4 by task ubiblock/361

Call Trace:
ubiblock_remove (drivers/mtd/ubi/block.c:459 drivers/mtd/ubi/block.c:483)
vol_cdev_ioctl
...

Allocated by task 358:
__alloc_disk_node (block/genhd.c:1377)
__blk_mq_alloc_disk (block/blk-mq.c:4093)
ubiblock_create (drivers/mtd/ubi/block.c:397)
vol_cdev_ioctl
...

Freed by task 0:
bdev_free_inode (block/bdev.c:337)
i_callback
rcu_core
__do_softirq
...

Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com>
---
drivers/mtd/ubi/block.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
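To show why releasing the minor right after put_disk() is a lifetime problem even once the freed read is gone, here is an added model in plain C; it is not kernel code and is not from the patch or the thread. It assumes a refcounted disk plus a tiny ID table standing in for the gendisk and ubiblock_minor_idr, a flag standing in for implementing the free_disk hook, and a second holder (like the bdev freed later from RCU in the trace) that keeps a reference across cleanup.

```c
/* Constructed model, not kernel code: a refcounted "disk" whose minor lives in
 * a tiny ID table, torn down while a second holder still owns a reference. */
#include <stdlib.h>
#include <stdbool.h>

#define NMINORS 4
static bool minor_used[NMINORS];    /* stands in for ubiblock_minor_idr */
static bool release_from_free_disk; /* models having a free_disk hook that frees the ID */

struct disk { int refcnt, first_minor; };
static int minor_alloc(void) {
    for (int i = 0; i < NMINORS; i++)
        if (!minor_used[i]) { minor_used[i] = true; return i; }
    return -1;
}
static void minor_remove(int m) { minor_used[m] = false; }
static struct disk *disk_create(void) {
    struct disk *d = calloc(1, sizeof(*d));
    d->refcnt = 1;
    d->first_minor = minor_alloc();
    return d;
}
static void disk_get(struct disk *d) { d->refcnt++; }
static void disk_put(struct disk *d) {
    if (--d->refcnt) return;        /* another holder still references it */
    if (release_from_free_disk) minor_remove(d->first_minor); /* the hook */
    free(d);
}

/* As in the patch: cache the minor, drop our ref, release the ID at once. */
static void cleanup_cached_minor(struct disk *d) {
    int first_minor = d->first_minor;
    disk_put(d);
    minor_remove(first_minor);
}

/* True if a disk created while the holder still references the old one is
 * handed the old disk's minor. */
static bool minor_reused_while_old_disk_alive(bool via_free_disk) {
    release_from_free_disk = via_free_disk;
    for (int i = 0; i < NMINORS; i++) minor_used[i] = false;
    struct disk *old = disk_create();
    int old_minor = old->first_minor;
    disk_get(old);                  /* the extra holder's reference */
    if (via_free_disk) disk_put(old); else cleanup_cached_minor(old);
    struct disk *fresh = disk_create();
    bool reused = fresh->first_minor == old_minor;
    disk_put(old);                  /* holder finally lets go */
    disk_put(fresh);
    return reused;
}
```

With the cached-minor teardown the new disk is handed the old minor while the old disk is still alive; with the ID released from the hook it is not.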