Date: Mon, 17 Oct 2022 00:59:08 -0700
From: Christoph Hellwig
To: Yu Kuai
Cc: axboe@kernel.dk, gregkh@linuxfoundation.org, willy@infradead.org, kch@nvidia.com, martin.petersen@oracle.com, johannes.thumshirn@wdc.com, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, yukuai3@huawei.com, yi.zhang@huawei.com
Subject: Re: [PATCH RFC] block: fix use after free for bd_holder_dir/slave_dir
In-Reply-To: <20221012125838.1608619-1-yukuai1@huaweicloud.com>

AFAICS the problem is that the pre-registered holders don't get unregistered for a late add_disk failure. Something like this should fix your error:

diff --git a/block/genhd.c b/block/genhd.c index 17b33c62423df..6123005154b2a 100644 --- a/block/genhd.c +++ b/block/genhd.c @@ -484,7 +484,7 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk, ret = blk_register_queue(disk); if (ret) - goto out_put_slave_dir; + goto out_unregister_holders; if (!(disk->flags & GENHD_FL_HIDDEN)) { ret = bdi_register(disk->bdi, "%u:%u", @@ -526,6 +526,8 @@ int __must_check device_add_disk(struct device *parent, struct gendisk *disk, bdi_unregister(disk->bdi); out_unregister_queue: blk_unregister_queue(disk); +out_unregister_holders: + bd_unregister_all_holders(disk); out_put_slave_dir: kobject_put(disk->slave_dir); out_put_holder_dir:
diff --git a/block/holder.c b/block/holder.c index 5283bc804cc14..12c09d5c21280 100644 --- a/block/holder.c +++ b/block/holder.c @@ -169,3 +169,13 @@ int bd_register_pending_holders(struct gendisk *disk) mutex_unlock(&disk->open_mutex); return ret; } + +void bd_unregister_all_holders(struct gendisk *disk) +{ + struct bd_holder_disk *holder; + + mutex_lock(&disk->open_mutex); + list_for_each_entry(holder, &disk->slave_bdevs, list) + __unlink_disk_holder(holder->bdev, disk); + mutex_unlock(&disk->open_mutex); +} diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h index 50e358a19d986..ccab9a2dae4bd 100644 --- a/include/linux/blkdev.h +++ b/include/linux/blkdev.h @@ -840,6 +840,7 @@ void set_capacity(struct gendisk *disk, sector_t size); int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk); void bd_unlink_disk_holder(struct block_device *bdev, struct gendisk *disk); int bd_register_pending_holders(struct gendisk *disk); +void bd_unregister_all_holders(struct gendisk *disk); #else static inline int bd_link_disk_holder(struct block_device *bdev, struct gendisk *disk) @@ -854,6 +855,9 @@ static inline int bd_register_pending_holders(struct gendisk *disk) { return 0; } +static inline void bd_unregister_all_holders(struct gendisk *disk) +{ +} #endif /* CONFIG_BLOCK_HOLDER_DEPRECATED */ dev_t part_devt(struct gendisk *disk, u8 partno);
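Review bot: In the block/genhd.c unwind hunk (@@ -526), the new out_unregister_holders label drops the holder links, but the kobject_put(disk->slave_dir) that follows still leaves disk->slave_dir pointing at the released kobject, and nothing in the visible context clears it. Given that the subject is a use after free on bd_holder_dir/slave_dir, consider setting the pointers to NULL after the put, or add a comment explaining why no holder can be linked or unlinked against this disk once device_add_disk() has failed.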
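Review bot: bd_unregister_all_holders() in the block/holder.c hunk walks disk->slave_bdevs with list_for_each_entry() while calling __unlink_disk_holder() on each entry, and the function itself never takes entries off the list. The body of __unlink_disk_holder() is not part of this diff: if it can remove or free the entry, the loop needs list_for_each_entry_safe(); if it only drops the links, the entries remain queued, so a later bd_unlink_disk_holder() for the same bdev must not drop them a second time. A short comment stating that this is the error-path counterpart of bd_register_pending_holders(), and that it expects to take disk->open_mutex itself, would make the contract clear.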