Vegard Nossum 9a95c0cfc6 block: fix use-after-free in seq file ... commit 77da160530dd1dc94f6ae15a981f24e5f0021e84 upstream. I got a KASAN report of use-after-free: ================================================================== BUG: KASAN: use-after-free in klist_iter_exit+0x61/0x70 at addr ffff8800b6581508 Read of size 8 by task trinity-c1/315 ============================================================================= BUG kmalloc-32 (Not tainted): kasan: bad access detected ----------------------------------------------------------------------------- Disabling lock debugging due to kernel taint INFO: Allocated in disk_seqf_start+0x66/0x110 age=144 cpu=1 pid=315 ___slab_alloc+0x4f1/0x520 __slab_alloc.isra.58+0x56/0x80 kmem_cache_alloc_trace+0x260/0x2a0 disk_seqf_start+0x66/0x110 traverse+0x176/0x860 seq_read+0x7e3/0x11a0 proc_reg_read+0xbc/0x180 do_loop_readv_writev+0x134/0x210 do_readv_writev+0x565/0x660 vfs_readv+0x67/0xa0 do_preadv+0x126/0x170 SyS_preadv+0xc/0x10 do_syscall_64+0x1a1/0x460 return_from_SYSCALL_64+0x0/0x6a INFO: Freed in disk_seqf_stop+0x42/0x50 age=160 cpu=1 pid=315 __slab_free+0x17a/0x2c0 kfree+0x20a/0x220 disk_seqf_stop+0x42/0x50 traverse+0x3b5/0x860 seq_read+0x7e3/0x11a0 proc_reg_read+0xbc/0x180 do_loop_readv_writev+0x134/0x210 do_readv_writev+0x565/0x660 vfs_readv+0x67/0xa0 do_preadv+0x126/0x170 SyS_preadv+0xc/0x10 do_syscall_64+0x1a1/0x460 return_from_SYSCALL_64+0x0/0x6a CPU: 1 PID: 315 Comm: trinity-c1 Tainted: G B 4.7.0+ #62 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Ubuntu-1.8.2-1ubuntu1 04/01/2014 ffffea0002d96000 ffff880119b9f918 ffffffff81d6ce81 ffff88011a804480 ffff8800b6581500 ffff880119b9f948 ffffffff8146c7bd ffff88011a804480 ffffea0002d96000 ffff8800b6581500 fffffffffffffff4 ffff880119b9f970 Call Trace: [<ffffffff81d6ce81>] dump_stack+0x65/0x84 [<ffffffff8146c7bd>] print_trailer+0x10d/0x1a0 [<ffffffff814704ff>] object_err+0x2f/0x40 [<ffffffff814754d1>] kasan_report_error+0x221/0x520 [<ffffffff8147590e>] __asan_report_load8_noabort+0x3e/0x40 [<ffffffff83888161>] klist_iter_exit+0x61/0x70 [<ffffffff82404389>] class_dev_iter_exit+0x9/0x10 [<ffffffff81d2e8ea>] disk_seqf_stop+0x3a/0x50 [<ffffffff8151f812>] seq_read+0x4b2/0x11a0 [<ffffffff815f8fdc>] proc_reg_read+0xbc/0x180 [<ffffffff814b24e4>] do_loop_readv_writev+0x134/0x210 [<ffffffff814b4c45>] do_readv_writev+0x565/0x660 [<ffffffff814b8a17>] vfs_readv+0x67/0xa0 [<ffffffff814b8de6>] do_preadv+0x126/0x170 [<ffffffff814b92ec>] SyS_preadv+0xc/0x10 This problem can occur in the following situation: open() - pread() - .seq_start() - iter = kmalloc() // succeeds - seqf->private = iter - .seq_stop() - kfree(seqf->private) - pread() - .seq_start() - iter = kmalloc() // fails - .seq_stop() - class_dev_iter_exit(seqf->private) // boom! old pointer As the comment in disk_seqf_stop() says, stop is called even if start failed, so we need to reinitialise the private pointer to NULL when seq iteration stops. An alternative would be to set the private pointer to NULL when the kmalloc() in disk_seqf_start() fails. Signed-off-by: Vegard Nossum <vegard.nossum@oracle.com> Acked-by: Tejun Heo <tj@kernel.org> Signed-off-by: Jens Axboe <axboe@fb.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>		2016-08-16 09:30:50 +02:00
..
