Received: by 2002:ac0:bc90:0:0:0:0:0 with SMTP id a16csp476409img; Mon, 18 Mar 2019 07:22:36 -0700 (PDT) X-Google-Smtp-Source: APXvYqw6F3f1aCDtwnMRER/L23+ZFJtXMo7n7jMj+JnygT4xdry3o/0oxBIGzU/ixOvN3ha8LKGV X-Received: by 2002:a63:460a:: with SMTP id t10mr17438184pga.354.1552918956479; Mon, 18 Mar 2019 07:22:36 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1552918956; cv=none; d=google.com; s=arc-20160816; b=dUN7Dzxm5iXBdSmouvbOBljfn+62ZtgInqMV1v5CglaPfXMCr9Ew9nowrj22yx5Uhf pkzFUwODsFF+CmP1CNOu/XQFztxRu5uEKP3OLS+04m2vsCWTwdUEKtqluIYGU/d5gp5s p+jgBytQY0wiVDWQ+XIgvuiUsu/aVFzTvBATzIsKtc1qJ20PdE3lzvkIJxSTWa98jj28 8p2Eki133E3f2nGrlg1Qah3wO47dTbbY9ZVlmGDQmPQ7wklJf1WNHFIE+UUOwZeOrTw/ zuvIDtnuyZ2LlGU86dCTtRog/y/Ng5ZLfBvBTn8v4NKAleTnZcZr9YqwE6N8jCyChppZ 0Vhw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding :content-language:in-reply-to:mime-version:user-agent:date :message-id:from:references:cc:to:subject:dkim-signature; bh=3+eAWS/Rmc6f7GwRJVmc9nC5CxO0UcnP7Zod6D16lqU=; b=HnUzMY/yN/6GRXoMej5hi8lLD53dr8sfJK8E4rK+8cFFC52sWgjOT4fabbiTbhvOJr OxTyhFcj3hgL//WU+VFX5ylhzxgvXAefNnEKP4CInl+4l7UG+4unmnqcoJjxtMf2dhXx 4MBKBYGz4eqWhbPktVkg9B4Nzwin1pEmGSRmdwwzSPCXegOn5We4cKH23soeBAZ45X5O baC2gop9kqnR5StYn5iOOWqiR+9aslRz9Tf4KruHV2ngCxu23O/0VpVYx8GKB3oRCC/6 v+fTm1Aozz/vuAJKBGMUSWl25BilpxnIHmBuG/F0PL/2TFvLo16y8jnpi+OiGRc4FWNW OLIA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=tSAIpPkB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t16si7723047pgh.138.2019.03.18.07.22.20; Mon, 18 Mar 2019 07:22:36 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel-dk.20150623.gappssmtp.com header.s=20150623 header.b=tSAIpPkB; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727592AbfCROVm (ORCPT + 99 others); Mon, 18 Mar 2019 10:21:42 -0400 Received: from mail-it1-f195.google.com ([209.85.166.195]:34402 "EHLO mail-it1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726926AbfCROVm (ORCPT ); Mon, 18 Mar 2019 10:21:42 -0400 Received: by mail-it1-f195.google.com with SMTP id l4so9911642ite.1 for ; Mon, 18 Mar 2019 07:21:41 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel-dk.20150623.gappssmtp.com; s=20150623; h=subject:to:cc:references:from:message-id:date:user-agent :mime-version:in-reply-to:content-language:content-transfer-encoding; bh=3+eAWS/Rmc6f7GwRJVmc9nC5CxO0UcnP7Zod6D16lqU=; b=tSAIpPkB05uDR+b9SKj/vLk1S5eLFEW6C3+lscD2/hWQRnnyGnJKV8tOgvBccDQs04 LuMo6kTjA06s17gxwj8At93ZTi3DZUFUAfE+ax9aOCjLgy6VFiS1KUdD+Ssnu4FcEH2D wRo2gaNG6GXj5q4IJTsoc9/JwJ4WsqAoEmKKqeyLZmDosq8Rq5AcqdCDST94l11KHRJU RjDXY5me8VOVc0uT79cpV8pW4inrGeO7WxgSL+MhbkxEcJpY/GYgffGWq/Zfb70zvm/s Jk0LaCH05tP+vlJs2b/WcPS6YZSaE4ZdvtRG9ET9WmyLJA5i0+Yt8NDDksQTT+k2aCwx