* [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
@ 2012-02-22 1:01 Jun'ichi Nomura
2012-02-22 1:04 ` Tejun Heo
0 siblings, 1 reply; 6+ messages in thread
From: Jun'ichi Nomura @ 2012-02-22 1:01 UTC (permalink / raw)
To: Jens Axboe, Tejun Heo
Cc: linux-kernel, linux-scsi, Naveen Goswamy, James Bottomley,
Stefan Richter, Dave Jones, sgruszka, Huajun Li
Since 2.6.39 (1196f8b), when a driver returns -ENOMEDIUM for open(),
__blkdev_get() calls rescan_partitions() to remove
in-kernel partition structures and raise KOBJ_CHANGE uevent.
However it ends up calling driver's revalidate_disk without open
and could cause oops.
In the case of SCSI:
process A process B
----------------------------------------------
sys_open
__blkdev_get
sd_open
returns -ENOMEDIUM
scsi_remove_device
<scsi_device torn down>
rescan_partitions
sd_revalidate_disk
<oops>
Oopses are reported here:
http://marc.info/?l=linux-scsi&m=132388619710052
This patch separates the partition invalidation from rescan_partitions()
and use it for -ENOMEDIUM case.
Reported-by: Huajun Li <huajun.li.lee@gmail.com>
Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
--
block/partition-generic.c | 48 ++++++++++++++++++++++++++++++++++++++--------
fs/block_dev.c | 16 +++++++++++----
include/linux/genhd.h | 1
3 files changed, 53 insertions(+), 12 deletions(-)
diff --git a/include/linux/genhd.h b/include/linux/genhd.h
index fe23ee7..e61d319 100644
--- a/include/linux/genhd.h
+++ b/include/linux/genhd.h
@@ -596,6 +596,7 @@ extern char *disk_name (struct gendisk *hd, int partno, char *buf);
extern int disk_expand_part_tbl(struct gendisk *disk, int target);
extern int rescan_partitions(struct gendisk *disk, struct block_device *bdev);
+extern int invalidate_partitions(struct gendisk *disk, struct block_device *bdev);
extern struct hd_struct * __must_check add_partition(struct gendisk *disk,
int partno, sector_t start,
sector_t len, int flags,
diff --git a/fs/block_dev.c b/fs/block_dev.c
index 0e575d1..5e9f198 100644
--- a/fs/block_dev.c
+++ b/fs/block_dev.c
@@ -1183,8 +1183,12 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
* The latter is necessary to prevent ghost
* partitions on a removed medium.
*/
- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
- rescan_partitions(disk, bdev);
+ if (bdev->bd_invalidated) {
+ if (!ret)
+ rescan_partitions(disk, bdev);
+ else if (ret == -ENOMEDIUM)
+ invalidate_partitions(disk, bdev);
+ }
if (ret)
goto out_clear;
} else {
@@ -1214,8 +1218,12 @@ static int __blkdev_get(struct block_device *bdev, fmode_t mode, int for_part)
if (bdev->bd_disk->fops->open)
ret = bdev->bd_disk->fops->open(bdev, mode);
/* the same as first opener case, read comment there */
- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
- rescan_partitions(bdev->bd_disk, bdev);
+ if (bdev->bd_invalidated) {
+ if (!ret)
+ rescan_partitions(bdev->bd_disk, bdev);
+ else if (ret == -ENOMEDIUM)
+ invalidate_partitions(bdev->bd_disk, bdev);
+ }
if (ret)
goto out_unlock_bdev;
}
diff --git a/block/partition-generic.c b/block/partition-generic.c
index d06ec1c..6df5d69 100644
--- a/block/partition-generic.c
+++ b/block/partition-generic.c
@@ -389,17 +389,11 @@ static bool disk_unlock_native_capacity(struct gendisk *disk)
}
}
-int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
+static int drop_partitions(struct gendisk *disk, struct block_device *bdev)
{
- struct parsed_partitions *state = NULL;
struct disk_part_iter piter;
struct hd_struct *part;
- int p, highest, res;
-rescan:
- if (state && !IS_ERR(state)) {
- kfree(state);
- state = NULL;
- }
+ int res;
if (bdev->bd_part_count)
return -EBUSY;
@@ -412,6 +406,24 @@ rescan:
delete_partition(disk, part->partno);
disk_part_iter_exit(&piter);
+ return 0;
+}
+
+int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
+{
+ struct parsed_partitions *state = NULL;
+ struct hd_struct *part;
+ int p, highest, res;
+rescan:
+ if (state && !IS_ERR(state)) {
+ kfree(state);
+ state = NULL;
+ }
+
+ res = drop_partitions(disk, bdev);
+ if (res)
+ return res;
+
if (disk->fops->revalidate_disk)
disk->fops->revalidate_disk(disk);
check_disk_size_change(disk, bdev);
@@ -515,6 +527,26 @@ rescan:
return 0;
}
+int invalidate_partitions(struct gendisk *disk, struct block_device *bdev)
+{
+ int res;
+
+ if (!bdev->bd_invalidated)
+ return 0;
+
+ res = drop_partitions(disk, bdev);
+ if (res)
+ return res;
+
+ set_capacity(disk, 0);
+ check_disk_size_change(disk, bdev);
+ bdev->bd_invalidated = 0;
+ /* tell userspace that the media / partition table may have changed */
+ kobject_uevent(&disk_to_dev(disk)->kobj, KOBJ_CHANGE);
+
+ return 0;
+}
+
unsigned char *read_dev_sector(struct block_device *bdev, sector_t n, Sector *p)
{
struct address_space *mapping = bdev->bd_inode->i_mapping;
^ permalink raw reply related [flat|nested] 6+ messages in thread
* Re: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
2012-02-22 1:01 [PATCH] Fix NULL pointer dereference in sd_revalidate_disk Jun'ichi Nomura
@ 2012-02-22 1:04 ` Tejun Heo
2012-02-22 4:58 ` Jack Wang
0 siblings, 1 reply; 6+ messages in thread
From: Tejun Heo @ 2012-02-22 1:04 UTC (permalink / raw)
To: Jun'ichi Nomura
Cc: Jens Axboe, linux-kernel, linux-scsi, Naveen Goswamy,
James Bottomley, Stefan Richter, Dave Jones, sgruszka, Huajun Li
On Wed, Feb 22, 2012 at 10:01:53AM +0900, Jun'ichi Nomura wrote:
> Since 2.6.39 (1196f8b), when a driver returns -ENOMEDIUM for open(),
> __blkdev_get() calls rescan_partitions() to remove
> in-kernel partition structures and raise KOBJ_CHANGE uevent.
>
> However it ends up calling driver's revalidate_disk without open
> and could cause oops.
>
> In the case of SCSI:
>
> process A process B
> ----------------------------------------------
> sys_open
> __blkdev_get
> sd_open
> returns -ENOMEDIUM
> scsi_remove_device
> <scsi_device torn down>
> rescan_partitions
> sd_revalidate_disk
> <oops>
>
> Oopses are reported here:
> http://marc.info/?l=linux-scsi&m=132388619710052
>
> This patch separates the partition invalidation from rescan_partitions()
> and use it for -ENOMEDIUM case.
>
> Reported-by: Huajun Li <huajun.li.lee@gmail.com>
> Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
Acked-by: Tejun Heo <tj@kernel.org>
Thank you!
--
tejun
^ permalink raw reply [flat|nested] 6+ messages in thread
* RE: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
2012-02-22 1:04 ` Tejun Heo
@ 2012-02-22 4:58 ` Jack Wang
2012-02-22 5:36 ` 'Dave Jones'
0 siblings, 1 reply; 6+ messages in thread
From: Jack Wang @ 2012-02-22 4:58 UTC (permalink / raw)
To: 'Tejun Heo', 'Jun'ichi Nomura'
Cc: 'Jens Axboe', linux-kernel, 'linux-scsi',
'Naveen Goswamy', 'James Bottomley',
'Stefan Richter', 'Dave Jones',
sgruszka, 'Huajun Li'
Should this need pick up into stable too?
Jack
Re: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
>
> On Wed, Feb 22, 2012 at 10:01:53AM +0900, Jun'ichi Nomura wrote:
> > Since 2.6.39 (1196f8b), when a driver returns -ENOMEDIUM for open(),
> > __blkdev_get() calls rescan_partitions() to remove
> > in-kernel partition structures and raise KOBJ_CHANGE uevent.
> >
> > However it ends up calling driver's revalidate_disk without open
> > and could cause oops.
