linux/drivers
Kirill Tkhai 0987f00a76 dm: fix use-after-free in dm_cleanup_zoned_dev()
commit 588b7f5df0 upstream.

dm_cleanup_zoned_dev() uses queue, so it must be called
before blk_cleanup_disk() starts its killing:

blk_cleanup_disk->blk_cleanup_queue()->kobject_put()->blk_release_queue()->
->...RCU...->blk_free_queue_rcu()->kmem_cache_free()

Otherwise, the RCU callback may be executed first and
dm_cleanup_zoned_dev() will touch freed memory:

 BUG: KASAN: use-after-free in dm_cleanup_zoned_dev+0x33/0xd0
 Read of size 8 at addr ffff88805ac6e430 by task dmsetup/681

 CPU: 4 PID: 681 Comm: dmsetup Not tainted 5.17.0-rc2+ #6
 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.14.0-2 04/01/2014
 Call Trace:
  <TASK>
  dump_stack_lvl+0x57/0x7d
  print_address_description.constprop.0+0x1f/0x150
  ? dm_cleanup_zoned_dev+0x33/0xd0
  kasan_report.cold+0x7f/0x11b
  ? dm_cleanup_zoned_dev+0x33/0xd0
  dm_cleanup_zoned_dev+0x33/0xd0
  __dm_destroy+0x26a/0x400
  ? dm_blk_ioctl+0x230/0x230
  ? up_write+0xd8/0x270
  dev_remove+0x156/0x1d0
  ctl_ioctl+0x269/0x530
  ? table_clear+0x140/0x140
  ? lock_release+0xb2/0x750
  ? remove_all+0x40/0x40
  ? rcu_read_lock_sched_held+0x12/0x70
  ? lock_downgrade+0x3c0/0x3c0
  ? rcu_read_lock_sched_held+0x12/0x70
  dm_ctl_ioctl+0xa/0x10
  __x64_sys_ioctl+0xb9/0xf0
  do_syscall_64+0x3b/0x90
  entry_SYSCALL_64_after_hwframe+0x44/0xae
 RIP: 0033:0x7fb6dfa95c27

Fixes: bb37d77239 ("dm: introduce zone append emulation")
Cc: stable@vger.kernel.org
Signed-off-by: Kirill Tkhai <ktkhai@virtuozzo.com>
Reviewed-by: Damien Le Moal <damien.lemoal@opensource.wdc.com>
Signed-off-by: Mike Snitzer <snitzer@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2022-04-08 14:22:57 +02:00
| Directory | Last commit | Date |
|---|---|---|
| accessibility | speakup-dectlk: Restore pitch setting | 2022-02-16 12:56:37 +01:00 |
| acpi | ACPI: video: Force backlight native for Clevo NL5xRU and NL5xNU | 2022-03-28 09:58:45 +02:00 |
| amba | ARM: 9120/1: Revert "amba: make use of -1 IRQs warn" | 2021-11-06 14:13:31 +01:00 |
| android | binder: avoid potential data leakage when copying txn | 2022-01-27 11:04:09 +01:00 |
| ata | ata: pata_hpt37x: fix PCI clock detection | 2022-03-08 19:12:33 +01:00 |
| atm | atm: eni: Add check for dma_map_single | 2022-03-23 09:16:41 +01:00 |
| auxdisplay | auxdisplay: lcd2s: Use proper API to free the instance of charlcd object | 2022-03-08 19:12:47 +01:00 |
| base | driver core: Free DMA range map when device is released | 2022-03-02 11:48:07 +01:00 |
| bcma | | |
| block | virtio-blk: Use blk_validate_block_size() to validate block size | 2022-04-08 14:22:48 +02:00 |
| bluetooth | Bluetooth: btusb: Add one more Bluetooth part for the Realtek RTL8852AE | 2022-03-28 09:58:45 +02:00 |
| bus | bus: mhi: Fix MHI DMA structure endianness | 2022-04-08 14:22:49 +02:00 |
| cdrom | | |
