From: Li Lingfeng lilingfeng3@huawei.com
hulk inclusion category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I81XCK
--------------------------------
Commit bd0c825c26c3 ("[Backport] nbd: use blk_mq_alloc_disk and blk_cleanup_disk") cleans up disk by blk_cleanup_disk() and it won't set disk->private_data as NULL as before. UAF may be triggered in nbd_open() if someone tries to open nbd device right after nbd_put() since refcount of nbd device is zero and private_data is not NULL.
Fixes: bd0c825c26c3 ("[Backport] nbd: use blk_mq_alloc_disk and blk_cleanup_disk") Signed-off-by: Li Lingfeng lilingfeng3@huawei.com Signed-off-by: Li Nan linan122@huawei.com --- drivers/block/nbd.c | 1 + 1 file changed, 1 insertion(+)
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 283395b1ed3c..fe06abb9f830 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -229,6 +229,7 @@ static void nbd_dev_remove(struct nbd_device *nbd)
if (disk) { del_gendisk(disk); + disk->private_data = NULL; blk_cleanup_disk(disk); blk_mq_free_tag_set(&nbd->tag_set); }