)]}'
{
  "commit": "49289b1fa5a67011c4010e4e9c801b9d565ce395",
  "tree": "20408b31827abed7639793a34493821e40a88f64",
  "parents": [
    "2788511b09b7c1208836d5f6752e6ae0acc5b7b6"
  ],
  "author": {
    "name": "Jason Yan",
    "email": "yanaijie@huawei.com",
    "time": "Tue Jun 16 20:16:55 2020 +0800"
  },
  "committer": {
    "name": "Greg Kroah-Hartman",
    "email": "gregkh@linuxfoundation.org",
    "time": "Thu Jun 25 15:33:06 2020 +0200"
  },
  "message": "block: Fix use-after-free in blkdev_get()\n\n[ Upstream commit 2d3a8e2deddea6c89961c422ec0c5b851e648c14 ]\n\nIn blkdev_get() we call __blkdev_get() to do some internal jobs and if\nthere are some errors in __blkdev_get(), the bdput() is called which\nmeans we have released the refcount of the bdev (actually the refcount of\nthe bdev inode). This means we cannot access bdev after that point. But\nactually bdev is still accessed in blkdev_get() after calling\n__blkdev_get(). This results in use-after-free if the refcount is the\nlast one we released in __blkdev_get(). Let\u0027s take a look at the\nfollowing scenario:\n\n  CPU0            CPU1                    CPU2\nblkdev_open     blkdev_open           Remove disk\n                  bd_acquire\n\t\t  blkdev_get\n\t\t    __blkdev_get      del_gendisk\n\t\t\t\t\tbdev_unhash_inode\n  bd_acquire          bdev_get_gendisk\n    bd_forget           failed because of unhashed\n\t  bdput\n\t              bdput (the last one)\n\t\t        bdev_evict_inode\n\n\t  \t    access bdev \u003d\u003e use after free\n\n[  459.350216] BUG: KASAN: use-after-free in __lock_acquire+0x24c1/0x31b0\n[  459.351190] Read of size 8 at addr ffff88806c815a80 by task syz-executor.0/20132\n[  459.352347]\n[  459.352594] CPU: 0 PID: 20132 Comm: syz-executor.0 Not tainted 4.19.90 #2\n[  459.353628] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.10.2-1ubuntu1 04/01/2014\n[  459.354947] Call Trace:\n[  459.355337]  dump_stack+0x111/0x19e\n[  459.355879]  ? __lock_acquire+0x24c1/0x31b0\n[  459.356523]  print_address_description+0x60/0x223\n[  459.357248]  ? __lock_acquire+0x24c1/0x31b0\n[  459.357887]  kasan_report.cold+0xae/0x2d8\n[  459.358503]  __lock_acquire+0x24c1/0x31b0\n[  459.359120]  ? _raw_spin_unlock_irq+0x24/0x40\n[  459.359784]  ? lockdep_hardirqs_on+0x37b/0x580\n[  459.360465]  ? _raw_spin_unlock_irq+0x24/0x40\n[  459.361123]  ? finish_task_switch+0x125/0x600\n[  459.361812]  ? finish_task_switch+0xee/0x600\n[  459.362471]  ? mark_held_locks+0xf0/0xf0\n[  459.363108]  ? __schedule+0x96f/0x21d0\n[  459.363716]  lock_acquire+0x111/0x320\n[  459.364285]  ? blkdev_get+0xce/0xbe0\n[  459.364846]  ? blkdev_get+0xce/0xbe0\n[  459.365390]  __mutex_lock+0xf9/0x12a0\n[  459.365948]  ? blkdev_get+0xce/0xbe0\n[  459.366493]  ? bdev_evict_inode+0x1f0/0x1f0\n[  459.367130]  ? blkdev_get+0xce/0xbe0\n[  459.367678]  ? destroy_inode+0xbc/0x110\n[  459.368261]  ? mutex_trylock+0x1a0/0x1a0\n[  459.368867]  ? __blkdev_get+0x3e6/0x1280\n[  459.369463]  ? bdev_disk_changed+0x1d0/0x1d0\n[  459.370114]  ? blkdev_get+0xce/0xbe0\n[  459.370656]  blkdev_get+0xce/0xbe0\n[  459.371178]  ? find_held_lock+0x2c/0x110\n[  459.371774]  ? __blkdev_get+0x1280/0x1280\n[  459.372383]  ? lock_downgrade+0x680/0x680\n[  459.373002]  ? lock_acquire+0x111/0x320\n[  459.373587]  ? bd_acquire+0x21/0x2c0\n[  459.374134]  ? do_raw_spin_unlock+0x4f/0x250\n[  459.374780]  blkdev_open+0x202/0x290\n[  459.375325]  do_dentry_open+0x49e/0x1050\n[  459.375924]  ? blkdev_get_by_dev+0x70/0x70\n[  459.376543]  ? __x64_sys_fchdir+0x1f0/0x1f0\n[  459.377192]  ? inode_permission+0xbe/0x3a0\n[  459.377818]  path_openat+0x148c/0x3f50\n[  459.378392]  ? kmem_cache_alloc+0xd5/0x280\n[  