linux/drivers/md
Luo Meng 88430ebcbc dm thin: Fix UAF in run_timer_softirq()
When dm_resume() and dm_destroy() run concurrently, it will
lead to a UAF, as follows:

 BUG: KASAN: use-after-free in __run_timers+0x173/0x710
 Write of size 8 at addr ffff88816d9490f0 by task swapper/0/0
<snip>
 Call Trace:
  <IRQ>
  dump_stack_lvl+0x73/0x9f
  print_report.cold+0x132/0xaa2
  _raw_spin_lock_irqsave+0xcd/0x160
  __run_timers+0x173/0x710
  kasan_report+0xad/0x110
  __run_timers+0x173/0x710
  __asan_store8+0x9c/0x140
  __run_timers+0x173/0x710
  call_timer_fn+0x310/0x310
  pvclock_clocksource_read+0xfa/0x250
  kvm_clock_read+0x2c/0x70
  kvm_clock_get_cycles+0xd/0x20
  ktime_get+0x5c/0x110
  lapic_next_event+0x38/0x50
  clockevents_program_event+0xf1/0x1e0
  run_timer_softirq+0x49/0x90
  __do_softirq+0x16e/0x62c
  __irq_exit_rcu+0x1fa/0x270
  irq_exit_rcu+0x12/0x20
  sysvec_apic_timer_interrupt+0x8e/0xc0

One of the concurrent UAF scenarios is shown below:

        use                                  free
do_resume                           |
  __find_device_hash_cell           |
    dm_get                          |
      atomic_inc(&md->holders)      |
                                    | dm_destroy
                                    |   __dm_destroy
                                    |     if (!dm_suspended_md(md))
                                    |     atomic_read(&md->holders)
                                    |     msleep(1)
  dm_resume                         |
    __dm_resume                     |
      dm_table_resume_targets       |
        pool_resume                 |
          do_waker  #add delay work |
  dm_put                            |
    atomic_dec(&md->holders)        |
                                    |     dm_table_destroy
                                    |       pool_dtr
                                    |         __pool_dec
                                    |           __pool_destroy
                                    |             destroy_workqueue
                                    |             kfree(pool) # free pool
        time out
__do_softirq
  run_timer_softirq # pool has already been freed

This can be easily reproduced using:
  1. create thin-pool
  2. dmsetup suspend pool
  3. dmsetup resume pool
  4. dmsetup remove_all # Concurrent with 3

The root cause of this UAF bug is that dm_resume() adds the timer after
dm_destroy() skips cancelling the timer because of the suspend status.
After the timeout, run_timer_softirq() is called; however, the pool has
already been freed, so the concurrent UAF bug happens.

Therefore, cancel the timer again in __pool_destroy().

