search for: virtblk_getgeo

A virtio_blk block device can still be referenced after hot unplug by userspace processes that hold the file descriptor. In this case virtblk_getgeo() can be invoked after virtblk_remove() was called. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug. Fix this by clearing vblk->disk->private_data and checking that the virtio_blk driver instance is still around in virtblk_getgeo(). Note that the...

A virtio_blk block device can still be referenced after hot unplug by userspace processes that hold the file descriptor. In this case virtblk_getgeo() can be invoked after virtblk_remove() was called. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug. Fix this by clearing vblk->disk->private_data and checking that the virtio_blk driver instance is still around in virtblk_getgeo(). Note that the...

...--- > 7 files changed, 142 insertions(+), 204 deletions(-) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 7ffd719d89de..fbbf18ac1d5d 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -405,6 +405,9 @@ static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo) > > static const struct block_device_operations virtblk_fops = { > .ioctl = virtblk_ioctl, > +#ifdef CONFIG_COMPAT > + .compat_ioctl = blkdev_compat_ptr_ioctl, > +#endif > .owner = THIS_MODULE, > .getgeo = virtblk_...

...--- > 7 files changed, 142 insertions(+), 204 deletions(-) > > diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c > index 7ffd719d89de..fbbf18ac1d5d 100644 > --- a/drivers/block/virtio_blk.c > +++ b/drivers/block/virtio_blk.c > @@ -405,6 +405,9 @@ static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo) > > static const struct block_device_operations virtblk_fops = { > .ioctl = virtblk_ioctl, > +#ifdef CONFIG_COMPAT > + .compat_ioctl = blkdev_compat_ptr_ioctl, > +#endif > .owner = THIS_MODULE, > .getgeo = virtblk_...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug to invoke virtblk_getgeo(). Introduce a reference count in struct virtio_blk so that its lifetime covers both virtio_driver probe/remove and block_device_operations open/release users. This ensures that block_device_operations functions like virtblk_getgeo() can safely access struct virtio_blk. Add remove_mutex to preve...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. For example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot unplug to invoke virtblk_getgeo(). Introduce a reference count in struct virtio_blk so that its lifetime covers both virtio_driver probe/remove and block_device_operations open/release users. This ensures that block_device_operations functions like virtblk_getgeo() can safely access struct virtio_blk. Add remove_mutex to preve...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

...+0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. For example, a > > program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot > > unplug to invoke virtblk_getgeo(). > > > which causes what? a use after free? Yes, use after free. I will include the kernel panic in the next revision. virtio_check_driver_offered_feature() accesses vdev->dev.driver, which doesn't work after virtblk_remove() has freed vdev :). > > > > Introduce...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

On Thu, Apr 23, 2020 at 01:37:17PM +0100, Stefan Hajnoczi wrote: > A virtio_blk block device can still be referenced after hot unplug by > userspace processes that hold the file descriptor. In this case > virtblk_getgeo() can be invoked after virtblk_remove() was called. For > example, a program that has /dev/vdb open can call ioctl(HDIO_GETGEO) > after hot unplug. > > Fix this by clearing vblk->disk->private_data and checking that the > virtio_blk driver instance is still around in virtblk_...

...2020 at 03:30:09PM +0100, Stefan Hajnoczi wrote: > A userspace process holding a file descriptor to a virtio_blk device can > still invoke block_device_operations after hot unplug. For example, a > program that has /dev/vdb open can call ioctl(HDIO_GETGEO) after hot > unplug to invoke virtblk_getgeo(). which causes what? a use after free? > > Introduce a reference count in struct virtio_blk so that its lifetime > covers both virtio_driver probe/remove and block_device_operations > open/release users. This ensures that block_device_operations functions > like virtblk_getgeo(...

On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > A userspace process holding a file descriptor to a virtio_blk device can > still invoke block_device_operations after hot unplug. This leads to a > use-after-free accessing vblk->vdev in virtblk_getgeo() when > ioctl(HDIO_GETGEO) is invoked: > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 > IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] > PGD 800000003a92f067 PUD 3a930067 PMD 0 > Oops: 0000 [#1] SMP &g...

...m: Stefan Hajnoczi <stefanha at redhat.com> [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

...m: Stefan Hajnoczi <stefanha at redhat.com> [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

...m: Stefan Hajnoczi <stefanha at redhat.com> [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

...m: Stefan Hajnoczi <stefanha at redhat.com> [ Upstream commit 90b5feb8c4bebc76c27fcaf3e1a0e5ca2d319e9e ] A userspace process holding a file descriptor to a virtio_blk device can still invoke block_device_operations after hot unplug. This leads to a use-after-free accessing vblk->vdev in virtblk_getgeo() when ioctl(HDIO_GETGEO) is invoked: BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] PGD 800000003a92f067 PUD 3a930067 PMD 0 Oops: 0000 [#1] SMP CPU: 0 PID: 1310 Comm: hdio-ge...

...rella wrote: > On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. This leads to a > > use-after-free accessing vblk->vdev in virtblk_getgeo() when > > ioctl(HDIO_GETGEO) is invoked: > > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 > > IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] > > PGD 800000003a92f067 PUD 3a930067 PMD 0 >...

...rella wrote: > On Wed, Apr 29, 2020 at 05:53:45PM +0100, Stefan Hajnoczi wrote: > > A userspace process holding a file descriptor to a virtio_blk device can > > still invoke block_device_operations after hot unplug. This leads to a > > use-after-free accessing vblk->vdev in virtblk_getgeo() when > > ioctl(HDIO_GETGEO) is invoked: > > > > BUG: unable to handle kernel NULL pointer dereference at 0000000000000090 > > IP: [<ffffffffc00e5450>] virtio_check_driver_offered_feature+0x10/0x90 [virtio] > > PGD 800000003a92f067 PUD 3a930067 PMD 0 >...