bcache: fix NULL pointer reference in cached_dev_detach_finish

mainline inclusion from v5.16-rc6 commit aa97f6cd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I59A5L?from=project-issue CVE: N/A ----------------------------------- Commit 0259d449 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") tries to fix calc_cached_dev_sectors when bcache device detaches, but now we have: cached_dev_detach_finish ... bcache_device_detach(&dc->disk); ... closure_put(&d->c->caching); d->c = NULL; [*explicitly set dc->disk.c to NULL*] list_move(&dc->list, &uncached_devices); calc_cached_dev_sectors(dc->disk.c); [*passing a NULL pointer*] ... Upper codeflows shows how bug happens, this patch fix the problem by caching dc->disk.c beforehand, and cache_set won't be freed under us because c->caching closure at least holds a reference count and closure callback __cache_set_unregister only being called by bch_cache_set_stop which using closure_queue(&c->caching), that means c->caching closure callback for destroying cache_set won't be trigger by previous closure_put(&d->c->caching). So at this stage(while cached_dev_detach_finish is calling) it's safe to access cache_set dc->disk.c. Fixes: 0259d449 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") Signed-off-by: N Lin Feng <linf@wangsu.com> Signed-off-by: N Coly Li <colyli@suse.de> Link: https://lore.kernel.org/r/20211112053629.3437-2-colyli@suse.deSigned-off-by: N Jens Axboe <axboe@kernel.dk> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>

bcache: fix NULL pointer reference in cached_dev_detach_finish
mainline inclusion from v5.16-rc6 commit aa97f6cd category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/I59A5L?from=project-issue CVE: N/A ----------------------------------- Commit 0259d449 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") tries to fix calc_cached_dev_sectors when bcache device detaches, but now we have: cached_dev_detach_finish ... bcache_device_detach(&dc->disk); ... closure_put(&d->c->caching); d->c = NULL; [*explicitly set dc->disk.c to NULL*] list_move(&dc->list, &uncached_devices); calc_cached_dev_sectors(dc->disk.c); [*passing a NULL pointer*] ... Upper codeflows shows how bug happens, this patch fix the problem by caching dc->disk.c beforehand, and cache_set won't be freed under us because c->caching closure at least holds a reference count and closure callback __cache_set_unregister only being called by bch_cache_set_stop which using closure_queue(&c->caching), that means c->caching closure callback for destroying cache_set won't be trigger by previous closure_put(&d->c->caching). So at this stage(while cached_dev_detach_finish is calling) it's safe to access cache_set dc->disk.c. Fixes: 0259d449 ("bcache: move calc_cached_dev_sectors to proper place on backing device detach") Signed-off-by: N Lin Feng <linf@wangsu.com> Signed-off-by: N Coly Li <colyli@suse.de> Link: https://lore.kernel.org/r/20211112053629.3437-2-colyli@suse.deSigned-off-by: N Jens Axboe <axboe@kernel.dk> Reviewed-by: N Jason Yan <yanaijie@huawei.com> Signed-off-by: N Zheng Zengkai <zhengzengkai@huawei.com>
97ada023 · Lin Feng · Zheng Zengkai · cf14b17b · 97ada023
隐藏空白更改
内联并排

Showing with 2 addition and 1 deletion

drivers/md/bcache/super.c drivers/md/bcache/super.c +2 -1

未找到文件。
--- a/drivers/md/bcache/super.c
+++ b/drivers/md/bcache/super.c
@@ -1150,6 +1150,7 @@ static void cancel_writeback_rate_update_dwork(struct cached_dev *dc)
 static void cached_dev_detach_finish(struct work_struct *w)
 {
 	struct cached_dev *dc = container_of(w, struct cached_dev, detach);
+	struct cache_set *c = dc->disk.c;

 	BUG_ON(!test_bit(BCACHE_DEV_DETACHING, &dc->disk.flags));
 	BUG_ON(refcount_read(&dc->count));
@@ -1167,7 +1168,7 @@ static void cached_dev_detach_finish(struct work_struct *w)

 	bcache_device_detach(&dc->disk);
 	list_move(&dc->list, &uncached_devices);
-	calc_cached_dev_sectors(dc->disk.c);
+	calc_cached_dev_sectors(c);

 	clear_bit(BCACHE_DEV_DETACHING, &dc->disk.flags);
 	clear_bit(BCACHE_DEV_UNLINK_DONE, &dc->disk.flags);