PakA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:cc:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=3+eAWS/Rmc6f7GwRJVmc9nC5CxO0UcnP7Zod6D16lqU=; b=boHtvvIFmZEnEkaCkqdbZ4/NwI0nJ303QnGe6K/QbRfgWXWf58fJdFVBZnxGsle0To G2rXdE9XrAhkrPmN7SFdSM8OL2WJGnFdgLAr7LnolxKdMoZpucLIKJEzucbsogO7XLBD ieBczSh9sH/GObi8TKeSM9aC4CnIGWJ0HFWryjr/INqoAwq5KtiWgf+WPtvNqK40izwG TeobWKcAaR7lbcFCtKGAlm75DV2G0khIe5Zo7uliBqiXDNDc0njMLk9DM/2NqjG9XUdr 30DyYPg+SPeK7Se76TXJvWmD1xRa1Opeajgd8YUsiNn0ABxhMg1UeD7o8jk1WRyRwRXN KxJQ== X-Gm-Message-State: APjAAAXS+ZcvVbcEbYeC78gl/7iO62yb19iKWMdThq/m3ytlyWqf8IjL BBU3LOjX/MidIPRjaTAIUodRmQ== X-Received: by 2002:a24:1747:: with SMTP id 68mr8917990ith.62.1552918900809; Mon, 18 Mar 2019 07:21:40 -0700 (PDT) Received: from [192.168.1.158] ([216.160.245.98]) by smtp.gmail.com with ESMTPSA id t74sm186626itb.11.2019.03.18.07.21.39 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Mon, 18 Mar 2019 07:21:39 -0700 (PDT) Subject: Re: [PATCH 1/1] loop: access lo_backing_file only when the loop device is Lo_bound To: Dongli Zhang , linux-block@vger.kernel.org Cc: linux-kernel@vger.kernel.org, jack@suse.cz, penguin-kernel@i-love.sakura.ne.jp References: <1552911797-20455-1-git-send-email-dongli.zhang@oracle.com> From: Jens Axboe Message-ID: <2debdd71-c444-a04b-c308-097d8e51ee4c@kernel.dk> Date: Mon, 18 Mar 2019 08:21:39 -0600 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.5.1 MIME-Version: 1.0 In-Reply-To: <1552911797-20455-1-git-send-email-dongli.zhang@oracle.com> Content-Type: text/plain; charset=utf-8 Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 3/18/19 6:23 AM, Dongli Zhang wrote: > Commit 758a58d0bc67 ("loop: set GENHD_FL_NO_PART_SCAN after > blkdev_reread_part()") separates "lo->lo_backing_file = NULL" and > "lo->lo_state = Lo_unbound" into different critical regions protected by > loop_ctl_mutex. > > However, there is below race that the NULL lo->lo_backing_file would be > accessed when the backend of a loop is another loop device, e.g., loop0's > backend is a file, while loop1's backend is loop0. > > loop0's backend is file loop1's backend is loop0 > > __loop_clr_fd() > mutex_lock(&loop_ctl_mutex); > lo->lo_backing_file = NULL; --> set to NULL > mutex_unlock(&loop_ctl_mutex); > loop_set_fd() > mutex_lock_killable(&loop_ctl_mutex); > loop_validate_file() > f = l->lo_backing_file; --> NULL > access if loop0 is not Lo_unbound > mutex_lock(&loop_ctl_mutex); > lo->lo_state = Lo_unbound; > mutex_unlock(&loop_ctl_mutex); > > lo->lo_backing_file should be accessed only when the loop device is > Lo_bound. > > In fact, the problem has been introduced already in commit 7ccd0791d985 > ("loop: Push loop_ctl_mutex down into loop_clr_fd()") after which > loop_validate_file() could see devices in Lo_rundown state with which it > did not count. It was harmless at that point but still. Thanks, applied. -- Jens Axboe