> >
> > In the case of SCSI:
> >
> > process A process B
> > ----------------------------------------------
> > sys_open
> > __blkdev_get
> > sd_open
> > returns -ENOMEDIUM
> > scsi_remove_device
> > <scsi_device torn down>
> > rescan_partitions
> > sd_revalidate_disk
> > <oops>
> >
> > Oopses are reported here:
> > http://marc.info/?l=linux-scsi&m=132388619710052
> >
> > This patch separates the partition invalidation from rescan_partitions()
> > and use it for -ENOMEDIUM case.
> >
> > Reported-by: Huajun Li <huajun.li.lee@gmail.com>
> > Signed-off-by: Jun'ichi Nomura <j-nomura@ce.jp.nec.com>
>
> Acked-by: Tejun Heo <tj@kernel.org>
>
> Thank you!
>
> --
> tejun
> --
> To unsubscribe from this list: send the line "unsubscribe linux-scsi" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at http://vger.kernel.org/majordomo-info.html
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
2012-02-22 4:58 ` Jack Wang
@ 2012-02-22 5:36 ` 'Dave Jones'
2012-02-29 12:57 ` Naveen Goswamy
2012-02-29 18:46 ` Naveen Goswamy
0 siblings, 2 replies; 6+ messages in thread
From: 'Dave Jones' @ 2012-02-22 5:36 UTC (permalink / raw)
To: Jack Wang
Cc: 'Tejun Heo', 'Jun'ichi Nomura',
'Jens Axboe', linux-kernel, 'linux-scsi',
'Naveen Goswamy', 'James Bottomley',
'Stefan Richter', sgruszka, 'Huajun Li'
On Wed, Feb 22, 2012 at 12:58:08PM +0800, Jack Wang wrote:
> Should this need pick up into stable too?
>
> Jack
The 3.2 backport seems fairly trivial (just some stuff moved to different files)
Here's the patch I did for Fedora.
Dave
--- linux/fs/partitions/check.c~ 2012-02-20 18:32:55.314253719 -0500
+++ linux/fs/partitions/check.c 2012-02-20 18:34:46.509859745 -0500
@@ -539,17 +539,11 @@ static bool disk_unlock_native_capacity(
}
}
-int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
+static int drop_partitions(struct gendisk *disk, struct block_device *bdev)
{
- struct parsed_partitions *state = NULL;
struct disk_part_iter piter;
struct hd_struct *part;
- int p, highest, res;
-rescan:
- if (state && !IS_ERR(state)) {
- kfree(state);
- state = NULL;
- }
+ int res;
if (bdev->bd_part_count)
return -EBUSY;
@@ -562,6 +556,24 @@ rescan:
delete_partition(disk, part->partno);
disk_part_iter_exit(&piter);
+ return 0;
+}
+
+int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
+{
+ struct parsed_partitions *state = NULL;
+ struct hd_struct *part;
+ int p, highest, res;
+rescan:
+ if (state && !IS_ERR(state)) {
+ kfree(state);
+ state = NULL;
+ }
+
+ res = drop_partitions(disk, bdev);
+ if (res)
+ return res;
+
if (disk->fops->revalidate_disk)
disk->fops->revalidate_disk(disk);
check_disk_size_change(disk, bdev);
@@ -665,6 +677,26 @@ rescan:
return 0;
}
+int invalidate_partitions(struct gendisk *disk, struct block_device *bdev)
+{
+ int res;
+
+ if (!bdev->bd_invalidated)
+ return 0;
+
+ res = drop_partitions(disk, bdev);
+ if (res)
+ return res;
+
+ set_capacity(disk, 0);
+ check_disk_size_change(disk, bdev);
+ bdev->bd_invalidated = 0;
+ /* tell userspace that the media / partition table may have changed */
+ kobject_uevent(&disk_to_dev(disk)->kobj, KOBJ_CHANGE);
+
+ return 0;
+}
+
unsigned char *read_dev_sector(struct block_device *bdev, sector_t n, Sector *p)
{
struct address_space *mapping = bdev->bd_inode->i_mapping;
--- linux/include/linux/genhd.h~ 2012-02-20 18:35:02.777802107 -0500
+++ linux/include/linux/genhd.h 2012-02-20 18:35:13.873762792 -0500
@@ -596,6 +596,7 @@ extern char *disk_name (struct gendisk *
extern int disk_expand_part_tbl(struct gendisk *disk, int target);
extern int rescan_partitions(struct gendisk *disk, struct block_device *bdev);
+extern int invalidate_partitions(struct gendisk *disk, struct block_device *bdev);
extern struct hd_struct * __must_check add_partition(struct gendisk *disk,
int partno, sector_t start,
sector_t len, int flags,
--- linux/fs/block_dev.c~ 2012-02-20 18:35:24.890723757 -0500
+++ linux/fs/block_dev.c 2012-02-20 18:36:25.166510197 -0500
@@ -1159,8 +1159,12 @@ static int __blkdev_get(struct block_dev
* The latter is necessary to prevent ghost
* partitions on a removed medium.