| char | tpm: fix reference counting for struct tpm_chip | 2022-04-08 14:22:48 +02:00 |
| clk | clk: uniphier: Fix fixed-rate initialization | 2022-04-08 14:22:50 +02:00 |
| clocksource | ARM: dts: Use 32KiHz oscillator on devkit8000 | 2022-03-08 19:12:49 +01:00 |
| comedi | comedi: vmk80xx: fix bulk and interrupt message timeouts | 2021-11-12 15:05:51 +01:00 |
| connector | | |
| counter | | |
| cpufreq | cpufreq: Fix initialization of min and max frequency QoS requests | 2022-01-27 11:04:44 +01:00 |
| cpuidle | cpuidle: Fix kobject memory leaks in error paths | 2021-11-18 19:16:29 +01:00 |
| crypto | crypto: qat - disable registration of algorithms | 2022-03-28 09:58:45 +02:00 |
| cxl | cxl/pmem: Fix reference counting for delayed work | 2022-01-27 11:02:58 +01:00 |
| dax | | |
| dca | | |
| devfreq | | |
| dio | | |
| dma | dmaengine: shdma: Fix runtime PM imbalance on error | 2022-03-08 19:12:31 +01:00 |
| dma-buf | dma-buf: cma_heap: Fix mutex locking section | 2022-03-08 19:12:37 +01:00 |
| edac | EDAC: Fix calculation of returned address and next offset in edac_align_ptr() | 2022-02-23 12:03:20 +01:00 |
| eisa | | |
| extcon | | |
| firewire | | |
| firmware | firmware: sysfb: fix platform-device leak in error path | 2022-04-08 14:22:51 +02:00 |
| fpga | | |
| fsi | | |
| gnss | | |
| gpio | Revert "gpio: Revert regression in sysfs-gpio (gpiolib.c)" | 2022-04-08 14:22:47 +02:00 |
| gpu | drm/simpledrm: Add "panel orientation" property on non-upright mounted LCD panels | 2022-04-08 14:22:56 +02:00 |
| greybus | greybus: svc: fix an error handling bug in gb_svc_hello() | 2022-04-08 14:22:50 +02:00 |
| hid | HID: intel-ish-hid: Use dma_alloc_coherent for firmware update | 2022-04-08 14:22:51 +02:00 |
| hsi | HSI: core: Fix return freed object in hsi_new_client | 2022-01-27 11:04:31 +01:00 |
| hv | hv: utils: add PTP_1588_CLOCK to Kconfig to fix build | 2022-04-08 14:22:46 +02:00 |
| hwmon | hwmon: (pmbus) Clear pmbus fault/warning bits after read | 2022-03-16 14:23:41 +01:00 |
| hwspinlock | | |
| hwtracing | coresight: syscfg: Fix memleak on registration failure in cscfg_create_device | 2022-04-08 14:22:50 +02:00 |
| i2c | i2c: qup: allow COMPILE_TEST | 2022-03-08 19:12:31 +01:00 |
| i3c | i3c: master: dw: check return of dw_i3c_master_get_free_pos() | 2022-03-08 19:12:37 +01:00 |
| idle | | |
| iio | iio: inkern: make a best effort on offset calculation | 2022-04-08 14:22:50 +02:00 |
| infiniband | IB/qib: Fix duplicate sysfs directory name | 2022-03-02 11:48:08 +01:00 |
| input | Revert "Input: clear BTN_RIGHT/MIDDLE on buttonpads" | 2022-04-08 14:22:55 +02:00 |
| interconnect | interconnect: qcom: rpm: Prevent integer overflow in rate | 2022-01-27 11:05:00 +01:00 |
| iommu | iommu/iova: Improve 32-bit free space estimate | 2022-04-08 14:22:48 +02:00 |
| ipack | | |
| irqchip | irqchip/sifive-plic: Add missing thead,c900-plic match string | 2022-02-23 12:03:17 +01:00 |
