alistair23-linux/drivers/block
Ming Lei 153fcd5f6d block: brd: associate with queue until adding disk
brd_free() may be called in the failure path on a brd instance whose
disk isn't added yet, so the release handler of gendisk may free the
associated request_queue early and cause the following use-after-free [1].

This patch fixes this issue by associating gendisk with request_queue
just before adding disk.

[1] KASAN: use-after-free Read in del_timer_sync
Non-volatile memory driver v1.3
Linux agpgart interface v0.103
[drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0
usbcore: registered new interface driver udl
==================================================================
BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20
kernel/locking/lockdep.c:3218
Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1

CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
  __dump_stack lib/dump_stack.c:77 [inline]
  dump_stack+0x244/0x39d lib/dump_stack.c:113
  print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256
  kasan_report_error mm/kasan/report.c:354 [inline]
  kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412
  __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433
  __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218
  lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844
  del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283
  blk_cleanup_queue+0x413/0x710 block/blk-core.c:809
  brd_free+0x5d/0x71 drivers/block/brd.c:422
  brd_init+0x2eb/0x393 drivers/block/brd.c:518
  do_one_initcall+0x145/0x957 init/main.c:890
  do_initcall_level init/main.c:958 [inline]
  do_initcalls init/main.c:966 [inline]
  do_basic_setup init/main.c:984 [inline]
  kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148
  kernel_init+0x11/0x1ae init/main.c:1068
  ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350

Reported-by: syzbot+3701447012fe951dabb2@syzkaller.appspotmail.com
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2018-11-01 19:59:51 -06:00
aoe aoe: convert aoeblk to blk-mq 2018-10-14 12:47:52 -06:00
drbd drivers/block: remove redundant 'default n' from Kconfig-s 2018-10-10 14:11:08 -06:00
mtip32xx mtip32xx: clean an indentation issue, remove extraneous tabs 2018-10-30 14:31:36 -06:00
paride paride: convert pf to blk-mq 2018-10-15 20:08:15 -06:00
rsxx pci-v4.20-changes 2018-10-25 06:50:48 -07:00
xen-blkback xen/blkback: remove unused pers_gnts_lock from struct xen_blkif_ring 2018-08-27 12:12:04 -04:00
zram drivers/block: remove redundant 'default n' from Kconfig-s 2018-10-10 14:11:08 -06:00
amiflop.c amiflop: convert to blk-mq 2018-10-16 09:49:52 -06:00
ataflop.c ataflop: convert to blk-mq 2018-10-16 09:50:09 -06:00
brd.c block: brd: associate with queue until adding disk 2018-11-01 19:59:51 -06:00
cryptoloop.c
floppy.c floppy: convert to blk-mq 2018-10-16 09:50:14 -06:00
Kconfig drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
loop.c blkcg: remove bio->bi_css and instead use bio->bi_blkg 2018-09-21 20:29:13 -06:00
loop.h
Makefile drivers/block: Remove DAC960 driver 2018-10-17 09:42:30 -06:00
nbd.c nbd: don't allow invalid blocksize settings 2018-09-04 11:54:58 -06:00
null_blk.h block: add a report_zones method 2018-10-25 11:17:40 -06:00
null_blk_main.c block: Introduce blk_revalidate_disk_zones() 2018-10-25 11:17:40 -06:00
null_blk_zoned.c block: add a report_zones method 2018-10-25 11:17:40 -06:00
pktcdvd.c pktcdvd: fix fall-through annotation 2018-10-02 08:36:58 -06:00
ps3disk.c ps3disk: convert to blk-mq 2018-10-15 20:07:56 -06:00
ps3vram.c block: genhd: add 'groups' argument to device_add_disk 2018-09-28 08:30:28 -06:00
rbd.c rbd: support cloning across namespaces 2018-09-06 16:18:04 +02:00
rbd_types.h
skd_main.c skd: fix unchecked return values 2018-10-25 11:17:39 -06:00
skd_s1120.h
sunvdc.c for-4.20/block-20181021 2018-10-22 17:46:08 +01:00
swim.c swim: convert to blk-mq 2018-10-16 09:49:18 -06:00
swim3.c swim3: convert to blk-mq 2018-10-16 09:49:36 -06:00
swim_asm.S
sx8.c sx8: switch to the generic DMA API 2018-10-18 15:14:45 -06:00
umem.c umem: switch to the generic DMA API 2018-10-18 15:14:47 -06:00
umem.h
virtio_blk.c virtio-blk: modernize sysfs attribute creation 2018-09-28 08:30:33 -06:00
xen-blkfront.c xen/blkfront: avoid NULL blkfront_info dereference on device removal 2018-10-25 11:17:39 -06:00
xsysace.c xsysace: convert to blk-mq 2018-10-15 20:08:24 -06:00
z2ram.c z2ram: convert to blk-mq 2018-10-16 09:50:43 -06:00