Open Source and information security mailing list archives
 
Date:   Mon, 29 Aug 2016 19:49:29 -0400
From:   Tejun Heo <tj@...nel.org>
To:     Vegard Nossum <vegard.nossum@...cle.com>
Cc:     Rabin Vincent <rabin@....in>, Jens Axboe <axboe@...com>,
        Jan Kara <jack@...e.cz>, Al Viro <viro@...iv.linux.org.uk>,
        linux-block@...r.kernel.org, linux-kernel@...r.kernel.org,
        stable@...r.kernel.org
Subject: Re: [PATCH] bdev: fix NULL pointer dereference in sync()/close() race

Hello,

On Mon, Aug 29, 2016 at 11:33:41PM +0200, Vegard Nossum wrote:
> On 08/29/2016 09:55 PM, Tejun Heo wrote:
> > I think the right thing to do there is doing blkdev_get() /
> > blkdev_put() around func() invocation in iterate_bdevs() rather than
> > holding bd_mutex across the callback.  Can you please verify whether
> > that works?
> 
> Didn't work for me, I kept getting use-after-free in __blkdev_get() on
> bdev->bd_invalidated after it calls bdev->bd_disk->fops->open(). I tried
> a few related things without much luck.

I see.  It could be that it's doing blkdev_get() on a dying device.

> The only thing that worked for me without holding the mutex across the
> call was this:
...
> +		mutex_lock(&bdev->bd_mutex);
> +		bdev->bd_openers++;
> +		bdev->bd_holders++;
> +		mutex_unlock(&bdev->bd_mutex);
> +
> +		func(bdev, arg);
> +
> +		mutex_lock(&bdev->bd_mutex);
> +		bdev->bd_openers--;
> +		bdev->bd_holders--;
> +		mutex_unlock(&bdev->bd_mutex);
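Review bot: the bd_openers++ in the first locked section is unconditional, so a bdev that nobody has open (bd_openers == 0) is counted as opened without the disk ever having gone through blkdev_get(); take the reference only when bd_openers is already non-zero and skip the bdev otherwise. The matching bd_openers--/bd_holders-- at the end has the same problem in the other direction: if the real user closed during func(), the manual decrement leaves the device at zero openers without running the last-close release that blkdev_put() performs, so dropping the reference via blkdev_put() would keep the counters and the release path consistent. bd_holders is the exclusive-claim count and does not need touching here at all.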

And this might not be too far-fetched.  I think what we want is

* Bump bd_openers if there are other users already; otherwise, skip.

* blkdev_put() after the callback is finished.

Thanks.

-- 
tejun
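The two points above, as an added example that is not the kernel's code and not from this thread: a single-threaded C model of iterate_bdevs() that takes a reference only when the bdev already has an opener and drops it after the callback. All model_* names, the struct fields and the three-device scenario are constructed assumptions.

```c
/* Added example (not kernel code): single-threaded model of "pin a bdev only
 * if it is already open, put it after func()". model_* names are hypothetical. */
#include <stdbool.h>
#include <stddef.h>

struct model_bdev {
    int bd_openers;   /* live opens; 0 means no real user holds the disk */
    bool dying;       /* set once the last opener released the device */
};
/* Conditional stand-in for blkdev_get(): pin only an already-open bdev. */
static bool model_get_if_open(struct model_bdev *bdev)
{
    if (bdev->bd_openers == 0 || bdev->dying)
        return false;
    bdev->bd_openers++;   /* in the kernel: done under bd_mutex */
    return true;
}
/* Stand-in for blkdev_put(): the last drop tears the device down. */
static void model_put(struct model_bdev *bdev)
{
    if (--bdev->bd_openers == 0)
        bdev->dying = true;
}
/* Model of iterate_bdevs(): hold a reference across func() instead of bd_mutex. */
static int model_iterate_bdevs(struct model_bdev *bdevs, size_t n, void (*func)(struct model_bdev *, void *), void *arg)
{
    int ran = 0;
    for (size_t i = 0; i < n; i++) {
        if (!model_get_if_open(&bdevs[i]))
            continue;               /* nobody has it open: skip it */
        func(&bdevs[i], arg);       /* runs without bd_mutex held */
        model_put(&bdevs[i]);       /* release after the callback */
        ran++;
    }
    return ran;
}
/* Constructed callback: the real user closes underneath us; our reference keeps the bdev alive. */
static void model_sync_cb(struct model_bdev *bdev, void *arg)
{
    (void)arg;
    if (bdev->bd_openers == 2)  /* us plus one real user: that user closes now */
        model_put(bdev);
}
/* Constructed scenario: bdev 0 open once, bdev 1 not open, bdev 2 open three times. */
static struct model_bdev scenario[3] = { {1, false}, {0, false}, {3, false} };
int model_run_scenario(void) { return model_iterate_bdevs(scenario, 3, model_sync_cb, NULL); }
int model_openers(size_t i) { return scenario[i].bd_openers; }
bool model_dying(size_t i) { return scenario[i].dying; }
```

Only the two open devices get the callback; device 0 is torn down after, not during, func(), and the never-opened device 1 is left untouched.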
