shinys000114/linux
1
0
Fork 0
mirror of https://github.com/hardkernel/linux.git synced 2026-06-11 13:27:06 +09:00
Code Issues Packages Projects Releases Wiki Activity
Files
dacfd5e4d1142bfb3809aab3634a375f6f373269
linux/kernel
History
Zhihao Cheng dacfd5e4d1 blktrace: Fix uaf in blk_trace access after removing by sysfs 
[ Upstream commit 5afedf670c ]

There is an use-after-free problem triggered by following process:

      P1(sda)				P2(sdb)
			echo 0 > /sys/block/sdb/trace/enable
			  blk_trace_remove_queue
			    synchronize_rcu
			    blk_trace_free
			      relay_close
rcu_read_lock
__blk_add_trace
  trace_note_tsk
  (Iterate running_trace_list)
			        relay_close_buf
				  relay_destroy_buf
				    kfree(buf)
    trace_note(sdb's bt)
      relay_reserve
        buf->offset <- nullptr deference (use-after-free) !!!
rcu_read_unlock

[  502.714379] BUG: kernel NULL pointer dereference, address:
0000000000000010
[  502.715260] #PF: supervisor read access in kernel mode
[  502.715903] #PF: error_code(0x0000) - not-present page
[  502.716546] PGD 103984067 P4D 103984067 PUD 17592b067 PMD 0
[  502.717252] Oops: 0000 [#1] SMP
[  502.720308] RIP: 0010:trace_note.isra.0+0x86/0x360
[  502.732872] Call Trace:
[  502.733193]  __blk_add_trace.cold+0x137/0x1a3
[  502.733734]  blk_add_trace_rq+0x7b/0xd0
[  502.734207]  blk_add_trace_rq_issue+0x54/0xa0
[  502.734755]  blk_mq_start_request+0xde/0x1b0
[  502.735287]  scsi_queue_rq+0x528/0x1140
...
[  502.742704]  sg_new_write.isra.0+0x16e/0x3e0
[  502.747501]  sg_ioctl+0x466/0x1100

Reproduce method:
  ioctl(/dev/sda, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sda, BLKTRACESTART)
  ioctl(/dev/sdb, BLKTRACESETUP, blk_user_trace_setup[buf_size=127])
  ioctl(/dev/sdb, BLKTRACESTART)

  echo 0 > /sys/block/sdb/trace/enable &
  // Add delay(mdelay/msleep) before kernel enters blk_trace_free()

  ioctl$SG_IO(/dev/sda, SG_IO, ...)
  // Enters trace_note_tsk() after blk_trace_free() returned
  // Use mdelay in rcu region rather than msleep(which may schedule out)

Remove blk_trace from running_list before calling blk_trace_free() by
sysfs if blk_trace is at Blktrace_running state.

