Unverified Commit 03d56375 authored by openeuler-ci-bot's avatar openeuler-ci-bot Committed by Gitee

!1429 nbd: fix null-ptr-dereference while accessing 'nbd->config'

Merge Pull Request from: @ci-robot 
 
PR sync from: Zhong Jinghua <zhongjinghua@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/HOVMIDKZMBMNOQNYQNFHPUF5WRMSNV76/ 
From: Zhong Jinghua <zhongjinghua@huaweicloud.com>

nbd: fix null-ptr-dereference while accessing 'nbd->config'

Yu Kuai (3):
  nbd: fold nbd config initialization into nbd_alloc_config()
  nbd: factor out a helper to get nbd_config without holding
    'config_lock'
  nbd: fix null-ptr-dereference while accessing 'nbd->config'


-- 
2.31.1
 
https://gitee.com/openeuler/kernel/issues/I7EENU 
 
Link:https://gitee.com/openeuler/kernel/pulls/1429

 

Reviewed-by: default avatarYu Kuai <yukuai3@huawei.com>
Reviewed-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
Signed-off-by: default avatarJialin Zhang <zhangjialin11@huawei.com>
parents 8f65c814 749eccf1
+53 −29
@@ -389,6 +389,22 @@ static u32 req_to_nbd_cmd_type(struct request *req)
	}
}

static struct nbd_config *nbd_get_config_unlocked(struct nbd_device *nbd)
{
	if (refcount_inc_not_zero(&nbd->config_refs)) {
		/*
		 * Add smp_mb__after_atomic to ensure that reading nbd->config_refs
		 * and reading nbd->config is ordered. The pair is the barrier in
		 * nbd_alloc_and_init_config(), avoid nbd->config_refs is set
		 * before nbd->config.
		 */
		smp_mb__after_atomic();
		return nbd->config;
	}

	return NULL;
}

static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
						 bool reserved)
{
@@ -404,13 +420,13 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
		return BLK_EH_DONE;
	}

	if (!refcount_inc_not_zero(&nbd->config_refs)) {
	config = nbd_get_config_unlocked(nbd);
	if (!config) {
		cmd->status = BLK_STS_TIMEOUT;
		__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags);
		mutex_unlock(&cmd->lock);
		goto done;
	}
	config = nbd->config;

	if (config->num_connections > 1 ||
	    (config->num_connections == 1 && nbd->tag_set.timeout)) {
@@ -969,12 +985,12 @@ static int nbd_handle_cmd(struct nbd_cmd *cmd, int index)
	struct nbd_sock *nsock;
	int ret;

	if (!refcount_inc_not_zero(&nbd->config_refs)) {
	config = nbd_get_config_unlocked(nbd);
	if (!config) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Socks array is empty\n");
		return -EINVAL;
	}
	config = nbd->config;

	if (index >= config->num_connections) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
@@ -1534,17 +1550,20 @@ static int nbd_ioctl(struct block_device *bdev, fmode_t mode,
	return error;
}

static struct nbd_config *nbd_alloc_config(void)
static int nbd_alloc_and_init_config(struct nbd_device *nbd)
{
	struct nbd_config *config;

	if (WARN_ON(nbd->config))
		return -EINVAL;

	if (!try_module_get(THIS_MODULE))
		return ERR_PTR(-ENODEV);
		return -ENODEV;

	config = kzalloc(sizeof(struct nbd_config), GFP_NOFS);
	if (!config) {
		module_put(THIS_MODULE);
		return ERR_PTR(-ENOMEM);
		return -ENOMEM;
	}

	atomic_set(&config->recv_threads, 0);
@@ -1552,12 +1571,24 @@ static struct nbd_config *nbd_alloc_config(void)
	init_waitqueue_head(&config->conn_wait);
	config->blksize = NBD_DEF_BLKSIZE;
	atomic_set(&config->live_connections, 0);
	return config;

	nbd->config = config;
	/*
	 * Order refcount_set(&nbd->config_refs, 1) and nbd->config assignment,
	 * its pair is the barrier in nbd_get_config_unlocked().
	 * So nbd_get_config_unlocked() won't see nbd->config as null after
	 * refcount_inc_not_zero() succeed.
	 */
	smp_mb__before_atomic();
	refcount_set(&nbd->config_refs, 1);

	return 0;
}

static int nbd_open(struct block_device *bdev, fmode_t mode)
{
	struct nbd_device *nbd;
	struct nbd_config *config;
	int ret = 0;

	mutex_lock(&nbd_index_mutex);
@@ -1570,26 +1601,24 @@ static int nbd_open(struct block_device *bdev, fmode_t mode)
		ret = -ENXIO;
		goto out;
	}
	if (!refcount_inc_not_zero(&nbd->config_refs)) {
		struct nbd_config *config;

	config = nbd_get_config_unlocked(nbd);
	if (!config) {
		mutex_lock(&nbd->config_lock);
		if (refcount_inc_not_zero(&nbd->config_refs)) {
			mutex_unlock(&nbd->config_lock);
			goto out;
		}
		config = nbd_alloc_config();
		if (IS_ERR(config)) {
			ret = PTR_ERR(config);
		ret = nbd_alloc_and_init_config(nbd);
		if (ret) {
			mutex_unlock(&nbd->config_lock);
			goto out;
		}
		nbd->config = config;
		refcount_set(&nbd->config_refs, 1);

		refcount_inc(&nbd->refs);
		mutex_unlock(&nbd->config_lock);
		set_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state);
	} else if (nbd_disconnected(nbd->config)) {
	} else if (nbd_disconnected(config)) {
		set_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state);
	}
out:
@@ -2006,22 +2035,17 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
		printk(KERN_ERR "nbd: nbd%d already in use\n", index);
		return -EBUSY;
	}
	if (WARN_ON(nbd->config)) {
		mutex_unlock(&nbd->config_lock);
		nbd_put(nbd);
		return -EINVAL;
	}
	config = nbd_alloc_config();
	if (IS_ERR(config)) {

	ret = nbd_alloc_and_init_config(nbd);
	if (ret) {
		mutex_unlock(&nbd->config_lock);
		nbd_put(nbd);
		printk(KERN_ERR "nbd: couldn't allocate config\n");
		return PTR_ERR(config);
		return ret;
	}
	nbd->config = config;
	refcount_set(&nbd->config_refs, 1);
	set_bit(NBD_RT_BOUND, &config->runtime_flags);

	config = nbd->config;
	set_bit(NBD_RT_BOUND, &config->runtime_flags);
	ret = nbd_genl_size_set(info, nbd);
	if (ret)
		goto out;
@@ -2199,7 +2223,8 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
	}
	mutex_unlock(&nbd_index_mutex);

	if (!refcount_inc_not_zero(&nbd->config_refs)) {
	config = nbd_get_config_unlocked(nbd);
	if (!config) {
		dev_err(nbd_to_dev(nbd),
			"not configured, cannot reconfigure\n");
		nbd_put(nbd);
@@ -2207,7 +2232,6 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
	}

	mutex_lock(&nbd->config_lock);
	config = nbd->config;
	if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
	    !nbd->pid) {
		dev_err(nbd_to_dev(nbd),
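Review bot: In nbd_genl_connect, the `printk(KERN_ERR "nbd: couldn't allocate config\n")` that follows the new `ret = nbd_alloc_and_init_config(nbd);` now runs for every nonzero return, including the -EINVAL the helper hands back from its `WARN_ON(nbd->config)` branch when the device is already configured, so that path logs a misleading allocation failure on top of the WARN splat where the removed inline check returned silently. Wrapping the message as `if (ret != -EINVAL)` before the printk keeps the old output for the -ENOMEM/-ENODEV cases and stays quiet for the already-configured case. Separately, in nbd_alloc_and_init_config the `smp_mb__before_atomic()` sits before `refcount_set()`, which is a plain store rather than an RMW atomic; the documented contract of that barrier covers RMW atomics, so an explicit `smp_wmb()` (or a release store of config_refs) would state the config-before-refcount publish ordering without leaning on behaviour the API does not promise — worth confirming against memory-barriers.txt. nbd_genl_connect both starts and ends outside this hunk.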