GitHub-Mirror/linux-bl808
2
0
Fork 0
mirror of https://github.com/Fishwaldo/linux-bl808.git synced 2025-06-17 20:25:19 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

genhd: Fix use after free in __blkdev_get()

Browse source 
When two blkdev_open() calls race with device removal and recreation,
__blkdev_get() can use looked up gendisk after it is freed:

CPU0				CPU1			CPU2
							del_gendisk(disk);
							  bdev_unhash_inode(inode);
blkdev_open()			blkdev_open()
  bdev = bd_acquire(inode);
    - creates and returns new inode
				  bdev = bd_acquire(inode);
				    - returns the same inode
  __blkdev_get(devt)		  __blkdev_get(devt)
    disk = get_gendisk(devt);
      - got structure of device going away
							<finish device removal>
							<new device gets
							 created under the same
							 device number>
				  disk = get_gendisk(devt);
				    - got new device structure
				  if (!bdev->bd_openers) {
				    does the first open
				  }
    if (!bdev->bd_openers)
      - false
    } else {
      put_disk_and_module(disk)
        - remember this was old device - this was last ref and disk is
          now freed
    }
    disk_unblock_events(disk); -> oops

Fix the problem by making sure we drop reference to disk in
__blkdev_get() only after we are really done with it.

Reported-by: Hou Tao <houtao1@huawei.com>
Tested-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Jan Kara <jack@suse.cz>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
This commit is contained in:
Jan Kara 2018-02-26 13:01:40 +01:00 committed by Jens Axboe
parent 9df6c29912
commit 897366537f
1 changed files with 5 additions and 2 deletions
Download patch file Download diff file Expand all files Collapse all files

7
fs/block_dev.c
View file

@ -1409,6 +1409,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
int ret; int ret;
int partno; int partno;
int perm = 0; int perm = 0;
bool first_open = false;
if (mode & FMODE_READ) if (mode & FMODE_READ)
perm |= MAY_READ; perm |= MAY_READ;
@ -1435,6 +1436,7 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
disk_block_events(disk); disk_block_events(disk);
mutex_lock_nested(&bdev->bd_mutex, for_part); mutex_lock_nested(&bdev->bd_mutex, for_part);
if (!bdev->bd_openers) { if (!bdev->bd_openers) {
first_open = true;
bdev->bd_disk = disk; bdev->bd_disk = disk;
bdev->bd_queue = disk->queue; bdev->bd_queue = disk->queue;
bdev->bd_contains = bdev; bdev->bd_contains = bdev;
@ -1520,14 +1522,15 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
if (ret) if (ret)
goto out_unlock_bdev; goto out_unlock_bdev;
} }
/* only one opener holds refs to the module and disk */
put_disk_and_module(disk);
} }
bdev->bd_openers++; bdev->bd_openers++;
if (for_part) if (for_part)
bdev->bd_part_count++; bdev->bd_part_count++;
mutex_unlock(&bdev->bd_mutex); mutex_unlock(&bdev->bd_mutex);
disk_unblock_events(disk); disk_unblock_events(disk);
/* only one opener holds refs to the module and disk */
if (!first_open)
put_disk_and_module(disk);
return 0; return 0;
out_clear: out_clear: