未验证 提交 adc6fa98 编写于 作者: O openeuler-ci-bot 提交者: Gitee

!1318 [sync] PR-1285: nbd: fix null-ptr-dereference while accessing 'nbd->config'

Merge Pull Request from: @openeuler-sync-bot 
 

Origin pull request: 
https://gitee.com/openeuler/kernel/pulls/1285 
 
PR sync from: Zhong Jinghua <zhongjinghua@huawei.com>
https://mailweb.openeuler.org/hyperkitty/list/kernel@openeuler.org/message/PDTEZNN6BPNOCWXZPXSX5XHC4Q46NBPW/ 
nbd: fix null-ptr-dereference while accessing 'nbd->config'

Yu Kuai (3):
  nbd: fold nbd config initialization into nbd_alloc_config()
  nbd: factor out a helper to get nbd_config without holding
    'config_lock'
  nbd: fix null-ptr-dereference while accessing 'nbd->config'


-- 
2.31.1
 
 
Link:https://gitee.com/openeuler/kernel/pulls/1318 

Reviewed-by: Jialin Zhang <zhangjialin11@huawei.com> 
Reviewed-by: Yu Kuai <yukuai3@huawei.com> 
Signed-off-by: Jialin Zhang <zhangjialin11@huawei.com> 
......@@ -389,6 +389,22 @@ static u32 req_to_nbd_cmd_type(struct request *req)
}
}
static struct nbd_config *nbd_get_config_unlocked(struct nbd_device *nbd)
{
if (refcount_inc_not_zero(&nbd->config_refs)) {
/*
* Add smp_mb__after_atomic to ensure that reading nbd->config_refs
* and reading nbd->config is ordered. The pair is the barrier in
* nbd_alloc_and_init_config(), avoid nbd->config_refs is set
* before nbd->config.
*/
smp_mb__after_atomic();
return nbd->config;
}
return NULL;
}
static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
bool reserved)
{
......@@ -404,13 +420,13 @@ static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
return BLK_EH_DONE;
}
if (!refcount_inc_not_zero(&nbd->config_refs)) {
config = nbd_get_config_unlocked(nbd);
if (!config) {
cmd->status = BLK_STS_TIMEOUT;
__clear_bit(NBD_CMD_INFLIGHT, &cmd->flags);
mutex_unlock(&cmd->lock);
goto done;
}
config = nbd->config;
if (config->num_connections > 1 ||
(config->num_connections == 1 && nbd->tag_set.timeout)) {
......@@ -969,12 +985,12 @@ static int nbd_handle_cmd(struct nbd_cmd *cmd, int index)
struct nbd_sock *nsock;
int ret;
if (!refcount_inc_not_zero(&nbd->config_refs)) {
config = nbd_get_config_unlocked(nbd);
if (!config) {
dev_err_ratelimited(disk_to_dev(nbd->disk),
"Socks array is empty\n");
return -EINVAL;
}
config = nbd->config;
if (index >= config->num_connections) {
dev_err_ratelimited(disk_to_dev(nbd->disk),
......@@ -1536,17 +1552,20 @@ static int nbd_ioctl(struct block_device *bdev, fmode_t mode,
return error;
}
static struct nbd_config *nbd_alloc_config(void)
static int nbd_alloc_and_init_config(struct nbd_device *nbd)
{
struct nbd_config *config;
if (WARN_ON(nbd->config))
return -EINVAL;
if (!try_module_get(THIS_MODULE))
return ERR_PTR(-ENODEV);
return -ENODEV;
config = kzalloc(sizeof(struct nbd_config), GFP_NOFS);
if (!config) {
module_put(THIS_MODULE);
return ERR_PTR(-ENOMEM);
return -ENOMEM;
}
atomic_set(&config->recv_threads, 0);
......@@ -1554,12 +1573,24 @@ static struct nbd_config *nbd_alloc_config(void)
init_waitqueue_head(&config->conn_wait);
config->blksize = NBD_DEF_BLKSIZE;
atomic_set(&config->live_connections, 0);
return config;
nbd->config = config;
/*
* Order refcount_set(&nbd->config_refs, 1) and nbd->config assignment,
* its pair is the barrier in nbd_get_config_unlocked().
* So nbd_get_config_unlocked() won't see nbd->config as null after
* refcount_inc_not_zero() succeed.
*/
smp_mb__before_atomic();
refcount_set(&nbd->config_refs, 1);
return 0;
}
static int nbd_open(struct block_device *bdev, fmode_t mode)
{
struct nbd_device *nbd;
struct nbd_config *config;
int ret = 0;
mutex_lock(&nbd_index_mutex);
......@@ -1572,26 +1603,24 @@ static int nbd_open(struct block_device *bdev, fmode_t mode)
ret = -ENXIO;
goto out;
}
if (!refcount_inc_not_zero(&nbd->config_refs)) {
struct nbd_config *config;
config = nbd_get_config_unlocked(nbd);
if (!config) {
mutex_lock(&nbd->config_lock);
if (refcount_inc_not_zero(&nbd->config_refs)) {
mutex_unlock(&nbd->config_lock);
goto out;
}
config = nbd_alloc_config();
if (IS_ERR(config)) {
ret = PTR_ERR(config);
ret = nbd_alloc_and_init_config(nbd);
if (ret) {
mutex_unlock(&nbd->config_lock);
goto out;
}
nbd->config = config;
refcount_set(&nbd->config_refs, 1);
refcount_inc(&nbd->refs);
mutex_unlock(&nbd->config_lock);
set_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state);
} else if (nbd_disconnected(nbd->config)) {
} else if (nbd_disconnected(config)) {
set_bit(GD_NEED_PART_SCAN, &bdev->bd_disk->state);
}
out:
......@@ -2008,22 +2037,17 @@ static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
printk(KERN_ERR "nbd: nbd%d already in use\n", index);
return -EBUSY;
}
if (WARN_ON(nbd->config)) {
mutex_unlock(&nbd->config_lock);
nbd_put(nbd);
return -EINVAL;
}
config = nbd_alloc_config();
if (IS_ERR(config)) {
ret = nbd_alloc_and_init_config(nbd);
if (ret) {
mutex_unlock(&nbd->config_lock);
nbd_put(nbd);
printk(KERN_ERR "nbd: couldn't allocate config\n");
return PTR_ERR(config);
return ret;
}
nbd->config = config;
refcount_set(&nbd->config_refs, 1);
set_bit(NBD_RT_BOUND, &config->runtime_flags);
config = nbd->config;
set_bit(NBD_RT_BOUND, &config->runtime_flags);
ret = nbd_genl_size_set(info, nbd);
if (ret)
goto out;
......@@ -2201,7 +2225,8 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
}
mutex_unlock(&nbd_index_mutex);
if (!refcount_inc_not_zero(&nbd->config_refs)) {
config = nbd_get_config_unlocked(nbd);
if (!config) {
dev_err(nbd_to_dev(nbd),
"not configured, cannot reconfigure\n");
nbd_put(nbd);
......@@ -2209,7 +2234,6 @@ static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
}
mutex_lock(&nbd->config_lock);
config = nbd->config;
if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
!nbd->pid) {
dev_err(nbd_to_dev(nbd),
......
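Review bot: The writer-side barrier `smp_mb__before_atomic();` placed before `refcount_set(&nbd->config_refs, 1);` in nbd_alloc_and_init_config() (hunk @@ -1554,12 +1573,24 @@) looks like the wrong primitive to me: as far as I can tell the smp_mb__before_atomic()/smp_mb__after_atomic() pair is only specified for atomic RMW operations, and refcount_set() is a plain store, so the ordering of `nbd->config = config;` ahead of the refcount store is not covered by the macro's contract even though the comment relies on it. The reader side in nbd_get_config_unlocked() (hunk @@ -389,6 +389,22 @@) is fine, because there smp_mb__after_atomic() follows the RMW refcount_inc_not_zero(). I would replace that one line with `smp_wmb();` and reword the comment to say it pairs with the smp_mb__after_atomic() in nbd_get_config_unlocked(), which keeps the documented store-store/load-load pairing valid on all architectures. Note that nbd_alloc_and_init_config() begins in the preceding hunk (@@ -1536,17 +1552,20 @@), so its body is split across two hunks on this page.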