kernel_optimize_test/drivers/block
Stefan Hajnoczi 90b5feb8c4 virtio-blk: handle block_device_operations callbacks after hot unplug
A userspace process holding a file descriptor to a virtio_blk device can
still invoke block_device_operations after hot unplug.  This leads to a
use-after-free accessing vblk->vdev in virtblk_getgeo() when
ioctl(HDIO_GETGEO) is invoked:

  BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
  IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio]
  PGD 800000003a92f067 PUD 3a930067 PMD 0
  Oops: 0000 [#1] SMP
  CPU: 0 PID: 1310 Comm: hdio-getgeo Tainted: G           OE  ------------   3.10.0-1062.el7.x86_64 #1
  Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014
  task: ffff9be5fbfb8000 ti: ffff9be5fa890000 task.ti: ffff9be5fa890000
  RIP: 0010:[<ffffffffc00e5450>]  [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio]
  RSP: 0018:ffff9be5fa893dc8  EFLAGS: 00010246
  RAX: ffff9be5fc3f3400 RBX: ffff9be5fa893e30 RCX: 0000000000000000
  RDX: 0000000000000000 RSI: 0000000000000004 RDI: ffff9be5fbc10b40
  RBP: ffff9be5fa893dc8 R08: 0000000000000301 R09: 0000000000000301
  R10: 0000000000000000 R11: 0000000000000000 R12: ffff9be5fdc24680
  R13: ffff9be5fbc10b40 R14: ffff9be5fbc10480 R15: 0000000000000000
  FS:  00007f1bfb968740(0000) GS:ffff9be5ffc00000(0000) knlGS:0000000000000000
  CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
  CR2: 0000000000000090 CR3: 000000003a894000 CR4: 0000000000360ff0
  DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
  DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
  Call Trace:
   [<ffffffffc016ac37>] virtblk_getgeo+0x47/0x110 [virtio_blk]
   [<ffffffff8d3f200d>] ? handle_mm_fault+0x39d/0x9b0
   [<ffffffff8d561265>] blkdev_ioctl+0x1f5/0xa20
   [<ffffffff8d488771>] block_ioctl+0x41/0x50
   [<ffffffff8d45d9e0>] do_vfs_ioctl+0x3a0/0x5a0
   [<ffffffff8d45dc81>] SyS_ioctl+0xa1/0xc0

A related problem is that virtblk_remove() leaks the vd_index_ida index
when something still holds a reference to vblk->disk during hot unplug.
This causes virtio-blk device names to be lost (vda, vdb, etc).

Fix these issues by protecting vblk->vdev with a mutex and reference
counting vblk so the vd_index_ida index can be removed in all cases.

Fixes: 48e4043d45 ("virtio: add virtio disk geometry feature")
Reported-by: Lance Digby <ldigby@redhat.com>
Signed-off-by: Stefan Hajnoczi <stefanha@redhat.com>
Link: https://lore.kernel.org/r/20200430140442.171016-1-stefanha@redhat.com
Signed-off-by: Michael S. Tsirkin <mst@redhat.com>
Reviewed-by: Stefano Garzarella <sgarzare@redhat.com>
2020-05-02 10:28:13 -04:00
..
aoe block: aoe: Use scnprintf() for avoiding potential buffer overflow 2020-03-12 07:39:04 -06:00
drbd for-5.7/drivers-2020-03-29 2020-03-30 11:43:51 -07:00
mtip32xx block: mtip32xx: Spelling s/configration/configuration/ 2019-10-25 14:31:07 -06:00
paride scsi: compat_ioctl: cdrom: Replace .ioctl with .compat_ioctl in four appropriate places 2020-02-24 15:06:07 -05:00
rsxx for-5.7/drivers-2020-03-29 2020-03-30 11:43:51 -07:00
xen-blkback xen/blkback: Consistently insert one empty line between functions 2020-01-29 07:35:49 -06:00
zram block: simplify queue allocation 2020-03-27 10:23:43 -06:00
amiflop.c
ataflop.c ataflop: Remove unneeded semicolon 2019-11-28 10:40:47 -07:00
brd.c block: simplify queue allocation 2020-03-27 10:23:43 -06:00
cryptoloop.c
floppy.c floppy: rename the global "fdc" variable to "current_fdc" 2020-03-16 08:26:58 -06:00
Kconfig virtio-blk: remove VIRTIO_BLK_F_SCSI support 2020-02-06 03:40:26 -05:00
loop.c loop: Better discard support for block devices 2020-04-03 13:44:22 -06:00
loop.h
Makefile null_blk: add tracepoint helpers for zoned mode 2020-03-27 13:39:10 -06:00
nbd.c nbd: requeue command if the soecket is changed 2020-03-12 08:01:24 -06:00
null_blk_main.c null_blk: Cleanup zoned device initialization 2020-04-23 09:35:09 -06:00
null_blk_trace.c null_blk: add tracepoint helpers for zoned mode 2020-03-27 13:39:10 -06:00
null_blk_trace.h null_blk: add tracepoint helpers for zoned mode 2020-03-27 13:39:10 -06:00
null_blk_zoned.c null_blk: Cleanup zoned device initialization 2020-04-23 09:35:09 -06:00
null_blk.h null_blk: Cleanup zoned device initialization 2020-04-23 09:35:09 -06:00
pktcdvd.c block: simplify queue allocation 2020-03-27 10:23:43 -06:00
ps3disk.c
ps3vram.c block: simplify queue allocation 2020-03-27 10:23:43 -06:00
rbd_types.h
rbd.c rbd: don't mess with a page vector in rbd_notify_op_lock() 2020-04-13 08:55:49 +02:00
skd_main.c
skd_s1120.h
sunvdc.c compat_ioctl: block: handle cdrom compat ioctl in non-cdrom drivers 2020-01-03 09:33:15 +01:00
swim_asm.S
swim.c
swim3.c
sx8.c
umem.c block: simplify queue allocation 2020-03-27 10:23:43 -06:00
umem.h
virtio_blk.c virtio-blk: handle block_device_operations callbacks after hot unplug 2020-05-02 10:28:13 -04:00
xen-blkfront.c xen: branch for v5.7-rc1b 2020-04-10 17:20:06 -07:00
xsysace.c
z2ram.c