Cc: stable@vger.kernel.org
Fixes: 991d9fa02d ("dm: add thin provisioning target")
Signed-off-by: Luo Meng <luomeng12@huawei.com>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
2022-11-30 13:29:34 -05:00
bcache treewide: use prandom_u32_max() when possible, part 1 2022-10-11 17:42:55 -06:00
persistent-data dm bufio: Add flags argument to dm_bufio_client_create 2022-07-28 17:46:14 -04:00
dm-audit.c dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-audit.h dm: introduce audit event module for device mapper 2021-10-27 16:53:47 -04:00
dm-bio-prison-v1.c
dm-bio-prison-v1.h
dm-bio-prison-v2.c
dm-bio-prison-v2.h
dm-bio-record.h block: move integrity handling out of <linux/blkdev.h> 2021-10-18 06:17:02 -06:00
dm-bufio.c dm bufio: Fix missing decrement of no_sleep_enabled if dm_bufio_client_create failed 2022-11-18 10:23:55 -05:00
dm-builtin.c
dm-cache-background-tracker.c
dm-cache-background-tracker.h
dm-cache-block-types.h
dm-cache-metadata.c dm cache metadata: remove unnecessary variable in __dump_mapping 2022-05-09 15:40:10 -04:00
dm-cache-metadata.h dm cache: fix typo in 2 comment blocks 2022-07-07 11:49:37 -04:00
dm-cache-policy-internal.h
dm-cache-policy-smq.c dm cache policy smq: make static read-only array table const 2022-02-22 10:35:53 -05:00
dm-cache-policy.c
dm-cache-policy.h dm cache: delete the redundant word 'each' in comment 2022-10-18 17:17:47 -04:00
dm-cache-target.c dm cache: fix typo in 2 comment blocks 2022-07-07 11:49:37 -04:00
dm-clone-metadata.c dm clone metadata: remove unused function 2021-04-19 13:20:31 -04:00
dm-clone-metadata.h
dm-clone-target.c dm clone: Fix typo in block_device format specifier 2022-10-18 17:17:48 -04:00
dm-core.h dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
dm-crypt.c dm-crypt: provide dma_alignment limit in io_hints 2022-11-16 15:58:11 -07:00
dm-delay.c dm: simplify basic targets 2022-05-05 17:31:35 -04:00
dm-dust.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-ebs-target.c - Add flags argument to dm_bufio_client_create and introduce 2022-08-06 11:09:55 -07:00
dm-era-target.c dm era: commit metadata in postsuspend after worker stops 2022-06-21 13:35:01 -04:00
dm-exception-store.c
dm-exception-store.h dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-flakey.c dm/dm-flakey: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
dm-ima.c dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
dm-ima.h dm ima: add version info to dm related events in ima log 2021-08-20 15:59:47 -04:00
dm-init.c
dm-integrity.c block-6.1-2022-11-18 2022-11-18 13:59:45 -08:00
dm-io-rewind.c dm: add two stage requeue mechanism 2022-07-07 11:49:32 -04:00
dm-io-tracker.h dm writecache: make writeback pause configurable 2021-06-28 16:30:13 -04:00
dm-io.c dm/core: Combine request operation type and flags 2022-07-14 12:14:31 -06:00
dm-ioctl.c dm ioctl: fix misbehavior if list_versions races with module loading 2022-11-18 10:23:55 -05:00
dm-kcopyd.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-linear.c libnvdimm for 5.19 2022-05-27 15:49:30 -07:00
dm-log-userspace-base.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-log-userspace-transfer.c
dm-log-userspace-transfer.h
dm-log-writes.c dm-log-writes: set dma_alignment limit in io_hints 2022-11-16 15:58:11 -07:00
dm-log.c dm mirror log: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
dm-mpath.c dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-mpath.h
dm-path-selector.c
dm-path-selector.h dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-ps-historical-service-time.c dm mpath: provide high-resolution timer to HST for bio-based 2022-05-09 15:39:23 -04:00
dm-ps-io-affinity.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-queue-length.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-round-robin.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-ps-service-time.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-raid.c dm raid: fix typo in analyse_superblocks code comment 2022-10-18 17:17:47 -04:00
dm-raid1.c dm/core: Reduce the size of struct dm_io_request 2022-07-14 12:14:31 -06:00
dm-region-hash.c
dm-rq.c dm: change from DMWARN to DMERR or DMCRIT for fatal errors 2022-10-18 17:16:00 -04:00
dm-rq.h
dm-snap-persistent.c - Add flags argument to dm_bufio_client_create and introduce 2022-08-06 11:09:55 -07:00
