
[2/5] virtio_blk: simplify refcounting

Message ID 20220202155659.107895-3-hch@lst.de (mailing list archive)
State New, archived

Commit Message

Christoph Hellwig Feb. 2, 2022, 3:56 p.m. UTC
Implement the ->free_disk method to free the virtio_blk structure only
once the last gendisk reference goes away instead of keeping a local
refcount.

Signed-off-by: Christoph Hellwig <hch@lst.de>
---
 drivers/block/virtio_blk.c | 64 +++++++-------------------------------
 1 file changed, 12 insertions(+), 52 deletions(-)

Comments

Michael S. Tsirkin Feb. 3, 2022, 6:27 a.m. UTC | #1
On Wed, Feb 02, 2022 at 04:56:56PM +0100, Christoph Hellwig wrote:
> Implement the ->free_disk method to free the virtio_blk structure only
> once the last gendisk reference goes away instead of keeping a local
> refcount.
> 
> Signed-off-by: Christoph Hellwig <hch@lst.de>

Acked-by: Michael S. Tsirkin <mst@redhat.com>

> ---
>  drivers/block/virtio_blk.c | 64 +++++++-------------------------------
>  1 file changed, 12 insertions(+), 52 deletions(-)
> 
> diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
> index c443cd64fc9b4..2d939ac1508c1 100644
> --- a/drivers/block/virtio_blk.c
> +++ b/drivers/block/virtio_blk.c
> @@ -69,13 +69,6 @@ struct virtio_blk {
>  	/* Process context for config space updates */
>  	struct work_struct config_work;
>  
> -	/*
> -	 * Tracks references from block_device_operations open/release and
> -	 * virtio_driver probe/remove so this object can be freed once no
> -	 * longer in use.
> -	 */
> -	refcount_t refs;
> -
>  	/* What host tells us, plus 2 for header & tailer. */
>  	unsigned int sg_elems;
>  
> @@ -391,43 +384,6 @@ static int virtblk_get_id(struct gendisk *disk, char *id_str)
>  	return err;
>  }
>  
> -static void virtblk_get(struct virtio_blk *vblk)
> -{
> -	refcount_inc(&vblk->refs);
> -}
> -
> -static void virtblk_put(struct virtio_blk *vblk)
> -{
> -	if (refcount_dec_and_test(&vblk->refs)) {
> -		ida_simple_remove(&vd_index_ida, vblk->index);
> -		mutex_destroy(&vblk->vdev_mutex);
> -		kfree(vblk);
> -	}
> -}
> -
> -static int virtblk_open(struct block_device *bd, fmode_t mode)
> -{
> -	struct virtio_blk *vblk = bd->bd_disk->private_data;
> -	int ret = 0;
> -
> -	mutex_lock(&vblk->vdev_mutex);
> -
> -	if (vblk->vdev)
> -		virtblk_get(vblk);
> -	else
> -		ret = -ENXIO;
> -
> -	mutex_unlock(&vblk->vdev_mutex);
> -	return ret;
> -}
> -
> -static void virtblk_release(struct gendisk *disk, fmode_t mode)
> -{
> -	struct virtio_blk *vblk = disk->private_data;
> -
> -	virtblk_put(vblk);
> -}
> -
>  /* We provide getgeo only to please some old bootloader/partitioning tools */
>  static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo)
>  {
> @@ -460,11 +416,19 @@ static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo)
>  	return ret;
>  }
>  
> +static void virtblk_free_disk(struct gendisk *disk)
> +{
> +	struct virtio_blk *vblk = disk->private_data;
> +
> +	ida_simple_remove(&vd_index_ida, vblk->index);
> +	mutex_destroy(&vblk->vdev_mutex);
> +	kfree(vblk);
> +}
> +
>  static const struct block_device_operations virtblk_fops = {
> -	.owner  = THIS_MODULE,
> -	.open = virtblk_open,
> -	.release = virtblk_release,
> -	.getgeo = virtblk_getgeo,
> +	.owner  	= THIS_MODULE,
> +	.getgeo		= virtblk_getgeo,
> +	.free_disk	= virtblk_free_disk,
>  };
>  
>  static int index_to_minor(int index)
> @@ -791,8 +755,6 @@ static int virtblk_probe(struct virtio_device *vdev)
>  		goto out_free_index;
>  	}
>  
> -	/* This reference is dropped in virtblk_remove(). */
> -	refcount_set(&vblk->refs, 1);
>  	mutex_init(&vblk->vdev_mutex);
>  
>  	vblk->vdev = vdev;
> @@ -985,8 +947,6 @@ static void virtblk_remove(struct virtio_device *vdev)
>  	kfree(vblk->vqs);
>  
>  	mutex_unlock(&vblk->vdev_mutex);
> -
> -	virtblk_put(vblk);
>  }
>  
>  #ifdef CONFIG_PM_SLEEP
> -- 
> 2.30.2
Stefan Hajnoczi Feb. 3, 2022, 9:15 a.m. UTC | #2
On Wed, Feb 02, 2022 at 04:56:56PM +0100, Christoph Hellwig wrote:
> @@ -985,8 +947,6 @@ static void virtblk_remove(struct virtio_device *vdev)
>  	kfree(vblk->vqs);
>  
>  	mutex_unlock(&vblk->vdev_mutex);
> -
> -	virtblk_put(vblk);
>  }

Thank you, this is a nice cleanup! One question:

File systems are unmounted and block devices are not open. PCI hot
unplug calls virtblk_remove(). It looks like vblk is used after being freed
by virtblk_free_disk() halfway through virtblk_remove()?

  static void virtblk_remove(struct virtio_device *vdev)
  {
          struct virtio_blk *vblk = vdev->priv;
  
          /* Make sure no work handler is accessing the device. */
          flush_work(&vblk->config_work);
  
          del_gendisk(vblk->disk);
          blk_cleanup_disk(vblk->disk);
	          ^--- is virtblk_free_disk() called here?
          blk_mq_free_tag_set(&vblk->tag_set);
	                         ^--- use after free
  
          mutex_lock(&vblk->vdev_mutex);
  
          /* Stop all the virtqueues. */
          virtio_reset_device(vdev);
  
          /* Virtqueues are stopped, nothing can use vblk->vdev anymore. */
          vblk->vdev = NULL;
  
          vdev->config->del_vqs(vdev);
          kfree(vblk->vqs);
  
          mutex_unlock(&vblk->vdev_mutex);
  }

Stefan
Christoph Hellwig Feb. 3, 2022, 1:06 p.m. UTC | #3
On Thu, Feb 03, 2022 at 09:15:53AM +0000, Stefan Hajnoczi wrote:
>           /* Make sure no work handler is accessing the device. */
>           flush_work(&vblk->config_work);
>   
>           del_gendisk(vblk->disk);
>           blk_cleanup_disk(vblk->disk);
> 	          ^--- is virtblk_free_disk() called here?
>           blk_mq_free_tag_set(&vblk->tag_set);
> 	                         ^--- use after free

Yeah.  We need to split up blk_cleanup_disk again for this into
separate calls to blk_cleanup_queue and put_disk..

Patch

diff --git a/drivers/block/virtio_blk.c b/drivers/block/virtio_blk.c
index c443cd64fc9b4..2d939ac1508c1 100644
--- a/drivers/block/virtio_blk.c
+++ b/drivers/block/virtio_blk.c
@@ -69,13 +69,6 @@  struct virtio_blk {
 	/* Process context for config space updates */
 	struct work_struct config_work;
 
-	/*
-	 * Tracks references from block_device_operations open/release and
-	 * virtio_driver probe/remove so this object can be freed once no
-	 * longer in use.
-	 */
-	refcount_t refs;
-
 	/* What host tells us, plus 2 for header & tailer. */
 	unsigned int sg_elems;
 
@@ -391,43 +384,6 @@  static int virtblk_get_id(struct gendisk *disk, char *id_str)
 	return err;
 }
 
-static void virtblk_get(struct virtio_blk *vblk)
-{
-	refcount_inc(&vblk->refs);
-}
-
-static void virtblk_put(struct virtio_blk *vblk)
-{
-	if (refcount_dec_and_test(&vblk->refs)) {
-		ida_simple_remove(&vd_index_ida, vblk->index);
-		mutex_destroy(&vblk->vdev_mutex);
-		kfree(vblk);
-	}
-}
-
-static int virtblk_open(struct block_device *bd, fmode_t mode)
-{
-	struct virtio_blk *vblk = bd->bd_disk->private_data;
-	int ret = 0;
-
-	mutex_lock(&vblk->vdev_mutex);
-
-	if (vblk->vdev)
-		virtblk_get(vblk);
-	else
-		ret = -ENXIO;
-
-	mutex_unlock(&vblk->vdev_mutex);
-	return ret;
-}
-
-static void virtblk_release(struct gendisk *disk, fmode_t mode)
-{
-	struct virtio_blk *vblk = disk->private_data;
-
-	virtblk_put(vblk);
-}
-
 /* We provide getgeo only to please some old bootloader/partitioning tools */
 static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo)
 {
@@ -460,11 +416,19 @@  static int virtblk_getgeo(struct block_device *bd, struct hd_geometry *geo)
 	return ret;
 }
 
+static void virtblk_free_disk(struct gendisk *disk)
+{
+	struct virtio_blk *vblk = disk->private_data;
+
+	ida_simple_remove(&vd_index_ida, vblk->index);
+	mutex_destroy(&vblk->vdev_mutex);
+	kfree(vblk);
+}
+
 static const struct block_device_operations virtblk_fops = {
-	.owner  = THIS_MODULE,
-	.open = virtblk_open,
-	.release = virtblk_release,
-	.getgeo = virtblk_getgeo,
+	.owner  	= THIS_MODULE,
+	.getgeo		= virtblk_getgeo,
+	.free_disk	= virtblk_free_disk,
 };
 
 static int index_to_minor(int index)
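Review bot: virtblk_free_disk() carries no comment saying when the block layer invokes it, so a reader has to know the ->free_disk contract from patch 1/5 to see why the ida slot, the mutex and the allocation are released here and nowhere else; a header comment such as `/* ->free_disk callback: runs once the last gendisk reference is dropped, so everything the driver allocated for vblk is released here and nothing that may already be torn down is touched. */` would make that contract visible at the definition. The same hunk drops the open-time -ENXIO check that virtblk_open() performed once remove had cleared vblk->vdev; presumably the block layer now refuses new opens after del_gendisk() and the remaining callbacks still test vblk->vdev under vdev_mutex, but both are outside this hunk and deserve a sentence in the commit message. As a point of style, the `.owner` initializer pads with two spaces plus a tab before `=` while `.getgeo` and `.free_disk` use tabs only, so the three `=` columns only line up by accident of tab width.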
@@ -791,8 +755,6 @@  static int virtblk_probe(struct virtio_device *vdev)
 		goto out_free_index;
 	}
 
-	/* This reference is dropped in virtblk_remove(). */
-	refcount_set(&vblk->refs, 1);
 	mutex_init(&vblk->vdev_mutex);
 
 	vblk->vdev = vdev;
@@ -985,8 +947,6 @@  static void virtblk_remove(struct virtio_device *vdev)
 	kfree(vblk->vqs);
 
 	mutex_unlock(&vblk->vdev_mutex);
-
-	virtblk_put(vblk);
 }
 
 #ifdef CONFIG_PM_SLEEP