lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date:	Sat, 21 May 2016 01:36:00 +0300
From:	Alexey Khoroshilov <khoroshilov@...ras.ru>
To:	Keith Busch <keith.busch@...el.com>, Jens Axboe <axboe@...com>
Cc:	Alexey Khoroshilov <khoroshilov@...ras.ru>,
	linux-nvme@...ts.infradead.org, linux-kernel@...r.kernel.org,
	ldv-project@...uxtesting.org
Subject: [PATCH] NVMe: fix deadlock on failure branch in nvme_get_ns_from_disk()

kref_put(&ns->kref, nvme_free_ns) is called in nvme_get_ns_from_disk()
under dev_list_lock spinlock, while nvme_free_ns() locks the spinlock
by itself. This can lead to a deadlock.

The patch moves try_module_get() and its error handling
out of spinlock section.

Found by Linux Driver Verification project (linuxtesting.org).

Signed-off-by: Alexey Khoroshilov <khoroshilov@...ras.ru>
Fixes: e439bb12e75c ("nvme/host: reference the fabric module for each bdev open callout")
---
 drivers/nvme/host/core.c | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/drivers/nvme/host/core.c b/drivers/nvme/host/core.c
index 643f457131c2..761d4c73a233 100644
--- a/drivers/nvme/host/core.c
+++ b/drivers/nvme/host/core.c
@@ -83,24 +83,25 @@ static void nvme_put_ns(struct nvme_ns *ns)
 static struct nvme_ns *nvme_get_ns_from_disk(struct gendisk *disk)
 {
 	struct nvme_ns *ns;
+	struct module *module;
 
 	spin_lock(&dev_list_lock);
 	ns = disk->private_data;
 	if (ns) {
-		if (!kref_get_unless_zero(&ns->kref))
-			goto fail;
-		if (!try_module_get(ns->ctrl->ops->module))
-			goto fail_put_ns;
+		if (!kref_get_unless_zero(&ns->kref)) {
+			spin_unlock(&dev_list_lock);
+			return NULL;
+		}
+		module = ns->ctrl->ops->module;
 	}
 	spin_unlock(&dev_list_lock);
 
-	return ns;
+	if (!try_module_get(module)) {
+		nvme_put_ns(ns);
+		return NULL;
+	}
 
-fail_put_ns:
-	kref_put(&ns->kref, nvme_free_ns);
-fail:
-	spin_unlock(&dev_list_lock);
-	return NULL;
+	return ns;
 }
 
 void nvme_requeue_req(struct request *req)
-- 
1.9.1

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