From: Heiko Carstens <hca@linux.ibm.com>
To: Duoming Zhou <duoming@zju.edu.cn>, Jan Hoeppner <hoeppner@linux.ibm.com>
Cc: linux-s390@vger.kernel.org, linux-kernel@vger.kernel.org,
	gor@linux.ibm.com, agordeev@linux.ibm.com,
	borntraeger@linux.ibm.com, svens@linux.ibm.com, mingo@kernel.org,
	tglx@linutronix.de
Subject: Re: [PATCH] s390/tape: fix use-after-free bugs caused by tape_dnr delayed work
Date: Mon, 3 Nov 2025 12:19:15 +0100	[thread overview]
Message-ID: <20251103111915.18191A14-hca@linux.ibm.com> (raw)
In-Reply-To: <20251103060544.22720-1-duoming@zju.edu.cn>

[full quote below - adding Jan]

On Mon, Nov 03, 2025 at 02:05:44PM +0800, Duoming Zhou wrote:
> The delayed work tape_dnr is initialized in tape_alloc_device(), which
> is called from tape_generic_probe(), and is scheduled in the following
> scenarios:
> 
> 1. Starting an I/O operation fails with -EBUSY in __tape_start_io().
> 2. Canceling an I/O operation fails with -EBUSY in __tape_cancel_io().
> 3. A deferred error condition is detected in __tape_do_irq().
> 
> When the tape device is detached via tape_generic_remove(), the
> tape_device structure might be deallocated after the final call to
> tape_put_device(). However, if the delayed work tape_dnr is still
> pending or executing at the time of detachment, it could lead to
> use-after-free bugs when the work function tape_delayed_next_request()
> accesses the already freed tape_device memory.
> 
> The race condition can occur as follows:
> 
> CPU 0 (detach thread)     | CPU 1 (delayed work)
> tape_generic_remove()     |
>   tape_put_device(device) | tape_delayed_next_request
>                           |   device = container_of(...) // USE
>                           |   device-> // USE
> 
> Add disable_delayed_work_sync() in tape_generic_remove() to guarantee
> proper cancellation of the delayed work item before tape_device is
> deallocated.
> 
> This bug is identified by static analysis.
> 
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Duoming Zhou <duoming@zju.edu.cn>
> ---
>  drivers/s390/char/tape_core.c | 1 +
>  1 file changed, 1 insertion(+)
> 
> diff --git a/drivers/s390/char/tape_core.c b/drivers/s390/char/tape_core.c
> index 6ec812280221..722dc4737a87 100644
> --- a/drivers/s390/char/tape_core.c
> +++ b/drivers/s390/char/tape_core.c
> @@ -625,6 +625,7 @@ tape_generic_remove(struct ccw_device *cdev)
>  	}
>  	DBF_LH(3, "(%08x): tape_generic_remove(%p)\n", device->cdev_id, cdev);
>  
> +	disable_delayed_work_sync(&device->tape_dnr);
>  	spin_lock_irq(get_ccwdev_lock(device->cdev));
>  	switch (device->tape_state) {
>  		case TS_INIT:
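Review bot: the disable_delayed_work_sync() call is correctly placed before spin_lock_irq(get_ccwdev_lock(device->cdev)), since it can sleep while waiting for a running tape_delayed_next_request() to finish, but nothing at the call site says why the disable variant was chosen over cancel_delayed_work_sync(). The difference matters here: the description lists paths such as a deferred error in __tape_do_irq() that can schedule tape_dnr again after this point, and only the disable variant turns such later schedule attempts into no-ops. Suggest a one-line comment above the call, e.g. `/* disable, not cancel: __tape_do_irq() may still try to re-arm tape_dnr */`, so it is not later "simplified" back to cancel_delayed_work_sync() and the use-after-free reintroduced; the commit message would benefit from the same sentence.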

Jan, could you please have a look at this?
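The race in the quoted description, as an added userspace model that is not part of the patch or of the s390 tape driver: a delayed work item embedded in a device is queued, the device is detached and its last reference dropped, and the work function then runs on memory the device no longer owns. `struct dwork`, `schedule_dwork()`, `disable_dwork_sync()`, `run_scenario()` and the 20/100 ms timings are assumptions of the model (a pthread and usleep() stand in for delayed_work and its timer); `tape_delayed_next_request()` and `tape_dnr` keep the driver's names but are reimplemented here. Without the fix the work runs twice on the "freed" device and a re-arm after detach is accepted; with the disable call in front of the final put, neither happens.

```c
/* Constructed userspace model of the race the patch closes, not driver code.
 * "struct dwork" stands in for delayed_work (one pthread per queued instance);
 * the detached device stays allocated so a late access is counted, not a crash. */
#define _DEFAULT_SOURCE
#include <pthread.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>
#include <unistd.h>

#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

struct dwork {
	pthread_mutex_t lock;
	void (*fn)(struct dwork *);
	unsigned delay_ms;
	bool pending, disabled, armed;	/* queued / queueing refused / thread to join */
	pthread_t thr;
};

/* Worker: the "timer" sleeps out the delay, then fn() runs unless cancelled. */
static void *dwork_thread(void *arg)
{
	struct dwork *w = arg;
	usleep(w->delay_ms * 1000);
	pthread_mutex_lock(&w->lock);
	bool fire = w->pending;		/* false if cancelled while the timer ran */
	w->pending = false;
	pthread_mutex_unlock(&w->lock);
	if (fire)
		w->fn(w);		/* runs unlocked, like a workqueue item */
	return NULL;
}

/* schedule_delayed_work() stand-in: refused while queued or once disabled. */
static bool schedule_dwork(struct dwork *w, unsigned delay_ms)
{
	pthread_mutex_lock(&w->lock);
	if (w->disabled || w->pending) {
		pthread_mutex_unlock(&w->lock);
		return false;
	}
	if (w->armed)			/* previous instance has finished: reap it */
		pthread_join(w->thr, NULL);
	w->delay_ms = delay_ms;
	w->pending = w->armed = true;
	pthread_create(&w->thr, NULL, dwork_thread, w);
	pthread_mutex_unlock(&w->lock);
	return true;
}

/* disable_delayed_work_sync() stand-in: drop a queued instance, wait for a running
 * one, refuse all later queueing.  It blocks, hence the real call precedes spin_lock_irq(). */
static void disable_dwork_sync(struct dwork *w)
{
	pthread_mutex_lock(&w->lock);
	w->disabled = true;
	w->pending = false;
	pthread_mutex_unlock(&w->lock);
	if (w->armed)			/* armed is only touched by the scheduling side */
		pthread_join(w->thr, NULL);
	w->armed = false;
}

struct tape_device {
	bool freed;		/* last reference dropped: kfree() in the driver */
	int late_accesses;	/* work touched the device after that: the UAF */
	struct dwork tape_dnr;
};

static void tape_delayed_next_request(struct dwork *w)
{
	struct tape_device *device = container_of(w, struct tape_device, tape_dnr);
	if (device->freed)
		device->late_accesses++;
}

struct outcome { int late_accesses; bool rearmed; };

/* Queue tape_dnr (as -EBUSY in __tape_start_io() would), detach with or
 * without the patch's added line, then let a deferred-error path re-arm it. */
static struct outcome run_scenario(bool with_fix)
{
	struct tape_device *device = calloc(1, sizeof(*device));
	struct outcome out;
	pthread_mutex_init(&device->tape_dnr.lock, NULL);
	device->tape_dnr.fn = tape_delayed_next_request;
	schedule_dwork(&device->tape_dnr, 20);
	if (with_fix)
		disable_dwork_sync(&device->tape_dnr);
	device->freed = true;		/* tape_put_device() drops the last ref */
	usleep(100 * 1000);		/* an unfixed instance fires in here */
	out.rearmed = schedule_dwork(&device->tape_dnr, 20);
	usleep(100 * 1000);
	disable_dwork_sync(&device->tape_dnr);	/* reap the worker before free() */
	out.late_accesses = device->late_accesses;
	free(device);
	return out;
}
```

Build with cc -pthread and call run_scenario(false) and run_scenario(true) from a main(): the first returns two late accesses and an accepted re-arm, the second zero and a refused one. The model's schedule_dwork() does not re-queue an instance that is already executing, which is the one place it is simpler than the kernel's delayed_work; the part that matters for the patch, that "disable" both waits for the running instance and rejects later scheduling while "cancel" would only do the former, is modelled faithfully.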

Thread overview: 2+ messages
2025-11-03  6:05 [PATCH] s390/tape: fix use-after-free bugs caused by tape_dnr delayed work Duoming Zhou
2025-11-03 11:19 ` Heiko Carstens [this message]