459.379016]  ? entry_SYSCALL_64_after_hwframe+0x49/0xbe\n[  459.379802]  ? path_lookupat.isra.0+0x900/0x900\n[  459.380489]  ? __lock_is_held+0xad/0x140\n[  459.381093]  do_filp_open+0x1a1/0x280\n[  459.381654]  ? may_open_dev+0xf0/0xf0\n[  459.382214]  ? find_held_lock+0x2c/0x110\n[  459.382816]  ? lock_downgrade+0x680/0x680\n[  459.383425]  ? __lock_is_held+0xad/0x140\n[  459.384024]  ? do_raw_spin_unlock+0x4f/0x250\n[  459.384668]  ? _raw_spin_unlock+0x1f/0x30\n[  459.385280]  ? __alloc_fd+0x448/0x560\n[  459.385841]  do_sys_open+0x3c3/0x500\n[  459.386386]  ? filp_open+0x70/0x70\n[  459.386911]  ? trace_hardirqs_on_thunk+0x1a/0x1c\n[  459.387610]  ? trace_hardirqs_off_caller+0x55/0x1c0\n[  459.388342]  ? do_syscall_64+0x1a/0x520\n[  459.388930]  do_syscall_64+0xc3/0x520\n[  459.389490]  entry_SYSCALL_64_after_hwframe+0x49/0xbe\n[  459.390248] RIP: 0033:0x416211\n[  459.390720] Code: 75 14 b8 02 00 00 00 0f 05 48 3d 01 f0 ff ff 0f 83\n04 19 00 00 c3 48 83 ec 08 e8 0a fa ff ff 48 89 04 24 b8 02 00 00 00 0f\n   05 \u003c48\u003e 8b 3c 24 48 89 c2 e8 53 fa ff ff 48 89 d0 48 83 c4 08 48 3d\n      01\n[  459.393483] RSP: 002b:00007fe45dfe9a60 EFLAGS: 00000293 ORIG_RAX: 0000000000000002\n[  459.394610] RAX: ffffffffffffffda RBX: 00007fe45dfea6d4 RCX: 0000000000416211\n[  459.395678] RDX: 00007fe45dfe9b0a RSI: 0000000000000002 RDI: 00007fe45dfe9b00\n[  459.396758] RBP: 000000000076bf20 R08: 0000000000000000 R09: 000000000000000a\n[  459.397930] R10: 0000000000000075 R11: 0000000000000293 R12: 00000000ffffffff\n[  459.399022] R13: 0000000000000bd9 R14: 00000000004cdb80 R15: 000000000076bf2c\n[  459.400168]\n[  459.400430] Allocated by task 20132:\n[  459.401038]  kasan_kmalloc+0xbf/0xe0\n[  459.401652]  kmem_cache_alloc+0xd5/0x280\n[  459.402330]  bdev_alloc_inode+0x18/0x40\n[  459.402970]  alloc_inode+0x5f/0x180\n[  459.403510]  iget5_locked+0x57/0xd0\n[  459.404095]  bdget+0x94/0x4e0\n[  459.404607]  bd_acquire+0xfa/0x2c0\n[  459.405113]  blkdev_open+0x110/0x290\n[  459.405702]  do_dentry_open+0x49e/0x1050\n[  459.406340]  path_openat+0x148c/0x3f50\n[  459.406926]  do_filp_open+0x1a1/0x280\n[  459.407471]  do_sys_open+0x3c3/0x500\n[  459.408010]  do_syscall_64+0xc3/0x520\n[  459.408572]  entry_SYSCALL_64_after_hwframe+0x49/0xbe\n[  459.409415]\n[  459.409679] Freed by task 1262:\n[  459.410212]  __kasan_slab_free+0x129/0x170\n[  459.410919]  kmem_cache_free+0xb2/0x2a0\n[  459.411564]  rcu_process_callbacks+0xbb2/0x2320\n[  459.412318]  __do_softirq+0x225/0x8ac\n\nFix this by delaying bdput() to the end of blkdev_get() which means we\nhave finished accessing bdev.\n\nFixes: 77ea887e433a (\"implement in-kernel gendisk events handling\")\nReported-by: Hulk Robot \u003chulkci@huawei.com\u003e\nSigned-off-by: Jason Yan \u003cyanaijie@huawei.com\u003e\nTested-by: Sedat Dilek \u003csedat.dilek@gmail.com\u003e\nReviewed-by: Jan Kara \u003cjack@suse.cz\u003e\nReviewed-by: Christoph Hellwig \u003chch@lst.de\u003e\nReviewed-by: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nCc: Christoph Hellwig \u003chch@lst.de\u003e\nCc: Jens Axboe \u003caxboe@kernel.dk\u003e\nCc: Ming Lei \u003cming.lei@redhat.com\u003e\nCc: Jan Kara \u003cjack@suse.cz\u003e\nCc: Dan Carpenter \u003cdan.carpenter@oracle.com\u003e\nSigned-off-by: Jens Axboe \u003caxboe@kernel.dk\u003e\nSigned-off-by: Sasha Levin \u003csashal@kernel.org\u003e\n",
  "tree_diff": [
    {
      "type": "modify",
      "old_id": "c158bad9a0752d71c61d5045c06357783f05f205",
      "old_mode": 33188,
      "old_path": "fs/block_dev.c",
      "new_id": "8ac8f7469354b58958325660285ee579a22177fe",
      "new_mode": 33188,
      "new_path": "fs/block_dev.c"
    }
  ]
}