Fixes: c71a896154 ("blktrace: add ftrace plugin")
Signed-off-by: Zhihao Cheng <chengzhihao1@huawei.com>
Link: https://lore.kernel.org/r/20210923134921.109194-1-chengzhihao1@huawei.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
Signed-off-by: Sasha Levin <sashal@kernel.org>
2021-10-06 10:23:40 +02:00
..
bpf
bpf: Check for integer overflow when using roundup_pow_of_two()
2021-02-23 13:59:16 +01:00
configs
config: android: enable CONFIG_SECCOMP
2016-10-11 15:06:32 -07:00
debug
kdb: Make memory allocations more robust
2021-03-03 17:44:31 +01:00
events
events: Reuse value read using READ_ONCE instead of re-reading it
2021-09-22 11:43:09 +02:00
gcov
gcov: add support for GCC 10.1
2020-09-23 08:46:14 +02:00
irq
genirq: Disable interrupts for force threaded handlers
2021-03-24 10:59:26 +01:00
livepatch
livepatch/module: make TAINT_LIVEPATCH module-specific
2016-08-26 14:42:08 +02:00
locking
futex: Handle early deadlock return correctly
2021-03-30 14:41:42 +02:00
power
PM: hibernate: remove the bogus call to get_gendisk() in software_resume()
2020-10-29 09:05:43 +01:00
printk
printk: fix deadlock when kernel panic
2021-03-07 11:25:56 +01:00
rcu
rcuperf: Fix cleanup path for invalid perf_type strings
2019-05-31 06:48:30 -07:00
sched
sched/fair: Fix CFS bandwidth hrtimer expiry type
2021-07-28 09:14:25 +02:00
time
kernel, fs: Introduce and use set_restart_fn() and arch_set_restart_data()
2021-03-24 10:59:25 +01:00
trace
blktrace: Fix uaf in blk_trace access after removing by sysfs
2021-10-06 10:23:40 +02:00
.gitignore
acct.c
kernel/acct.c: fix the acct->needcheck check in check_free_space()
2018-01-10 09:29:51 +01:00
async.c
kernel/async.c: revert "async: simplify lowest_in_progress()"
2018-02-17 13:21:18 +01:00
audit_fsnotify.c
audit_tree.c
audit_watch.c
audit: CONFIG_CHANGE don't log internal bookkeeping as an event
2020-10-01 20:40:07 +02:00
audit.c
audit: fix a net reference leak in audit_list_rules_send()
2021-04-07 12:05:41 +02:00
audit.h
audit: fix a net reference leak in audit_list_rules_send()
2021-04-07 12:05:41 +02:00
auditfilter.c
audit: fix a net reference leak in audit_list_rules_send()
2021-04-07 12:05:41 +02:00
auditsc.c
audit: print empty EXECVE args
2019-11-28 18:28:55 +01:00
backtracetest.c
bounds.c
kbuild: fix kernel/bounds.c 'W=1' warning
2018-11-13 11:16:57 -08:00
capability.c
ptrace: Capture the ptracer's creds not PT_PTRACE_CAP
2017-01-06 10:40:13 +01:00
cgroup_freezer.c
cgroup_pids.c
cgroup: pids: use atomic64_t for pids->limit
2019-12-21 10:42:02 +01:00
cgroup.c
cgroup1: don't allow '\n' in renaming
2021-06-16 11:36:34 +02:00
compat.c
configs.c
context_tracking.c
cpu_pm.c
kernel/cpu_pm: Fix uninitted local in cpu_pm
2020-06-20 10:24:21 +02:00
cpu.c
kernel/cpu: add arch override for clear_tasks_mm_cpumask() mm handling
2020-12-29 13:44:50 +01:00
cpuset.c
sched/cpuset/pm: Fix cpuset vs. suspend-resume bugs
2017-10-12 11:51:25 +02:00
crash_dump.c
cred.c
memcg: account security cred as well to kmemcg
2020-01-12 11:24:13 +01:00
delayacct.c
dma.c
exec_domain.c
exit.c
futex: Mark the begin of futex exit explicitly
2021-02-03 23:19:49 +01:00
extable.c
kernel/extable.c: mark core_kernel_text notrace
2017-07-21 07:42:21 +02:00
fork.c
mm/hugetlb: initialize hugetlb_usage in mm_init
2021-09-22 11:43:08 +02:00
freezer.c
freezer, oom: check TIF_MEMDIE on the correct task
2016-07-28 16:07:41 -07:00
futex.c
mm, futex: fix shared futex pgoff on shmem huge page
2021-07-11 12:46:40 +02:00
groups.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
hung_task.c
kernel: hung_task.c: disable on suspend
2019-04-20 09:07:52 +02:00
irq_work.c
jump_label.c
jump_label: Invoke jump_label_test() via early_initcall()
2017-12-14 09:28:24 +01:00
kallsyms.c
kcmp.c
Kconfig.freezer
Kconfig.hz
Kconfig.locks
Kconfig.preempt
kcov.c
kcov: ensure irq code sees a valid area
2018-08-03 07:55:12 +02:00
kexec_core.c
objtool, x86: Add several functions and files to the objtool whitelist
2018-06-05 10:28:57 +02:00
kexec_file.c
kernel: kexec_file: fix error return code of kexec_calculate_store_digests()
2021-05-22 10:40:31 +02:00
kexec_internal.h
kexec.c
