
Bug #14654

closed

blkdev softstate use after free

Added by Hans Rosenfeld 28 days ago. Updated 27 days ago.

Status: Closed
Priority: Normal
Category: driver - device drivers
Start date:
Due date:
% Done: 100%
Estimated time:
Difficulty: Bite-size
Tags:
Gerrit CR:

Description

While experimenting with namespace management I encountered panics when nvme called into blkdev. The blkdev handle was still valid, but the blkdev instance had been detached outside of nvme's control and its softstate had been freed.

The code paths in blkdev that are called with a blkdev handle and use the softstate h_bd from it always check that it's non-NULL. So blkdev's bd_attach() and bd_detach() need to make sure that the softstate link h_bd in the blkdev handle is only set if the device attach succeeded, and cleared when the device is detaching.
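A minimal model of the handle/softstate lifecycle the report describes, added here as an illustration and not taken from illumos blkdev: the hypothetical `bd_attach`, `bd_detach` and `bd_xfer_done` only stand in for the real entry points, and the `fail` parameter simulates a failing attach. The invariant shown is the one the fix enforces: `h_bd` is set only after a successful attach and cleared before the softstate is freed, so later calls through the handle get an error instead of touching freed memory.

```c
#include <stdlib.h>
#include <errno.h>

/* Hypothetical model of a blkdev instance's softstate (not illumos code). */
struct bd_softstate {
	int d_attached;
};

/* The handle the client driver (nvme in the report) holds on to.
 * h_bd is the link to the softstate and the only pointer at risk. */
typedef struct bd_handle {
	struct bd_softstate *h_bd;
} *bd_handle_t;

/* Model of the attach path; 'fail' simulates an attach failure. */
static int
bd_attach(bd_handle_t hdl, int fail)
{
	struct bd_softstate *bd = calloc(1, sizeof (*bd));

	if (bd == NULL)
		return (ENOMEM);
	if (fail) {
		/* Attach failed: release the softstate, leave h_bd as NULL. */
		free(bd);
		return (EIO);
	}
	bd->d_attached = 1;
	/* Only after success is the handle linked to the softstate. */
	hdl->h_bd = bd;
	return (0);
}

/* Model of the detach path: clear the link before freeing, so the
 * handle never points at freed memory. */
static void
bd_detach(bd_handle_t hdl)
{
	struct bd_softstate *bd = hdl->h_bd;

	hdl->h_bd = NULL;
	free(bd);
}

/* Model of an entry point called with a handle: check h_bd first. */
static int
bd_xfer_done(bd_handle_t hdl)
{
	struct bd_softstate *bd = hdl->h_bd;

	if (bd == NULL)
		return (ENXIO);	/* instance gone: error, not a panic */
	return (bd->d_attached ? 0 : EIO);
}
```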

#1

Updated by Electric Monk 28 days ago

  • Gerrit CR set to 2125

#2

Updated by Hans Rosenfeld 27 days ago

Testing: I've been running with these changes for a while while developing NVMe namespace management. The panics caused by running nvmeadm after the system had detached the blkdev instances on its own (without nvme knowing) no longer happened.

#3

Updated by Electric Monk 27 days ago

  • Status changed from New to Closed
  • % Done changed from 0 to 100

git commit da00bec1e7243a6545b45e42283b8549cf19de1f

commit  da00bec1e7243a6545b45e42283b8549cf19de1f
Author: Hans Rosenfeld <rosenfeld@grumpf.hope-2000.org>
Date:   2022-04-22T21:03:46.000Z

    14654 blkdev softstate use after free
    Reviewed by: Andrew Giles <agiles@tintri.com>
    Reviewed by: Guy Morrogh <gmorrogh@tintri.com>
    Reviewed by: Ben Jameson <bjameson@tintri.com>
    Reviewed by: Gordon Ross <Gordon.W.Ross@gmail.com>
    Reviewed by: Paul Winder <paul@winder.uk.net>
    Reviewed by: Toomas Soome <tsoome@me.com>
    Approved by: Robert Mustacchi <rm+illumos@fingolfin.org>
