From: Li Lingfeng <lilingfeng3@huawei.com> hulk inclusion category: bugfix bugzilla: 189228 -------------------------------- Commit bd0c825c26c3 ("[Backport] nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since refcount of nbd device is zero and private_data is not NULL. Fixes: bd0c825c26c3 ("[Backport] nbd: use blk_mq_alloc_disk and blk_cleanup_disk") Signed-off-by: Li Lingfeng <lilingfeng3@huawei.com> Signed-off-by: Li Nan <linan122@huawei.com> --- drivers/block/nbd.c | 1 + 1 file changed, 1 insertion(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 283395b1ed3c..fe06abb9f830 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -229,6 +229,7 @@ static void nbd_dev_remove(struct nbd_device *nbd) if (disk) { del_gendisk(disk); + disk->private_data = NULL; blk_cleanup_disk(disk); blk_mq_free_tag_set(&nbd->tag_set); } -- 2.39.2
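Review bot: The added `disk->private_data = NULL;` in nbd_dev_remove() is a plain store, and nothing in the hunk or the commit message says what serializes it against the read in nbd_open(). The message describes a race where nbd_open() runs right after nbd_put() while the refcount is zero and private_data is still set. Clearing the pointer closes that window only if nbd_open() reads private_data under a lock that is also held around this store, and only if it treats NULL as "device gone" before touching the refcount. Please name that lock in the commit message or in a one-line comment above the assignment, and confirm the NULL check exists in nbd_open() in this tree. It would also help to say why the store sits after del_gendisk() rather than before it, so the ordering is not undone by a later cleanup.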