*/
- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
- rescan_partitions(disk, bdev);
+ if (bdev->bd_invalidated) {
+ if (!ret)
+ rescan_partitions(disk, bdev);
+ else if (ret == -ENOMEDIUM)
+ invalidate_partitions(disk, bdev);
+ }
if (ret)
goto out_clear;
} else {
@@ -1190,8 +1194,12 @@ static int __blkdev_get(struct block_dev
if (bdev->bd_disk->fops->open)
ret = bdev->bd_disk->fops->open(bdev, mode);
/* the same as first opener case, read comment there */
- if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
- rescan_partitions(bdev->bd_disk, bdev);
+ if (bdev->bd_invalidated) {
+ if (!ret)
+ rescan_partitions(bdev->bd_disk, bdev);
+ else if (ret == -ENOMEDIUM)
+ invalidate_partitions(bdev->bd_disk, bdev);
+ }
if (ret)
goto out_unlock_bdev;
}
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
2012-02-22 5:36 ` 'Dave Jones'
@ 2012-02-29 12:57 ` Naveen Goswamy
2012-02-29 18:46 ` Naveen Goswamy
1 sibling, 0 replies; 6+ messages in thread
From: Naveen Goswamy @ 2012-02-29 12:57 UTC (permalink / raw)
To: 'Dave Jones'
Cc: Jack Wang, 'Tejun Heo', 'Jun'ichi Nomura',
'Jens Axboe', linux-kernel, 'linux-scsi',
'James Bottomley', 'Stefan Richter',
sgruszka, 'Huajun Li'
I have tested this patch, and it fixes the problem where when I ejected the SD
card it would oops and crash and burn my kernel, as reported here :
https://lkml.org/lkml/2012/2/7/462
and here:
https://bugs.gentoo.org/show_bug.cgi?id=402433
I tested it with the 3.3-rc5 sources, found here:
http://www.kernel.org/pub/linux/kernel/v3.0/testing/
Thanks,
Tested-by:Naveen Goswamy
^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: [PATCH] Fix NULL pointer dereference in sd_revalidate_disk
2012-02-22 5:36 ` 'Dave Jones'
2012-02-29 12:57 ` Naveen Goswamy
@ 2012-02-29 18:46 ` Naveen Goswamy
1 sibling, 0 replies; 6+ messages in thread
From: Naveen Goswamy @ 2012-02-29 18:46 UTC (permalink / raw)
To: 'Dave Jones'
Cc: Jack Wang, 'Tejun Heo', 'Jun'ichi Nomura',
'Jens Axboe', linux-kernel, 'linux-scsi',
'James Bottomley', 'Stefan Richter',
sgruszka, 'Huajun Li'
I have tested Dave Jones' 3.2 backport patch in gentoo, against kernel sources
3.2.1-gentoo-r2 and it works as well.
Regards,
Naveen
Quoting 'Dave Jones' <davej@redhat.com>:
> On Wed, Feb 22, 2012 at 12:58:08PM +0800, Jack Wang wrote:
> > Should this need pick up into stable too?
> >
> > Jack
>
> The 3.2 backport seems fairly trivial (just some stuff moved to different
> files)
> Here's the patch I did for Fedora.
