Commit 8847f1fd authored Mar 18, 2025 by Xiaoguang Wang Committed by Zheng Qixing Mar 18, 2025

scsi: target: tcmu: Fix possible page UAF

stable inclusion
from stable-v4.19.239
commit e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed
category: bugfix
bugzilla: https://gitee.com/src-openeuler/kernel/issues/IBP6TV
CVE: CVE-2022-49053

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=e3e0e067d5b34e4a68e3cc55f8eebc413f56f8ed

------------------

[ Upstream commit a6968f7a ]

tcmu_try_get_data_page() looks up pages under cmdr_lock, but it does not
take refcount properly and just returns page pointer. When
tcmu_try_get_data_page() returns, the returned page may have been freed by
tcmu_blocks_release().

We need to get_page() under cmdr_lock to avoid concurrent
tcmu_blocks_release().

Link: https://lore.kernel.org/r/20220311132206.24515-1-xiaoguang.wang@linux.alibaba.com


Reviewed-by: Bodo Stroesser <bostroesser@gmail.com>
Signed-off-by: Xiaoguang Wang <xiaoguang.wang@linux.alibaba.com>
Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Signed-off-by: Zheng Qixing <zhengqixing@huawei.com>

parent a304375c

drivers/target/target_core_user.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -1528,6 +1528,7 @@ static struct page tcmu_try_get_block_page(struct tcmu_dev udev, uint32_t dbi)
		mutex_lock(&udev->cmdr_lock);
		page = tcmu_get_block_page(udev, dbi);
		if (likely(page)) {
		get_page(page);
		mutex_unlock(&udev->cmdr_lock);
		return page;
		}
		@@ -1566,6 +1567,7 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf)
		/* For the vmalloc()ed cmd area pages */
		addr = (void *)(unsigned long)info->mem[mi].addr + offset;
		page = vmalloc_to_page(addr);
		get_page(page);
		} else {
		uint32_t dbi;

		@@ -1576,7 +1578,6 @@ static vm_fault_t tcmu_vma_fault(struct vm_fault *vmf)
		return VM_FAULT_SIGBUS;
		}

		get_page(page);
		vmf->page = page;
		return 0;
		}