dm-snap-transient.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-snap.c dm snapshot: fix typo in snapshot_map() comment 2022-07-07 11:49:39 -04:00
dm-stats.c dm: change from DMWARN to DMERR or DMCRIT for fatal errors 2022-10-18 17:16:00 -04:00
dm-stats.h dm stats: fix too short end duration_ns when using precise_timestamps 2022-02-21 15:35:39 -05:00
dm-stripe.c dax: add .recovery_write dax_operation 2022-05-16 13:37:59 -07:00
dm-switch.c dm: use bdev_nr_sectors and bdev_nr_bytes instead of open coding them 2021-10-18 14:43:22 -06:00
dm-sysfs.c dm sysfs: use default_groups in kobj_type 2022-01-06 09:48:55 -05:00
dm-table.c dm: change from DMWARN to DMERR or DMCRIT for fatal errors 2022-10-18 17:16:00 -04:00
dm-target.c dax: introduce DAX_RECOVERY_WRITE dax access mode 2022-05-16 13:35:56 -07:00
dm-thin-metadata.c dm thin: fix use-after-free crash in dm_sm_register_threshold_callback 2022-07-15 18:09:14 -04:00
dm-thin-metadata.h dm thin metadata: remove unused dm_thin_remove_block and __remove 2022-02-22 13:55:50 -05:00
dm-thin.c dm thin: Fix UAF in run_timer_softirq() 2022-11-30 13:29:34 -05:00
dm-uevent.c
dm-uevent.h
dm-unstripe.c dm: update target status functions to support IMA measurement 2021-08-10 13:34:23 -04:00
dm-verity-fec.c dm bufio: Add flags argument to dm_bufio_client_create 2022-07-28 17:46:14 -04:00
dm-verity-fec.h dm verity fec: fix misaligned RS roots IO 2021-04-14 14:28:29 -04:00
dm-verity-loadpin.c dm: verity-loadpin: Only trust verity targets with enforcement 2022-09-07 16:37:27 -07:00
dm-verity-target.c dm verity: enable WQ_HIGHPRI on verify_wq 2022-10-18 17:17:47 -04:00
dm-verity-verify-sig.c dm verity: fix require_signatures module_param permissions 2021-05-25 16:14:05 -04:00
dm-verity-verify-sig.h
dm-verity.h dm: verity-loadpin: Only trust verity targets with enforcement 2022-09-07 16:37:27 -07:00
dm-writecache.c - A few fixes for the DM verity and bufio changes from the 6.0 merge. 2022-08-11 19:46:48 -07:00
dm-zero.c
dm-zone.c - Refactor DM core's mempool allocation so that it clearer by not 2022-08-02 14:21:25 -07:00
dm-zoned-metadata.c - The usual batches of cleanups from Baoquan He, Muchun Song, Miaohe 2022-08-05 16:32:45 -07:00
dm-zoned-reclaim.c dm kcopyd: avoid useless atomic operations 2021-06-04 12:07:24 -04:00
dm-zoned-target.c dm-zoned: cleanup dmz_fixup_devices 2022-07-06 06:46:26 -06:00
dm-zoned.h dm/dm-zoned: Use the enum req_op type 2022-07-14 12:14:31 -06:00
dm.c dm: remove unnecessary assignment statement in alloc_dev() 2022-10-18 17:17:48 -04:00
dm.h dm table: audit all dm_table_get_target() callers 2022-07-07 11:49:34 -04:00
Kconfig blk-mq: make the blk-mq stacking code optional 2022-02-16 19:39:09 -07:00
Makefile hardening updates for v5.20-rc1 2022-08-02 14:38:59 -07:00
md-autodetect.c md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
md-bitmap.c fs/buffer: Combine two submit_bh() and ll_rw_block() arguments 2022-07-14 12:14:32 -06:00
md-bitmap.h
md-cluster.c fs: dlm: remove DLM_LSFL_FS from uapi 2022-08-23 14:54:54 -05:00
md-cluster.h
md-faulty.c block: pass a block_device to bio_clone_fast 2022-02-04 07:43:18 -07:00
md-linear.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-linear.h
md-multipath.c md: remove most calls to bdevname 2022-05-22 23:07:21 -07:00
md-multipath.h
md.c for-6.1/block-2022-10-03 2022-10-07 09:19:14 -07:00
md.h md: return the allocated devices from md_alloc 2022-08-02 17:22:46 -06:00
raid0.c md: Replace snprintf with scnprintf 2022-09-22 00:05:03 -07:00
raid0.h
raid1-10.c md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid1.c md/raid1: Use the new blk_opf_t type 2022-07-14 12:14:31 -06:00
raid1.h md: raid1/raid10: drop pending_cnt 2022-03-08 15:16:54 -08:00
raid5-cache.c treewide: use get_random_u32() when possible 2022-10-11 17:42:58 -06:00
raid5-log.h md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5-ppl.c md/raid5-ppl: Drop unused argument from ppl_handle_flush_request() 2022-08-02 17:14:31 -06:00
raid5.c md/raid5: Wait for MD_SB_CHANGE_PENDING in raid5d 2022-09-22 00:05:06 -07:00
raid5.h md/raid5: Cleanup prototype of raid5_get_active_stripe() 2022-09-22 00:05:04 -07:00
raid10.c for-6.1/block-2022-10-03 2022-10-07 09:19:14 -07:00
raid10.h md/raid10: convert resync_lock to use seqlock 2022-09-22 00:05:05 -07:00