| Message ID | 20170916183931.GA2824@hercules.tuxera.com (mailing list archive) |
|---|---|
| State | New, archived |
| Headers | show |
> On 16 Sep 2017, at 20.39, Rakesh Pandit <rakesh@tuxera.com> wrote: > > nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call > and can race with addition or removal of target types. Also > unregistering target type was not protected correctly. > > Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm") > Signed-off-by: Rakesh Pandit <rakesh@tuxera.com> > --- > > V2: also add correct lock while unregistering and fix "Fixes" tag at > end. Note I found these while investigating another issue and > skimming the core code but worth fixing. > > drivers/lightnvm/core.c | 8 ++++---- > 1 file changed, 4 insertions(+), 4 deletions(-) > > diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c > index 9f9a137..1b8338d 100644 > --- a/drivers/lightnvm/core.c > +++ b/drivers/lightnvm/core.c > @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt) > if (!tt) > return; > > - down_write(&nvm_lock); > + down_write(&nvm_tgtt_lock); > list_del(&tt->list); > - up_write(&nvm_lock); > + up_write(&nvm_tgtt_lock); > } > EXPORT_SYMBOL(nvm_unregister_tgt_type); > > @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) > info->version[1] = NVM_VERSION_MINOR; > info->version[2] = NVM_VERSION_PATCH; > > - down_write(&nvm_lock); > + down_write(&nvm_tgtt_lock); > list_for_each_entry(tt, &nvm_tgt_types, list) { > struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter]; > > @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) > } > > info->tgtsize = tgt_iter; > - up_write(&nvm_lock); > + up_write(&nvm_tgtt_lock); > > if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) { > kfree(info); > -- > 2.7.4 LGTM. Reviewed-by: Javier González <javier@cnexlabs.com>
On 09/18/2017 09:53 AM, Javier González wrote: >> On 16 Sep 2017, at 20.39, Rakesh Pandit <rakesh@tuxera.com> wrote: >> >> nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call >> and can race with addition or removal of target types. Also >> unregistering target type was not protected correctly. >> >> Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm") >> Signed-off-by: Rakesh Pandit <rakesh@tuxera.com> >> --- >> >> V2: also add correct lock while unregistering and fix "Fixes" tag at >> end. Note I found these while investigating another issue and >> skimming the core code but worth fixing. >> >> drivers/lightnvm/core.c | 8 ++++---- >> 1 file changed, 4 insertions(+), 4 deletions(-) >> >> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c >> index 9f9a137..1b8338d 100644 >> --- a/drivers/lightnvm/core.c >> +++ b/drivers/lightnvm/core.c >> @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt) >> if (!tt) >> return; >> >> - down_write(&nvm_lock); >> + down_write(&nvm_tgtt_lock); >> list_del(&tt->list); >> - up_write(&nvm_lock); >> + up_write(&nvm_tgtt_lock); >> } >> EXPORT_SYMBOL(nvm_unregister_tgt_type); >> >> @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) >> info->version[1] = NVM_VERSION_MINOR; >> info->version[2] = NVM_VERSION_PATCH; >> >> - down_write(&nvm_lock); >> + down_write(&nvm_tgtt_lock); >> list_for_each_entry(tt, &nvm_tgt_types, list) { >> struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter]; >> >> @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) >> } >> >> info->tgtsize = tgt_iter; >> - up_write(&nvm_lock); >> + up_write(&nvm_tgtt_lock); >> >> if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) { >> kfree(info); >> -- >> 2.7.4 > > LGTM. > > Reviewed-by: Javier González <javier@cnexlabs.com> > Thanks Rakesh.
diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c index 9f9a137..1b8338d 100644 --- a/drivers/lightnvm/core.c +++ b/drivers/lightnvm/core.c @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt) if (!tt) return; - down_write(&nvm_lock); + down_write(&nvm_tgtt_lock); list_del(&tt->list); - up_write(&nvm_lock); + up_write(&nvm_tgtt_lock); } EXPORT_SYMBOL(nvm_unregister_tgt_type); @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) info->version[1] = NVM_VERSION_MINOR; info->version[2] = NVM_VERSION_PATCH; - down_write(&nvm_lock); + down_write(&nvm_tgtt_lock); list_for_each_entry(tt, &nvm_tgt_types, list) { struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter]; @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void __user *arg) } info->tgtsize = tgt_iter; - up_write(&nvm_lock); + up_write(&nvm_tgtt_lock); if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) { kfree(info);
nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call and can race with addition or removal of target types. Also unregistering target type was not protected correctly. Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm") Signed-off-by: Rakesh Pandit <rakesh@tuxera.com> --- V2: also add correct lock while unregistering and fix "Fixes" tag at end. Note I found these while investigating another issue and skimming the core code but worth fixing. drivers/lightnvm/core.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-)