nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call
and can race with addition or removal of target types. Also
unregistering target type was not protected correctly.
Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm")
Signed-off-by: Rakesh Pandit <[email protected]>
---
V2: also add correct lock while unregistering and fix "Fixes" tag at
end. Note I found these while investigating another issue and
skimming the core code but worth fixing.
drivers/lightnvm/core.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
index 9f9a137..1b8338d 100644
--- a/drivers/lightnvm/core.c
+++ b/drivers/lightnvm/core.c
@@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt)
if (!tt)
return;
- down_write(&nvm_lock);
+ down_write(&nvm_tgtt_lock);
list_del(&tt->list);
- up_write(&nvm_lock);
+ up_write(&nvm_tgtt_lock);
}
EXPORT_SYMBOL(nvm_unregister_tgt_type);
@@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
info->version[1] = NVM_VERSION_MINOR;
info->version[2] = NVM_VERSION_PATCH;
- down_write(&nvm_lock);
+ down_write(&nvm_tgtt_lock);
list_for_each_entry(tt, &nvm_tgt_types, list) {
struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter];
@@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
}
info->tgtsize = tgt_iter;
- up_write(&nvm_lock);
+ up_write(&nvm_tgtt_lock);
if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) {
kfree(info);
--
2.7.4
> On 16 Sep 2017, at 20.39, Rakesh Pandit <[email protected]> wrote:
>
> nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call
> and can race with addition or removal of target types. Also
> unregistering target type was not protected correctly.
>
> Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm")
> Signed-off-by: Rakesh Pandit <[email protected]>
> ---
>
> V2: also add correct lock while unregistering and fix "Fixes" tag at
> end. Note I found these while investigating another issue and
> skimming the core code but worth fixing.
>
> drivers/lightnvm/core.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> index 9f9a137..1b8338d 100644
> --- a/drivers/lightnvm/core.c
> +++ b/drivers/lightnvm/core.c
> @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt)
> if (!tt)
> return;
>
> - down_write(&nvm_lock);
> + down_write(&nvm_tgtt_lock);
> list_del(&tt->list);
> - up_write(&nvm_lock);
> + up_write(&nvm_tgtt_lock);
> }
> EXPORT_SYMBOL(nvm_unregister_tgt_type);
>
> @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
> info->version[1] = NVM_VERSION_MINOR;
> info->version[2] = NVM_VERSION_PATCH;
>
> - down_write(&nvm_lock);
> + down_write(&nvm_tgtt_lock);
> list_for_each_entry(tt, &nvm_tgt_types, list) {
> struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter];
>
> @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
> }
>
> info->tgtsize = tgt_iter;
> - up_write(&nvm_lock);
> + up_write(&nvm_tgtt_lock);
>
> if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) {
> kfree(info);
> --
> 2.7.4
LGTM.
Reviewed-by: Javier González <[email protected]>
On 09/18/2017 09:53 AM, Javier González wrote:
>> On 16 Sep 2017, at 20.39, Rakesh Pandit <[email protected]> wrote:
>>
>> nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call
>> and can race with addition or removal of target types. Also
>> unregistering target type was not protected correctly.
>>
>> Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm")
>> Signed-off-by: Rakesh Pandit <[email protected]>
>> ---
>>
>> V2: also add correct lock while unregistering and fix "Fixes" tag at
>> end. Note I found these while investigating another issue and
>> skimming the core code but worth fixing.
>>
>> drivers/lightnvm/core.c | 8 ++++----
>> 1 file changed, 4 insertions(+), 4 deletions(-)
>>
>> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
>> index 9f9a137..1b8338d 100644
>> --- a/drivers/lightnvm/core.c
>> +++ b/drivers/lightnvm/core.c
>> @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt)
>> if (!tt)
>> return;
>>
>> - down_write(&nvm_lock);
>> + down_write(&nvm_tgtt_lock);
>> list_del(&tt->list);
>> - up_write(&nvm_lock);
>> + up_write(&nvm_tgtt_lock);
>> }
>> EXPORT_SYMBOL(nvm_unregister_tgt_type);
>>
>> @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
>> info->version[1] = NVM_VERSION_MINOR;
>> info->version[2] = NVM_VERSION_PATCH;
>>
>> - down_write(&nvm_lock);
>> + down_write(&nvm_tgtt_lock);
>> list_for_each_entry(tt, &nvm_tgt_types, list) {
>> struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter];
>>
>> @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg)
>> }
>>
>> info->tgtsize = tgt_iter;
>> - up_write(&nvm_lock);
>> + up_write(&nvm_tgtt_lock);
>>
>> if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) {
>> kfree(info);
>> --
>> 2.7.4
>
> LGTM.
>
> Reviewed-by: Javier González <[email protected]>
>
Thanks Rakesh.