From 0e73ac52e1547fd66ecc02475962bae7d83f5af0 Mon Sep 17 00:00:00 2001
From: Greg Kroah-Hartman
Date: Sat, 30 Jan 2021 15:56:43 +0100
Subject: [PATCH] 4.19-stable patches

added patches:
nbd-freeze-the-queue-while-we-re-adding-connections.patch
---
 ...queue-while-we-re-adding-connections.patch | 60 +++++++++++++++++++
 1 file changed, 60 insertions(+)
 create mode 100644 queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch

diff --git a/queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch b/queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch
new file mode 100644
index 00000000000..f3ea13cd0d7
--- /dev/null
+++ b/queue-4.19/nbd-freeze-the-queue-while-we-re-adding-connections.patch
@@ -0,0 +1,60 @@
+From b98e762e3d71e893b221f871825dc64694cfb258 Mon Sep 17 00:00:00 2001
+From: Josef Bacik
+Date: Mon, 25 Jan 2021 12:21:02 -0500
+Subject: nbd: freeze the queue while we're adding connections
+
+From: Josef Bacik
+
+commit b98e762e3d71e893b221f871825dc64694cfb258 upstream.
+
+When setting up a device, we can krealloc the config->socks array to add
+new sockets to the configuration. However if we happen to get a IO
+request in at this point even though we aren't setup we could hit a UAF,
+as we deref config->socks without any locking, assuming that the
+configuration was setup already and that ->socks is safe to access it as
+we have a reference on the configuration.
+
+But there's nothing really preventing IO from occurring at this point of
+the device setup, we don't want to incur the overhead of a lock to
+access ->socks when it will never change while the device is running.
+To fix this UAF scenario simply freeze the queue if we are adding
+sockets. This will protect us from this particular case without adding
+any additional overhead for the normal running case.
+
+Cc: stable@vger.kernel.org
+Signed-off-by: Josef Bacik
+Signed-off-by: Jens Axboe
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ drivers/block/nbd.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+--- a/drivers/block/nbd.c
++++ b/drivers/block/nbd.c
+@@ -966,6 +966,12 @@ static int nbd_add_socket(struct nbd_dev
+ if (!sock)
+ return err;
+ 
++ /*
++ * We need to make sure we don't get any errant requests while we're
++ * reallocating the ->socks array.
++ */
++ blk_mq_freeze_queue(nbd->disk->queue);
++
+ if (!netlink && !nbd->task_setup &&
+ !test_bit(NBD_BOUND, &config->runtime_flags))
+ nbd->task_setup = current;
+@@ -1004,10 +1010,12 @@ static int nbd_add_socket(struct nbd_dev
+ nsock->cookie = 0;
+ socks[config->num_connections++] = nsock;
+ atomic_inc(&config->live_connections);
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+ 
+ return 0;
+ 
+ put_socket:
++ blk_mq_unfreeze_queue(nbd->disk->queue);
+ sockfd_put(sock);
+ return err;
+ }
-- 
2.47.3
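Review bot: The queue is frozen right after the `if (!sock)` check in the first inner hunk but only unfrozen on the `return 0` path and at `put_socket:` in the second, so the pairing depends on every failure exit in the part of nbd_add_socket that lies between the two hunks (roughly forty lines not visible here, presumably the setup-task rejection and the allocation failures) reaching `put_socket` rather than returning directly. A bare `return` in that region would leave the queue frozen for good, turning the use-after-free this fixes into a device that never completes another request, so the 4.19 target should be checked for such exits before the backport is queued. A comment at the label would make the invariant explicit for later backports: `/* queue was frozen above; every error exit must come through here */`.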