Date: Wed, 13 Jun 2018 16:14:18 -0600
From: Anatoliy Glagolev
To: linux-block@vger.kernel.org, "James E.J. Bottomley", FUJITA Tomonori, Jens Axboe, linux-scsi@vger.kernel.org, Christoph Hellwig
Cc: linux-kernel@vger.kernel.org
Subject: [PATCH] block: fix bsg_unregister and bsg_open race
Message-ID: <20180613221417.GA22778@xldev-tmpl.dev.purestorage.com>

The existing implementation allows races between bsg_unregister and
bsg_open paths. bsg_unregister and request_queue cleanup and deletion
may start and complete right after bsg_get_device (in bsg_open path)
retrieves bsg_class_device and releases the mutex. Then bsg_open path
touches freed memory of bsg_class_device and request_queue.

One possible fix is to hold the mutex all the way through
bsg_get_device instead of releasing it after bsg_class_device retrieval.

From a8647f9cfb3b2b69dcac493554cb6ea2f9b4c2dd Mon Sep 17 00:00:00 2001
From: Anatoliy Glagolev Date: Wed, 13 Jun 2018 15:38:51 -0600 Subject: [PATCH] Fix race of bsg_open and bsg_unregister Signed-Off-By: Anatoliy Glagolev --- block/bsg.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) diff --git a/block/bsg.c b/block/bsg.c index 132e657..10bc6a4 100644 --- a/block/bsg.c +++ b/block/bsg.c @@ -693,6 +693,8 @@ static struct bsg_device *bsg_add_device(struct inode *inode, struct bsg_device *bd; unsigned char buf[32]; + lockdep_assert_held(&bsg_mutex); + if (!blk_get_queue(rq)) return ERR_PTR(-ENXIO); @@ -707,14 +709,12 @@ static struct bsg_device *bsg_add_device(struct inode *inode, bsg_set_block(bd, file); atomic_set(&bd->ref_count, 1); - mutex_lock(&bsg_mutex); hlist_add_head(&bd->dev_list, bsg_dev_idx_hash(iminor(inode))); strncpy(bd->name, dev_name(rq->bsg_dev.class_dev), sizeof(bd->name) - 1); bsg_dbg(bd, "bound to <%s>, max queue %d\n", format_dev_t(buf, inode->i_rdev), bd->max_queue); - mutex_unlock(&bsg_mutex); return bd; } @@ -722,7 +722,7 @@ static struct bsg_device *__bsg_get_device(int minor, struct request_queue *q) { struct bsg_device *bd; - mutex_lock(&bsg_mutex); + lockdep_assert_held(&bsg_mutex); hlist_for_each_entry(bd, bsg_dev_idx_hash(minor), dev_list) { if (bd->queue == q) { @@ -732,7 +732,6 @@ static struct bsg_device *__bsg_get_device(int minor, struct request_queue *q) } bd = NULL; found: - mutex_unlock(&bsg_mutex); return bd; } @@ -746,16 +745,18 @@ static struct bsg_device *bsg_get_device(struct inode *inode, struct file *file) */ mutex_lock(&bsg_mutex); bcd = idr_find(&bsg_minor_idr, iminor(inode)); - mutex_unlock(&bsg_mutex); if (!bcd) return ERR_PTR(-ENODEV); bd = __bsg_get_device(iminor(inode), bcd->queue); - if (bd) + if (bd) { + mutex_unlock(&bsg_mutex); return bd; + } bd = bsg_add_device(inode, bcd->queue, file); + mutex_unlock(&bsg_mutex); return bd; } -- 1.9.1
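
Review bot: in bsg_get_device, the `if (!bcd) return ERR_PTR(-ENODEV);` path now returns with bsg_mutex still held, because the mutex_unlock that used to precede it is removed and no unlock is added on that branch. Any later caller taking bsg_mutex would then block. Suggest setting bd = ERR_PTR(-ENODEV) and jumping to a single unlock label placed before `return bd;`, which would also collapse the two mutex_unlock calls added at the end of the function into one.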
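
Review bot: the lockdep_assert_held(&bsg_mutex) lines added to bsg_add_device and __bsg_get_device make bsg_mutex a caller-held precondition, but neither function gets a comment saying so. bsg_add_device also now runs its blk_get_queue(rq) check and everything up to hlist_add_head under the lock, where before only the hash insertion, the name copy and the debug print were covered. Suggest a one-line comment above each function stating that the caller must hold bsg_mutex, and a sentence in the changelog noting that the wider critical section is intended.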
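
Review bot: the embedded commit header carries only a subject line and the sign-off, so the description of the race is in the mail text above the "From a8647f9..." line rather than in the commit message itself; please put that description in the commit body. The tag is conventionally spelled `Signed-off-by:`, and the embedded subject ("Fix race of bsg_open and bsg_unregister") drops the `block:` prefix that the mail subject uses.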