partitions	mac: validate mac_partition is within sector	2015-11-20 08:49:28 -07:00
bio-integrity.c	block: blk_flush_integrity() for bio-based drivers	2015-10-21 14:43:44 -06:00
bio.c	bio: return EINTR if copying to user space got interrupted	2016-03-03 15:07:28 -08:00
blk-cgroup.c	cgroup: fix handling of multi-destination migration from subtree_control enabling	2015-12-03 10:18:21 -05:00
blk-core.c	dm: fix excessive dm-mq context switching	2016-04-12 09:08:40 -07:00
blk-exec.c	block: move PM request support to IDE	2015-05-05 13:40:42 -06:00
blk-flush.c	Revert "blk-flush: Queue through IO scheduler when flush not required"	2015-11-25 10:12:54 -07:00
blk-integrity.c	block, libnvdimm, nvme: provide a built-in blk_integrity nop profile	2015-10-21 14:43:45 -06:00
blk-ioc.c	mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd	2015-11-06 17:50:42 -08:00
blk-iopoll.c	Merge branch 'locking-core-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip into next	2014-06-03 12:57:53 -07:00
blk-lib.c	block: re-add discard_granularity and alignment checks	2015-10-28 09:12:58 +09:00
blk-map.c	block: Copy a user iovec if it includes gaps	2015-09-11 09:03:50 -06:00
blk-merge.c	block: fix bio splitting on max sectors	2016-02-17 12:30:56 -08:00
blk-mq-cpu.c	blk-mq: add file comments and update copyright notices	2014-05-28 10:15:41 -06:00
blk-mq-cpumap.c	blk-mq: avoid inserting requests before establishing new mapping	2015-09-29 11:32:50 -06:00
blk-mq-sysfs.c	block: add block polling support	2015-11-07 10:40:47 -07:00
blk-mq-tag.c	mm, page_alloc: distinguish between being unable to sleep, unwilling to sleep and avoiding waking kswapd	2015-11-06 17:50:42 -08:00
blk-mq-tag.h	blk-mq: factor out a helper to iterate all tags for a request_queue	2015-10-01 10:10:57 +02:00
blk-mq.c	blk-mq: fix calling unplug callbacks with preempt disabled	2015-11-20 20:29:45 -07:00
blk-mq.h	blk-mq: mark __blk_mq_complete_request() static	2015-11-11 09:36:56 -07:00
blk-settings.c	block: Initialize max_dev_sectors to 0	2016-03-09 15:34:49 -08:00
blk-softirq.c	block: fix regression with block enabled tagging	2014-04-09 21:54:06 -06:00
blk-sysfs.c	Merge branch 'mkp-fixes' into fixes	2015-12-03 09:32:33 -08:00
blk-tag.c	block: support different tag allocation policy	2015-01-23 14:15:46 -07:00
blk-throttle.c	cgroup: replace cgroup_on_dfl() tests in controllers with cgroup_subsys_on_dfl()	2015-09-18 11:56:28 -04:00
blk-timeout.c	block: fix blk_abort_request for blk-mq drivers	2015-11-24 15:24:10 -07:00
blk.h	block: protect rw_page against device teardown	2015-11-19 13:47:10 -08:00
bounce.c	Merge branch 'for-linus' of git://git.kernel.dk/linux-block	2015-09-19 18:57:09 -07:00
bsg-lib.c	bsg: Remove unused function bsg_goose_queue()	2012-12-06 14:33:02 +01:00
bsg.c	block: Simplify bsg complete all	2015-02-04 09:57:52 -07:00
cfq-iosched.c	cgroup: replace cgroup_on_dfl() tests in controllers with cgroup_subsys_on_dfl()	2015-09-18 11:56:28 -04:00
cmdline-parser.c	block: remove unrelated header files and export symbol	2014-01-21 20:18:26 -08:00
compat_ioctl.c	block, bdi: an active gendisk always has a request_queue associated with it	2014-09-08 10:00:35 -06:00
deadline-iosched.c	block: Stop abusing csd.list for fifo_time	2014-02-24 14:46:32 -08:00
elevator.c	block: check bio_mergeable() early before merging	2015-10-21 15:00:54 -06:00
genhd.c	block: fix use-after-free in seq file	2016-08-16 09:30:50 +02:00
ioctl.c	block: add an API for Persistent Reservations	2015-10-21 14:46:56 -06:00
ioprio.c	block: fix use-after-free in sys_ioprio_get()	2016-08-10 11:49:28 +02:00
Kconfig	block: Add T10 Protection Information functions	2014-09-27 09:14:59 -06:00
Kconfig.iosched	blkcg: make CONFIG_BLK_CGROUP bool	2012-03-06 21:27:21 +01:00
Makefile	block: Add T10 Protection Information functions	2014-09-27 09:14:59 -06:00
noop-iosched.c	elevator: use list_{first,prev,next}_entry	2015-11-16 15:21:48 -07:00
partition-generic.c	block: partition: initialize percpuref before sending out KOBJ_ADD	2016-05-04 14:48:39 -07:00
scsi_ioctl.c	mm, page_alloc: rename __GFP_WAIT to __GFP_RECLAIM	2015-11-06 17:50:42 -08:00
t10-pi.c	block: Consolidate static integrity profile properties	2015-10-21 14:42:38 -06:00