Patchwork loop: fix to a race condition due to the early registration of device

login
register
mail settings
Submitter Anton Volkov
Date Aug. 7, 2017, 12:37 p.m.
Message ID <1502109470-2945-1-git-send-email-avolkov@ispras.ru>
Download mbox | patch
Permalink /patch/9885335/
State New
Headers show

Comments

Anton Volkov - Aug. 7, 2017, 12:37 p.m.
The early device registration made possible a race leading to allocations
of disks with wrong minors.

This patch moves the device registration further down the loop_init
function to make the race infeasible.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Anton Volkov <avolkov@ispras.ru>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
---
 drivers/block/loop.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)
Johannes Thumshirn - Aug. 7, 2017, 12:54 p.m.
On Mon, Aug 07, 2017 at 03:37:50PM +0300, Anton Volkov wrote:
> +err_out:
>  	return err;

Any reason you can't just use return err; at the respective callsites?

Thanks,
	Johannes
Anton Volkov - Aug. 7, 2017, 1:09 p.m.
This is more of a style-oriented suggestion. This kind of template is 
commonly used in other modules.

Regards,
Anton

On 07.08.2017 15:54, Johannes Thumshirn wrote:
> On Mon, Aug 07, 2017 at 03:37:50PM +0300, Anton Volkov wrote:
>> +err_out:
>>   	return err;
> 
> Any reason you can't just use return err; at the respective callsites?
> 
> Thanks,
> 	Johannes
> 

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@ispras.ru
Johannes Thumshirn - Aug. 7, 2017, 1:24 p.m.
On Mon, Aug 07, 2017 at 04:09:12PM +0300, Anton Volkov wrote:
> This is more of a style-oriented suggestion. This kind of template is
> commonly used in other modules.

Yes but there is no point in using gotos here (i.e. cleanup to be done), you
an just return directly.

And yes it is a minor nit.

Anyways,

Reviewed-by: Johannes Thumshirn <jthumshirn@suse.de>
Omar Sandoval - Aug. 8, 2017, 10 p.m.
On Mon, Aug 07, 2017 at 03:37:50PM +0300, Anton Volkov wrote:
> The early device registration made possible a race leading to allocations
> of disks with wrong minors.
> 
> This patch moves the device registration further down the loop_init
> function to make the race infeasible.
> 
> Found by Linux Driver Verification project (linuxtesting.org).
> 
> Signed-off-by: Anton Volkov <avolkov@ispras.ru>
> Reviewed-by: Ming Lei <ming.lei@redhat.com>

Hi, Anton,

Were you able to reproduce this issue or was it purely theoretical? If
the former, it'd be nice if you could add a test case to blktests [1].

1: https://github.com/osandov/blktests

Thanks!
Omar
Anton Volkov - Aug. 10, 2017, 3:46 p.m.
Hello, Omar.

It was a purely theoretical race that had been considered to be possible 
in real-life.

Regards,
Anton

On 09.08.2017 01:00, Omar Sandoval wrote:
> On Mon, Aug 07, 2017 at 03:37:50PM +0300, Anton Volkov wrote:
>> The early device registration made possible a race leading to allocations
>> of disks with wrong minors.
>>
>> This patch moves the device registration further down the loop_init
>> function to make the race infeasible.
>>
>> Found by Linux Driver Verification project (linuxtesting.org).
>>
>> Signed-off-by: Anton Volkov <avolkov@ispras.ru>
>> Reviewed-by: Ming Lei <ming.lei@redhat.com>
> 
> Hi, Anton,
> 
> Were you able to reproduce this issue or was it purely theoretical? If
> the former, it'd be nice if you could add a test case to blktests [1].
> 
> 1: https://github.com/osandov/blktests
> 
> Thanks!
> Omar
> 

-- Anton Volkov
Linux Verification Center, ISPRAS
web: http://linuxtesting.org
e-mail: avolkov@ispras.ru
Jens Axboe - Aug. 15, 2017, 6:51 p.m.
On 08/07/2017 06:37 AM, Anton Volkov wrote:
> The early device registration made possible a race leading to allocations
> of disks with wrong minors.
> 
> This patch moves the device registration further down the loop_init
> function to make the race infeasible.
> 
> Found by Linux Driver Verification project (linuxtesting.org).

Added for 4.14, thanks.

Patch

diff --git a/drivers/block/loop.c b/drivers/block/loop.c
index ef83349..2fbd4089 100644
--- a/drivers/block/loop.c
+++ b/drivers/block/loop.c
@@ -1996,10 +1996,6 @@  static int __init loop_init(void)
 	struct loop_device *lo;
 	int err;
 
-	err = misc_register(&loop_misc);
-	if (err < 0)
-		return err;
-
 	part_shift = 0;
 	if (max_part > 0) {
 		part_shift = fls(max_part);
@@ -2017,12 +2013,12 @@  static int __init loop_init(void)
 
 	if ((1UL << part_shift) > DISK_MAX_PARTS) {
 		err = -EINVAL;
-		goto misc_out;
+		goto err_out;
 	}
 
 	if (max_loop > 1UL << (MINORBITS - part_shift)) {
 		err = -EINVAL;
-		goto misc_out;
+		goto err_out;
 	}
 
 	/*
@@ -2041,6 +2037,11 @@  static int __init loop_init(void)
 		range = 1UL << MINORBITS;
 	}
 
+	err = misc_register(&loop_misc);
+	if (err < 0)
+		goto err_out;
+
+
 	if (register_blkdev(LOOP_MAJOR, "loop")) {
 		err = -EIO;
 		goto misc_out;
@@ -2060,6 +2061,7 @@  static int __init loop_init(void)
 
 misc_out:
 	misc_deregister(&loop_misc);
+err_out:
 	return err;
 }