From patchwork Mon Aug 29 21:33:41 2016 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: Vegard Nossum X-Patchwork-Id: 9304505 Return-Path: Received: from mail.wl.linuxfoundation.org (pdx-wl-mail.web.codeaurora.org [172.30.200.125]) by pdx-korg-patchwork.web.codeaurora.org (Postfix) with ESMTP id 85C8560756 for ; Mon, 29 Aug 2016 21:34:35 +0000 (UTC) Received: from mail.wl.linuxfoundation.org (localhost [127.0.0.1]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 7B6332896F for ; Mon, 29 Aug 2016 21:34:35 +0000 (UTC) Received: by mail.wl.linuxfoundation.org (Postfix, from userid 486) id 70071289B4; Mon, 29 Aug 2016 21:34:35 +0000 (UTC) X-Spam-Checker-Version: SpamAssassin 3.3.1 (2010-03-16) on pdx-wl-mail.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.9 required=2.0 tests=BAYES_00,RCVD_IN_DNSWL_HI autolearn=ham version=3.3.1 Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.wl.linuxfoundation.org (Postfix) with ESMTP id 119872896F for ; Mon, 29 Aug 2016 21:34:34 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1756166AbcH2Ved (ORCPT ); Mon, 29 Aug 2016 17:34:33 -0400 Received: from userp1040.oracle.com ([156.151.31.81]:35349 "EHLO userp1040.oracle.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754874AbcH2Ved (ORCPT ); Mon, 29 Aug 2016 17:34:33 -0400 Received: from userv0021.oracle.com (userv0021.oracle.com [156.151.31.71]) by userp1040.oracle.com (Sentrion-MTA-4.3.2/Sentrion-MTA-4.3.2) with ESMTP id u7TLXj1M021577 (version=TLSv1 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 29 Aug 2016 21:33:46 GMT Received: from userv0122.oracle.com (userv0122.oracle.com [156.151.31.75]) by userv0021.oracle.com (8.13.8/8.13.8) with ESMTP id u7TLXjI0013201 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=OK); Mon, 29 Aug 2016 21:33:45 GMT Received: from abhmp0015.oracle.com (abhmp0015.oracle.com [141.146.116.21]) by userv0122.oracle.com (8.14.4/8.14.4) with ESMTP id u7TLXiJh017635; Mon, 29 Aug 2016 21:33:44 GMT Received: from [10.175.181.63] (/10.175.181.63) by default (Oracle Beehive Gateway v4.0) with ESMTP ; Mon, 29 Aug 2016 14:33:44 -0700 Subject: Re: [PATCH] bdev: fix NULL pointer dereference in sync()/close() race To: Tejun Heo References: <20160827070728.12432-1-vegard.nossum@oracle.com> <20160827090328.GA9457@dator> <20160829195540.GE28713@mtj.duckdns.org> Cc: Rabin Vincent , Jens Axboe , Jan Kara , Al Viro , linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, stable@vger.kernel.org From: Vegard Nossum Message-ID: <14b09a61-8e8f-166d-45b9-7dd07922286e@oracle.com> Date: Mon, 29 Aug 2016 23:33:41 +0200 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:45.0) Gecko/20100101 Thunderbird/45.2.0 MIME-Version: 1.0 In-Reply-To: <20160829195540.GE28713@mtj.duckdns.org> X-Source-IP: userv0021.oracle.com [156.151.31.71] Sender: linux-block-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-block@vger.kernel.org X-Virus-Scanned: ClamAV using ClamSMTP On 08/29/2016 09:55 PM, Tejun Heo wrote: > On Sat, Aug 27, 2016 at 11:30:22AM +0200, Vegard Nossum wrote: >> If people who are more savvy in block/fs code could ack the locking bits >> I think we should apply the patch ASAP because it's an easy local DOS if >> you have (open/read) access to any block device. > > I think the right thing to do there is doing blkdev_get() / > blkdev_put() around func() invocation in iterate_bdevs() rather than > holding bd_mutex across the callback. Can you please verify whether > that works? Didn't work for me, I kept getting use-after-free in __blkdev_get() on bdev->bd_invalidated after it calls bdev->bd_disk->fops->open(). I tried a few related things without much luck. The only thing that worked for me without holding the mutex across the call was this: if (inode->i_state & (I_FREEING|I_WILL_FREE|I_NEW) || @@ -1906,7 +1907,19 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg) iput(old_inode); old_inode = inode; - func(I_BDEV(inode), arg); + bdev = I_BDEV(inode); + + mutex_lock(&bdev->bd_mutex); + bdev->bd_openers++; + bdev->bd_holders++; + mutex_unlock(&bdev->bd_mutex); + + func(bdev, arg); + + mutex_lock(&bdev->bd_mutex); + bdev->bd_openers--; + bdev->bd_holders--; + mutex_unlock(&bdev->bd_mutex); spin_lock(&blockdev_superblock->s_inode_list_lock); } I'm guessing that's too simple to work in general (especially when you bring in partitions and stuff; I'm just opening /dev/sr0 in my reproducer). It's been a long day, I'll have a look tomorrow and see if I didn't just do something stupid. Vegard --- To unsubscribe from this list: send the line "unsubscribe linux-block" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html diff --git a/fs/block_dev.c b/fs/block_dev.c index 08ae993..586d745 100644 --- a/fs/block_dev.c +++ b/fs/block_dev.c @@ -1885,6 +1885,7 @@ void iterate_bdevs(void (*func)(struct block_device *, void *), void *arg) spin_lock(&blockdev_superblock->s_inode_list_lock); list_for_each_entry(inode, &blockdev_superblock->s_inodes, i_sb_list) { struct address_space *mapping = inode->i_mapping; + struct block_device *bdev; spin_lock(&inode->i_lock);