From patchwork Fri Apr 28 13:49:19 2017
X-Patchwork-Submitter: Josef Bacik
X-Patchwork-Id: 9704753
From: Josef Bacik
To: axboe@kernel.dk, nbd-general@lists.sourceforge.net, linux-block@vger.kernel.org, kernel-team@fb.com
Subject: [PATCH] nbd: fix use after free on module unload
Date: Fri, 28 Apr 2017 09:49:19 -0400
Message-Id: <1493387359-9496-1-git-send-email-jbacik@fb.com>

list_for_each_entry() isn't super safe if we're freeing the objects while we traverse the list. Also don't bother taking the extra reference, the module refcounting stuff will save us from having anybody messing with the device while we're trying to unload.

Reported-by: Ming Lei
Signed-off-by: Josef Bacik --- drivers/block/nbd.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 76e5f8f..9a6d34e 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -2090,7 +2090,6 @@ static int nbd_exit_cb(int id, void *ptr, void *data) struct list_head *list = (struct list_head *)data; struct nbd_device *nbd = ptr; - refcount_inc(&nbd->refs); list_add_tail(&nbd->list, list); return 0; } @@ -2106,11 +2105,12 @@ static void __exit nbd_cleanup(void) idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list); mutex_unlock(&nbd_index_mutex); - list_for_each_entry(nbd, &del_list, list) { - if (refcount_read(&nbd->refs) != 2) + while (!list_empty(&del_list)) { + nbd = list_first_entry(&del_list, struct nbd_device, list); + list_del_init(&nbd->list); + if (refcount_read(&nbd->refs) != 1) printk(KERN_ERR "nbd: possibly leaking a device\n"); nbd_put(nbd); - nbd_put(nbd); } idr_destroy(&nbd_index_idr);
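
Review bot: In nbd_exit_cb() (first hunk), with `refcount_inc(&nbd->refs)` removed the device is linked onto the caller's list by `list_add_tail(&nbd->list, list)` without holding a reference of its own, and nothing in the function says why that is safe. The reason is only in the commit message (module refcounting keeps other users away during unload). A one-line comment above list_add_tail() stating that assumption would stop a later reader from re-adding the increment or reusing the callback outside the module exit path.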
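
Review bot: In the nbd_cleanup() loop (second hunk), the `refcount_read(&nbd->refs) != 1` branch only logs and then falls through to the single `nbd_put(nbd)`, so a device with extra references has already been unlinked by `list_del_init(&nbd->list)` and remains allocated while `idr_destroy(&nbd_index_idr)` runs. If logging is all that is intended here, the message should at least include the observed refcount so the leak can be diagnosed from the log. The expected value of 1 also depends on the refcount_inc() removal in nbd_exit_cb(), so a short comment tying the two together would keep them from drifting apart.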