kexec: allow architectures to override boot mapping
2016-08-02 19:35:27 -04:00
kmod.c
usermodehelper: reset umask to default before executing user process
2020-10-14 09:48:14 +02:00
kprobes.c
kretprobe: Avoid re-registration of the same kretprobe earlier
2021-02-10 09:09:25 +01:00
ksysfs.c
kexec: add a kexec_crash_loaded() function
2016-08-02 19:35:30 -04:00
kthread.c
kthread: prevent deadlock when kthread_mod_delayed_work() races with kthread_cancel_delayed_work_sync()
2021-07-11 12:46:41 +02:00
latencytop.c
Makefile
elfcore: fix building with clang
2021-02-10 09:09:25 +01:00
membarrier.c
Fix: Disable sys_membarrier when nohz_full is enabled
2017-03-12 06:41:45 +01:00
memremap.c
mm, devm_memremap_pages: kill mapping "System RAM" support
2019-01-13 10:03:51 +01:00
module_signing.c
module-internal.h
module.c
module: Ignore _GLOBAL_OFFSET_TABLE_ when warning for undefined symbols
2021-03-03 17:44:44 +01:00
notifier.c
x86/mm: split vmalloc_sync_all()
2020-04-02 17:20:26 +02:00
nsproxy.c
padata.c
padata: purge get_cpu and reorder_via_wq from padata_do_serial
2020-05-27 16:41:53 +02:00
panic.c
panic: ensure preemption is disabled during panic()
2019-10-17 13:42:25 -07:00
params.c
pid_namespace.c
memcg: enable accounting for pids in nested pid namespaces
2021-09-22 11:43:08 +02:00
pid.c
pidns: disable pid allocation if pid_ns_prepare_proc() is failed in alloc_pid()
2018-04-13 19:47:53 +02:00
profile.c
profiling: fix shift-out-of-bounds bugs
2021-09-26 13:36:18 +02:00
ptrace.c
ptrace: make ptrace() fail if the tracee changed its pid unexpectedly
2021-05-26 11:29:06 +02:00
range.c
reboot.c
reboot: fix overflow parsing reboot cpu number
2020-11-18 18:26:32 +01:00
relay.c
kernel/relay.c: fix memleak on destroy relay channel
2020-08-26 10:29:03 +02:00
resource.c
resource: fix integer overflow at reallocation
2018-04-24 09:34:09 +02:00
seccomp.c
seccomp: Add missing return in non-void function
2021-03-03 17:44:43 +01:00
signal.c
signal: Extend exec_id to 64bits
2020-04-24 07:58:54 +02:00
smp.c
cpu/hotplug: Fix SMT supported evaluation
2018-08-15 18:14:53 +02:00
smpboot.c
kthread/smpboot: do not park in kthread_create_on_cpu()
2016-10-11 15:06:33 -07:00
smpboot.h
softirq.c
Mark HI and TASKLET softirq synchronous
2018-08-15 18:14:42 +02:00
stacktrace.c
stacktrace, lockdep: Fix address, newline ugliness
2017-02-14 15:25:42 -08:00
stop_machine.c
stop_machine: Use raw spinlocks
2018-08-03 07:55:24 +02:00
sys_ni.c
x86/pkeys: Fix pkeys build breakage for some non-x86 arches
2016-09-13 14:41:36 +02:00
sys.c
prctl: allow to setup brk for et_dyn executables
2021-09-26 13:36:18 +02:00
sysctl_binary.c
sysctl.c
sched/rt: Show the 'sched_rr_timeslice' SCHED_RR timeslice tuning knob in milliseconds
2020-07-09 09:35:55 +02:00
task_work.c
task_work: use READ_ONCE/lockless_dereference, avoid pi_lock if !task_works
2016-08-02 19:35:02 -04:00
taskstats.c
taskstats: fix data-race
2020-01-12 11:24:12 +01:00
test_kprobes.c
torture.c
torture: Convert torture_shutdown() to hrtimer
2016-08-22 10:01:49 -07:00
tracepoint.c
tracepoint: Do not fail unregistering a probe due to memory failure
2021-03-03 17:44:38 +01:00
tsacct.c
ucount.c
kernel/ucount.c: mark user_header with kmemleak_ignore()
2017-06-17 06:41:51 +02:00
uid16.c
kernel: make groups_sort calling a responsibility group_info allocators
2018-01-10 09:29:52 +01:00
up.c
smp: Add function to execute a function synchronously on a CPU
2016-09-05 13:52:39 +02:00
user_namespace.c
userns: move user access out of the mutex
2018-09-09 20:01:24 +02:00
user-return-notifier.c
user.c
utsname_sysctl.c
sys: don't hold uts_sem while accessing userspace memory
2018-09-09 20:01:24 +02:00
utsname.c
Merge branch 'nsfs-ioctls' into HEAD
2016-09-22 20:00:36 -05:00
watchdog_hld.c
kernel/watchdog: prevent false hardlockup on overloaded system
2017-06-17 06:41:57 +02:00
watchdog.c
kernel/watchdog: prevent false hardlockup on overloaded system
2017-06-17 06:41:57 +02:00
workqueue_internal.h
workqueue: Fix NULL pointer dereference
2017-11-15 15:53:17 +01:00
workqueue.c
workqueue: fix UAF in pwq_unbound_release_workfn()
2021-08-04 11:58:01 +02:00