| isdn | isdn: hfcpci: check the return value of dma_set_mask() in setup_hw() | 2022-03-16 14:23:36 +01:00 |
| leds | leds: lp55xx: initialise output direction from dts | 2022-01-27 11:04:21 +01:00 |
| macintosh | | |
| mailbox | mailbox: change mailbox-mpfs compatible string | 2022-01-27 11:05:05 +01:00 |
| mcb | | |
| md | dm: fix use-after-free in dm_cleanup_zoned_dev() | 2022-04-08 14:22:57 +02:00 |
| media | media: correct MEDIA_TEST_SUPPORT help text | 2022-01-27 11:05:20 +01:00 |
| memory | memory: renesas-rpc-if: Return error in case devm_ioremap_resource() fails | 2022-01-27 11:03:11 +01:00 |
| memstick | memstick: jmb38x_ms: use appropriate free function in jmb38x_ms_alloc_host() | 2021-11-18 19:16:32 +01:00 |
| message | | |
| mfd | mfd: tps65910: Set PWR_OFF bit during driver probe | 2022-01-27 11:05:07 +01:00 |
| misc | mei: avoid iterator usage outside of list_for_each_entry | 2022-04-08 14:22:49 +02:00 |
| mmc | mmc: meson: Fix usage of meson_mmc_post_req() | 2022-03-16 14:23:42 +01:00 |
| most | most: fix control-message timeouts | 2021-11-18 19:16:08 +01:00 |
| mtd | mtd: rawnand: protect access to rawnand devices while in suspend | 2022-04-08 14:22:53 +02:00 |
| mux | | |
| net | qed: validate and restrict untrusted VFs vlan promisc mode | 2022-04-08 14:22:54 +02:00 |
| nfc | nfc: st21nfca: Fix potential buffer overflows in EVT_TRANSACTION | 2022-03-28 09:58:42 +02:00 |
| ntb | ntb: intel: fix port config status offset for SPR | 2022-03-08 19:12:44 +01:00 |
| nubus | | |
| nvdimm | nvdimm/pmem: cleanup the disk if pmem_release_disk() is yet assigned | 2021-11-18 19:17:07 +01:00 |
| nvme | nvme: also mark passthrough-only namespaces ready in nvme_update_ns_info | 2022-03-02 11:47:56 +01:00 |
| nvmem | nvmem: core: Fix a conflict between MTD and NVMEM on wp-gpios property | 2022-03-02 11:48:06 +01:00 |
| of | of: net: move of_net under net/ | 2022-03-08 19:12:41 +01:00 |
| opp | opp: Fix return in _opp_add_static_v2() | 2021-11-18 19:17:00 +01:00 |
| parisc | parisc: Fix sglist access in ccio-dma.c | 2022-02-23 12:03:03 +01:00 |
| parport | | |
| pci | PCI: Mark all AMD Navi10 and Navi14 GPU ATS as broken | 2022-03-16 14:23:41 +01:00 |
| pcmcia | pcmcia: fix setting of kthread task states | 2022-01-27 11:04:02 +01:00 |
| perf | perf/arm-cmn: Fix CPU hotplug unregistration | 2022-01-27 11:03:36 +01:00 |
| phy | phy: phy-mtk-tphy: Fix duplicated argument in phy-mtk-tphy | 2022-02-23 12:03:17 +01:00 |
| pinctrl | pinctrl: samsung: drop pin banks references on error paths | 2022-04-08 14:22:53 +02:00 |
| platform | surface: surface3_power: Fix battery readings on batteries without a serial number | 2022-03-02 11:47:59 +01:00 |
| pnp | | |
| power | power: reset: mt6397: Check for null res pointer | 2022-01-27 11:03:49 +01:00 |
| powercap | | |
| pps | | |
| ps3 | | |
