Received: by 10.223.185.116 with SMTP id b49csp2392736wrg; Mon, 12 Feb 2018 08:51:28 -0800 (PST) X-Google-Smtp-Source: AH8x225czLQ8J0ySXEgvwVhBGizN9hogU+p7RvwWOMVwEip0Ld+TPh283AS9kuqfiCvOO8zb8/FK X-Received: by 2002:a17:902:14cb:: with SMTP id y11-v6mr10868258plg.294.1518454288693; Mon, 12 Feb 2018 08:51:28 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1518454288; cv=none; d=google.com; s=arc-20160816; b=WiBs1cuaJ+ZqZf3e+CoNqryJsMclCEV7U9cdi+b5qAmpCF8hiMqzo0SKjZU7iQrVx5 1T6suT06DbIUw5YgJ/6Fa+qavw+804rCyJhoXMsyr1k/iiYTEPZa1SLoGkabb3Cni2X3 mspQRiK82YlqZM/6LV0c/YkuCERcmypC7SaEh/vqaswCGi8EBfB9T3sIs+9fIYeFSdTZ oOAmCPyG97NimnUS0A34/ma5CBzVH7NFc+b/BQ20mLpHMOCMvkeg+KUXiYLhiFx3Mbmw wwxbK/AhxsU8blRsRSwiLbBtnxBDDUB29vdV5adjR1jhBe4yzbn3aTdTTG/XN87JeecQ zyhA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature:arc-authentication-results; bh=N2q3yKkDH7LSflKr04mqREN+2pDojy7MakryOQGlKPw=; b=DODfPMzZRqe8xmiIkYPSugc+ikfC4386qZ4/Bf8/7tQGs6HsxyeuCB2lQ1V3FiSrET M2d35edNZGf8iPPgmx8btHGQSrlZBZizlde9yrbWzA6NhX8tN5L4dgSLnj/L+VfeYAKf OEZCm3Edjh3w/9JoNnyrZI4jLPxCT2zECnldXnNSYiql5vLSD6u0E+5HSgNIEAAQjH1N l1NSRpbOCgZcfbKD8TngpKD0xT4yERArCMpv+e41vQfGijwRy1oGRUP7jheQWhdjZr8T ffAkG6aJUUBA+07C9PO1i89grwVIKaNWLIRI3gLgCQ3/dRXtcRo/boMcxnPfS4zUu0PS GZog== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=FxGmZx3Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t21-v6si646419plj.269.2018.02.12.08.51.14; Mon, 12 Feb 2018 08:51:28 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@oracle.com header.s=corp-2017-10-26 header.b=FxGmZx3Q; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=oracle.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S935079AbeBLM6E (ORCPT + 99 others); Mon, 12 Feb 2018 07:58:04 -0500 Received: from userp2120.oracle.com ([156.151.31.85]:57034 "EHLO userp2120.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S935065AbeBLM6A (ORCPT ); Mon, 12 Feb 2018 07:58:00 -0500 Received: from pps.filterd (userp2120.oracle.com [127.0.0.1]) by userp2120.oracle.com (8.16.0.22/8.16.0.22) with SMTP id w1CCvOAr109816; Mon, 12 Feb 2018 12:57:30 GMT DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=oracle.com; h=from : to : cc : subject : date : message-id; s=corp-2017-10-26; bh=N2q3yKkDH7LSflKr04mqREN+2pDojy7MakryOQGlKPw=; b=FxGmZx3Q8e68p4jK0Iqv5qWwXnxGyqZjeStBp29ef8eqxqEijMbIZ2QJ669tovdhVMqJ B9J3sj8QFVhSPReo6qORG4CZF5V7KBCHckqoxVfe0EgUpFtVWJKllBrT5Egzqj/yB0DN zewGp5hAwFweBZe/lzGuvCWHQcKwmCXAymrDSuRxpDIrKalG89S/X+fWzo8R/Q4xz7H1 WGtb1wvh/FmM6iBHWFa40qUEYJfWFQK3qklA+TLAhQ8dOy+cNVArUqnwu0ayKwqFZFBY dLJZiEfH3Gs61gJ+04OoEgjVGauxh98g0MOwYugbn893B2q1+0L4sjIlzsK8J9PjzHxS 9Q== Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp2120.oracle.com with ESMTP id 2g3ahv8720-1 (version=TLSv1.2 cipher=ECDHE-RSA-AES256-GCM-SHA384 bits=256 verify=OK); Mon, 12 Feb 2018 12:57:27 +0000 Received: from aserv0122.oracle.com (aserv0122.oracle.com [141.146.126.236]) by userv0021.oracle.com (8.14.4/8.14.4) with ESMTP id w1CCsikf001619 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=FAIL); Mon, 12 Feb 2018 12:54:44 GMT Received: from abhmp0018.oracle.com (abhmp0018.oracle.com [141.146.116.24]) by aserv0122.oracle.com (8.14.4/8.14.4) with ESMTP id w1CCsh0g013953; Mon, 12 Feb 2018 12:54:43 GMT Received: from will-ThinkCentre-M910s.cn.oracle.com (/10.182.70.254) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 12 Feb 2018 04:54:43 -0800 From: Jianchao Wang To: keith.busch@intel.com, axboe@fb.com, hch@lst.de, sagi@grimberg.me Cc: linux-nvme@lists.infradead.org, linux-kernel@vger.kernel.org Subject: [PATCH 1/3] nvme: fix the dangerous reference of namespaces list Date: Mon, 12 Feb 2018 20:54:44 +0800 Message-Id: <1518440086-583-1-git-send-email-jianchao.w.wang@oracle.com> X-Mailer: git-send-email 2.7.4 X-Proofpoint-Virus-Version: vendor=nai engine=5900 definitions=8802 signatures=668668 X-Proofpoint-Spam-Details: rule=notspam policy=default score=0 suspectscore=0 malwarescore=0 phishscore=0 bulkscore=0 spamscore=0 mlxscore=0 mlxlogscore=812 adultscore=0 classifier=spam adjust=0 reason=mlx scancount=1 engine=8.0.1-1711220000 definitions=main-1802120168 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org nvme_remove_namespaces and nvme_remove_invalid_namespaces reference the ctrl->namespaces list w/o holding namespaces_mutext. It is ok to invoke nvme_ns_remove there, but what if there is others. To be safer, reference the ctrl->namespaces list under namespaces_mutext. Signed-off-by: Jianchao Wang --- drivers/nvme/host/core.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c index 2fd8688..d05855b 100644 --- a/drivers/nvme/host/core.c +++ b/drivers/nvme/host/core.c @@ -3094,11 +3094,18 @@ static void nvme_remove_invalid_namespaces(struct nvme_ctrl *ctrl, unsigned nsid) { struct nvme_ns *ns, *next; + LIST_HEAD(rm_list); + mutex_lock(&ctrl->namespaces_mutex); list_for_each_entry_safe(ns, next, &ctrl->namespaces, list) { if (ns->head->ns_id > nsid) - nvme_ns_remove(ns); + list_move_tail(&ns->list, &rm_list); } + mutex_unlock(&ctrl->namespaces_mutex); + + list_for_each_entry_safe(ns, next, &rm_list, list) + nvme_ns_remove(ns); + } static int nvme_scan_ns_list(struct nvme_ctrl *ctrl, unsigned nn) @@ -3198,6 +3205,7 @@ EXPORT_SYMBOL_GPL(nvme_queue_scan); void nvme_remove_namespaces(struct nvme_ctrl *ctrl) { struct nvme_ns *ns, *next; + LIST_HEAD(ns_list); /* * The dead states indicates the controller was not gracefully @@ -3208,7 +3216,11 @@ void nvme_remove_namespaces(struct nvme_ctrl *ctrl) if (ctrl->state == NVME_CTRL_DEAD) nvme_kill_queues(ctrl); - list_for_each_entry_safe(ns, next, &ctrl->namespaces, list) + mutex_lock(&ctrl->namespaces_mutex); + list_splice_init(&ctrl->namespaces, &ns_list); + mutex_unlock(&ctrl->namespaces_mutex); + + list_for_each_entry_safe(ns, next, &ns_list, list) nvme_ns_remove(ns); } EXPORT_SYMBOL_GPL(nvme_remove_namespaces); -- 2.7.4