Message ID | 20200429074627.5955-7-mcgrof@kernel.org (mailing list archive) |
---|---|
State | New, archived |
Series | block: fix blktrace debugfs use after free |
On Wed, Apr 29, 2020 at 07:46:27AM +0000, Luis Chamberlain wrote: > Be pedantic on removal as well and hold the mutex. > This should prevent uses of addition while we exit. > > Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> > --- > drivers/block/loop.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/block/loop.c b/drivers/block/loop.c > index da693e6a834e..6dccba22c9b5 100644 > --- a/drivers/block/loop.c > +++ b/drivers/block/loop.c > @@ -2333,6 +2333,8 @@ static void __exit loop_exit(void) > > range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; > > + mutex_lock(&loop_ctl_mutex); > + > idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); > idr_destroy(&loop_index_idr); > > @@ -2340,6 +2342,8 @@ static void __exit loop_exit(void) > unregister_blkdev(LOOP_MAJOR, "loop"); > > misc_deregister(&loop_misc); > + > + mutex_unlock(&loop_ctl_mutex); > } > > module_init(loop_init); What type of issue is this helping with? Can it be triggered today? if so, shouldn't it be backported to stable kernels? thanks, greg k-h
On Wed, Apr 29, 2020 at 07:46:27AM +0000, Luis Chamberlain wrote: > Be pedantic on removal as well and hold the mutex. > This should prevent uses of addition while we exit. > > Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> > --- > drivers/block/loop.c | 4 ++++ > 1 file changed, 4 insertions(+) > > diff --git a/drivers/block/loop.c b/drivers/block/loop.c > index da693e6a834e..6dccba22c9b5 100644 > --- a/drivers/block/loop.c > +++ b/drivers/block/loop.c > @@ -2333,6 +2333,8 @@ static void __exit loop_exit(void) > > range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; > > + mutex_lock(&loop_ctl_mutex); > + > idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); > idr_destroy(&loop_index_idr); > > @@ -2340,6 +2342,8 @@ static void __exit loop_exit(void) > unregister_blkdev(LOOP_MAJOR, "loop"); > > misc_deregister(&loop_misc); > + > + mutex_unlock(&loop_ctl_mutex); > } > > module_init(loop_init); > -- > 2.25.1 > Reviewed-by: Ming Lei <ming.lei@redhat.com>
On Wed, Apr 29, 2020 at 11:50:34AM +0200, Greg KH wrote: > On Wed, Apr 29, 2020 at 07:46:27AM +0000, Luis Chamberlain wrote: > > Be pedantic on removal as well and hold the mutex. > > This should prevent uses of addition while we exit. > > > > Signed-off-by: Luis Chamberlain <mcgrof@kernel.org> > > --- > > drivers/block/loop.c | 4 ++++ > > 1 file changed, 4 insertions(+) > > > > diff --git a/drivers/block/loop.c b/drivers/block/loop.c > > index da693e6a834e..6dccba22c9b5 100644 > > --- a/drivers/block/loop.c > > +++ b/drivers/block/loop.c > > @@ -2333,6 +2333,8 @@ static void __exit loop_exit(void) > > > > range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; > > > > + mutex_lock(&loop_ctl_mutex); > > + > > idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); > > idr_destroy(&loop_index_idr); > > > > @@ -2340,6 +2342,8 @@ static void __exit loop_exit(void) > > unregister_blkdev(LOOP_MAJOR, "loop"); > > > > misc_deregister(&loop_misc); > > + > > + mutex_unlock(&loop_ctl_mutex); > > } > > > > module_init(loop_init); > > What type of issue is this helping with? Can it be triggered today? if > so, shouldn't it be backported to stable kernels? Just code inspection. I can't trigger a userspace test script to crash the kernel yet, but suspect a race still does exist. Luis
diff --git a/drivers/block/loop.c b/drivers/block/loop.c index da693e6a834e..6dccba22c9b5 100644 --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -2333,6 +2333,8 @@ static void __exit loop_exit(void) range = max_loop ? max_loop << part_shift : 1UL << MINORBITS; + mutex_lock(&loop_ctl_mutex); + idr_for_each(&loop_index_idr, &loop_exit_cb, NULL); idr_destroy(&loop_index_idr); @@ -2340,6 +2342,8 @@ static void __exit loop_exit(void) unregister_blkdev(LOOP_MAJOR, "loop"); misc_deregister(&loop_misc); + + mutex_unlock(&loop_ctl_mutex); } module_init(loop_init);
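Review bot: in the first hunk (@@ -2333), mutex_lock(&loop_ctl_mutex) is taken before idr_for_each(&loop_index_idr, &loop_exit_cb, NULL), so loop_exit_cb and everything it calls now run with loop_ctl_mutex held. Nothing in the visible context shows whether that callback path ever takes loop_ctl_mutex itself; if it does, module unload would deadlock on its own lock. Please state in the commit message that the callback path was checked, or add a lockdep_assert_held(&loop_ctl_mutex) in the callback so the locking rule is documented and enforced.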
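Review bot: in the second hunk (@@ -2340), mutex_unlock(&loop_ctl_mutex) comes only after unregister_blkdev(LOOP_MAJOR, "loop") and misc_deregister(&loop_misc), so both teardown calls run under the mutex, while the commit message only says the lock "should prevent uses of addition while we exit". The log does not name the add path that can race with loop_exit() or explain why the two unregister calls must sit inside the critical section. Please describe the racing path and confirm that neither teardown call can wait on code that takes loop_ctl_mutex; that would also settle the stable-backport question raised in the thread.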
Be pedantic on removal as well and hold the mutex.
This should prevent uses of addition while we exit.

Signed-off-by: Luis Chamberlain <mcgrof@kernel.org>
---
 drivers/block/loop.c | 4 ++++
 1 file changed, 4 insertions(+)