Re: [PATCH] block: protect rw_page against device teardown

From: Williams, Dan J
Date: Fri Nov 20 2015 - 13:26:27 EST

Next message: Ondrej Zary: "Re: [PATCH 00/71] More fixes, cleanup and modernization for NCR5380 drivers"
Previous message: Felipe Balbi: "Re: [RFC PATCH] clocksource: ti-32k: convert to platform device"
In reply to: Matthew Wilcox: "Re: [PATCH] block: protect rw_page against device teardown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Fri, 2015-11-20 at 13:12 -0500, Matthew Wilcox wrote:
> I'd prefer bdev_read_page() and bdev_write_page() to be a bit more
> consistent
> (eg 'rc' vs 'result'), but:
>
> Acked-by: Matthew Wilcox <willy@xxxxxxxxxxxxxxx>

Thanks! ÂFixed up version:

8<----
Subject: block: protect rw_page against device teardown

From: Dan Williams <dan.j.williams@xxxxxxxxx>

Fix use after free crashes like the following:

Âgeneral protection fault: 0000 [#1] SMP
ÂCall Trace:
Â [<ffffffffa0050216>] ? pmem_do_bvec.isra.12+0xa6/0xf0 [nd_pmem]
Â [<ffffffffa0050ba2>] pmem_rw_page+0x42/0x80 [nd_pmem]
Â [<ffffffff8128fd90>] bdev_read_page+0x50/0x60
Â [<ffffffff812972f0>] do_mpage_readpage+0x510/0x770
Â [<ffffffff8128fd20>] ? I_BDEV+0x20/0x20
Â [<ffffffff811d86dc>] ? lru_cache_add+0x1c/0x50
Â [<ffffffff81297657>] mpage_readpages+0x107/0x170
Â [<ffffffff8128fd20>] ? I_BDEV+0x20/0x20
Â [<ffffffff8128fd20>] ? I_BDEV+0x20/0x20
Â [<ffffffff8129058d>] blkdev_readpages+0x1d/0x20
Â [<ffffffff811d615f>] __do_page_cache_readahead+0x28f/0x310
Â [<ffffffff811d6039>] ? __do_page_cache_readahead+0x169/0x310
Â [<ffffffff811c5abd>] ? pagecache_get_page+0x2d/0x1d0
Â [<ffffffff811c76f6>] filemap_fault+0x396/0x530
Â [<ffffffff811f816e>] __do_fault+0x4e/0xf0
Â [<ffffffff811fce7d>] handle_mm_fault+0x11bd/0x1b50

Cc: <stable@xxxxxxxxxxxxxxx>
Cc: Jens Axboe <axboe@xxxxxx>
Cc: Alexander Viro <viro@xxxxxxxxxxxxxxxxxx>
Reported-by: kbuild test robot <lkp@xxxxxxxxx>
Acked-by: Matthew Wilcox <willy@xxxxxxxxxxxxxxx>
[willy: symmetry fixups]
Signed-off-by: Dan Williams <dan.j.williams@xxxxxxxxx>
---
Âblock/blk.hÂÂÂÂÂÂÂÂÂÂÂÂ|ÂÂÂÂ2 --
Âfs/block_dev.cÂÂÂÂÂÂÂÂÂ|ÂÂÂ18 ++++++++++++++++--
Âinclude/linux/blkdev.h |ÂÂÂÂ2 ++
Â3 files changed, 18 insertions(+), 4 deletions(-)

diff --git a/block/blk.h b/block/blk.h
index da722eb786df..c43926d3d74d 100644
--- a/block/blk.h
+++ b/block/blk.h
@@ -72,8 +72,6 @@ void blk_dequeue_request(struct request *rq);
Âvoid __blk_queue_free_tags(struct request_queue *q);
Âbool __blk_end_bidi_request(struct request *rq, int error,
Â ÂÂÂÂunsigned int nr_bytes, unsigned int bidi_bytes);
-int blk_queue_enter(struct request_queue *q, gfp_t gfp);
-void blk_queue_exit(struct request_queue *q);
Âvoid blk_freeze_queue(struct request_queue *q);
Â
Âstatic inline void blk_queue_enter_live(struct request_queue *q)
diff --git a/fs/block_dev.c b/fs/block_dev.c
index bb0dfb1c7af1..c25639e907bd 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -390,9 +390,17 @@ int bdev_read_page(struct block_device *bdev, sector_t sector,
Â struct page *page)
Â{
Â const struct block_device_operations *ops = bdev->bd_disk->fops;
+ int result = -EOPNOTSUPP;
+
Â if (!ops->rw_page || bdev_get_integrity(bdev))
- return -EOPNOTSUPP;
- return ops->rw_page(bdev, sector + get_start_sect(bdev), page, READ);
+ return result;
+
+ result = blk_queue_enter(bdev->bd_queue, GFP_KERNEL);
+ if (result)
+ return result;
+ result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, READ);
+ blk_queue_exit(bdev->bd_queue);
+ return result;
Â}
ÂEXPORT_SYMBOL_GPL(bdev_read_page);
Â
@@ -421,14 +429,20 @@ int bdev_write_page(struct block_device *bdev, sector_t sector,
Â int result;
Â int rw = (wbc->sync_mode == WB_SYNC_ALL) ? WRITE_SYNC : WRITE;
Â const struct block_device_operations *ops = bdev->bd_disk->fops;
+
Â if (!ops->rw_page || bdev_get_integrity(bdev))
Â return -EOPNOTSUPP;
+ result = blk_queue_enter(bdev->bd_queue, GFP_KERNEL);
+ if (result)
+ return result;
+
Â set_page_writeback(page);
Â result = ops->rw_page(bdev, sector + get_start_sect(bdev), page, rw);
Â if (result)
Â end_page_writeback(page);
Â else
Â unlock_page(page);
+ blk_queue_exit(bdev->bd_queue);
Â return result;
Â}
ÂEXPORT_SYMBOL_GPL(bdev_write_page);
diff --git a/include/linux/blkdev.h b/include/linux/blkdev.h
index 3fe27f8d91f0..c0d2b7927c1f 100644
--- a/include/linux/blkdev.h
+++ b/include/linux/blkdev.h
@@ -794,6 +794,8 @@ extern int scsi_cmd_ioctl(struct request_queue *, struct gendisk *, fmode_t,
Âextern int sg_scsi_ioctl(struct request_queue *, struct gendisk *, fmode_t,
Â Âstruct scsi_ioctl_command __user *);
Â
+extern int blk_queue_enter(struct request_queue *q, gfp_t gfp);
+extern void blk_queue_exit(struct request_queue *q);
Âextern void blk_start_queue(struct request_queue *q);
Âextern void blk_stop_queue(struct request_queue *q);
Âextern void blk_sync_queue(struct request_queue *q);N‹§²æ¸›yú²X¬¶ÇvØ–)Þ{.nÇ‰·¥Š{±‘êX§¶›¡Ü}©ž²ÆzÚj:+v‰¨¾«‘êZ+€Êzf£¢·hšˆ§~††Ûÿû®w¥¢¸?™¨è&¢)ßf”ùy§m…á«a¶Úÿ0¶ìå

Next message: Ondrej Zary: "Re: [PATCH 00/71] More fixes, cleanup and modernization for NCR5380 drivers"
Previous message: Felipe Balbi: "Re: [RFC PATCH] clocksource: ti-32k: convert to platform device"
In reply to: Matthew Wilcox: "Re: [PATCH] block: protect rw_page against device teardown"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]