| ptp | net: fix SOF_TIMESTAMPING_BIND_PHC to work with multiple sockets | 2022-01-27 11:03:52 +01:00 |
| pwm | | |
| rapidio | | |
| ras | | |
| regulator | regulator: core: fix false positive in regulator_late_cleanup() | 2022-03-08 19:12:29 +01:00 |
| remoteproc | remoteproc: Fix count check in rproc_coredump_write() | 2022-04-08 14:22:52 +02:00 |
| reset | reset: renesas: Fix Runtime PM usage | 2022-01-11 15:35:16 +01:00 |
| rpmsg | rpmsg: char: Fix race between the release of rpmsg_eptdev and cdev | 2022-02-01 17:27:07 +01:00 |
| rtc | rtc: pl031: fix rtc features null pointer dereference | 2022-04-08 14:22:56 +02:00 |
| s390 | block: drop unused includes in <linux/genhd.h> | 2022-03-16 14:23:46 +01:00 |
| sbus | | |
| scsi | scsi: libsas: Fix sas_ata_qc_issue() handling of NCQ NON DATA commands | 2022-04-08 14:22:54 +02:00 |
| sh | maple: fix wrong return value of maple_bus_init(). | 2021-11-25 09:48:31 +01:00 |
| siox | | |
| slimbus | | |
| soc | soc: fsl: qe: Check of ioremap return value | 2022-03-08 19:12:49 +01:00 |
| soundwire | soundwire: bus: stop dereferencing invalid slave pointer | 2021-11-18 19:16:54 +01:00 |
| spi | spi: mxic: Fix the transmit path | 2022-04-08 14:22:53 +02:00 |
| spmi | | |
| ssb | | |
| staging | staging: gdm724x: fix use after free in gdm_lte_rx() | 2022-03-16 14:23:42 +01:00 |
| target | scsi: target: iscsi: Make sure the np under each tpg is unique | 2022-02-16 12:56:12 +01:00 |
| tc | | |
| tee | optee: use driver internal tee_context for some rpc | 2022-03-02 11:47:51 +01:00 |
| thermal | thermal: core: Fix TZ_GET_TRIP NULL pointer dereference | 2022-03-08 19:12:43 +01:00 |
| thunderbolt | thunderbolt: Runtime PM activate both ends of the device link | 2022-01-27 11:04:36 +01:00 |
| tty | serial: stm32: prevent TDR register overwrite when sending x_char | 2022-03-08 19:12:32 +01:00 |
| uio | | |
| usb | xhci: fix uninitialized string returned by xhci_decode_ctrl_ctx() | 2022-04-08 14:22:49 +02:00 |
| vdpa | vdpa/mlx5: should verify CTRL_VQ feature exists for MQ | 2022-04-08 14:22:46 +02:00 |
| vfio | | |
| vhost | vsock: each transport cycles only on its own sockets | 2022-03-23 09:16:41 +01:00 |
| video | fbcon: Avoid 'cap' set but not used warning | 2022-02-16 12:56:27 +01:00 |
| virt | nitro_enclaves: Use get_user_pages_unlocked() call to handle mmap assert | 2022-01-05 12:42:39 +01:00 |
| virtio | virtio: acknowledge all features before access | 2022-03-16 14:23:43 +01:00 |
| visorbus | | |
| vlynq | | |
| vme | | |
| w1 | w1: Misuse of get_user()/put_user() reported by sparse | 2022-01-27 11:04:59 +01:00 |
| watchdog | ar7: fix kernel builds for compiler test | 2021-11-18 19:17:03 +01:00 |
| xen | xen/gnttab: fix gnttab_end_foreign_access() without page specified | 2022-03-11 12:22:37 +01:00 |
| zorro | | |
| Kconfig | | |
| Makefile | virtio: always enter drivers/virtio/ | 2021-12-22 09:32:39 +01:00 |