>
> Dave
>
> --- linux/fs/partitions/check.c~ 2012-02-20 18:32:55.314253719 -0500
> +++ linux/fs/partitions/check.c 2012-02-20 18:34:46.509859745 -0500
> @@ -539,17 +539,11 @@ static bool disk_unlock_native_capacity(
> }
> }
>
> -int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
> +static int drop_partitions(struct gendisk *disk, struct block_device *bdev)
> {
> - struct parsed_partitions *state = NULL;
> struct disk_part_iter piter;
> struct hd_struct *part;
> - int p, highest, res;
> -rescan:
> - if (state && !IS_ERR(state)) {
> - kfree(state);
> - state = NULL;
> - }
> + int res;
>
> if (bdev->bd_part_count)
> return -EBUSY;
> @@ -562,6 +556,24 @@ rescan:
> delete_partition(disk, part->partno);
> disk_part_iter_exit(&piter);
>
> + return 0;
> +}
> +
> +int rescan_partitions(struct gendisk *disk, struct block_device *bdev)
> +{
> + struct parsed_partitions *state = NULL;
> + struct hd_struct *part;
> + int p, highest, res;
> +rescan:
> + if (state && !IS_ERR(state)) {
> + kfree(state);
> + state = NULL;
> + }
> +
> + res = drop_partitions(disk, bdev);
> + if (res)
> + return res;
> +
> if (disk->fops->revalidate_disk)
> disk->fops->revalidate_disk(disk);
> check_disk_size_change(disk, bdev);
> @@ -665,6 +677,26 @@ rescan:
> return 0;
> }
>
> +int invalidate_partitions(struct gendisk *disk, struct block_device *bdev)
> +{
> + int res;
> +
> + if (!bdev->bd_invalidated)
> + return 0;
> +
> + res = drop_partitions(disk, bdev);
> + if (res)
> + return res;
> +
> + set_capacity(disk, 0);
> + check_disk_size_change(disk, bdev);
> + bdev->bd_invalidated = 0;
> + /* tell userspace that the media / partition table may have changed */
> + kobject_uevent(&disk_to_dev(disk)->kobj, KOBJ_CHANGE);
> +
> + return 0;
> +}
> +
> unsigned char *read_dev_sector(struct block_device *bdev, sector_t n, Sector
> *p)
> {
> struct address_space *mapping = bdev->bd_inode->i_mapping;
> --- linux/include/linux/genhd.h~ 2012-02-20 18:35:02.777802107 -0500
> +++ linux/include/linux/genhd.h 2012-02-20 18:35:13.873762792 -0500
> @@ -596,6 +596,7 @@ extern char *disk_name (struct gendisk *
>
> extern int disk_expand_part_tbl(struct gendisk *disk, int target);
> extern int rescan_partitions(struct gendisk *disk, struct block_device
> *bdev);
> +extern int invalidate_partitions(struct gendisk *disk, struct block_device
> *bdev);
> extern struct hd_struct * __must_check add_partition(struct gendisk *disk,
> int partno, sector_t start,
> sector_t len, int flags,
> --- linux/fs/block_dev.c~ 2012-02-20 18:35:24.890723757 -0500
> +++ linux/fs/block_dev.c 2012-02-20 18:36:25.166510197 -0500
> @@ -1159,8 +1159,12 @@ static int __blkdev_get(struct block_dev
> * The latter is necessary to prevent ghost
> * partitions on a removed medium.
> */
> - if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
> - rescan_partitions(disk, bdev);
> + if (bdev->bd_invalidated) {
> + if (!ret)
> + rescan_partitions(disk, bdev);
> + else if (ret == -ENOMEDIUM)
> + invalidate_partitions(disk, bdev);
> + }
> if (ret)
> goto out_clear;
> } else {
> @@ -1190,8 +1194,12 @@ static int __blkdev_get(struct block_dev
> if (bdev->bd_disk->fops->open)
> ret = bdev->bd_disk->fops->open(bdev, mode);
> /* the same as first opener case, read comment there */
> - if (bdev->bd_invalidated && (!ret || ret == -ENOMEDIUM))
> - rescan_partitions(bdev->bd_disk, bdev);
> + if (bdev->bd_invalidated) {
> + if (!ret)
> + rescan_partitions(bdev->bd_disk, bdev);
> + else if (ret == -ENOMEDIUM)
> + invalidate_partitions(bdev->bd_disk, bdev);
> + }
> if (ret)
> goto out_unlock_bdev;
> }
>
^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2012-02-29 18:47 UTC | newest]
Thread overview: 6+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2012-02-22 1:01 [PATCH] Fix NULL pointer dereference in sd_revalidate_disk Jun'ichi Nomura
2012-02-22 1:04 ` Tejun Heo
2012-02-22 4:58 ` Jack Wang
2012-02-22 5:36 ` 'Dave Jones'
2012-02-29 12:57 ` Naveen Goswamy
2012-02-29 18:46 ` Naveen Goswamy
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).