From: Dan Carpenter <dan.carpenter@oracle.com>
To: Jason Yan <yanaijie@huawei.com>
Cc: axboe@kernel.dk, linux-block@vger.kernel.org,
linux-fsdevel@vger.kernel.org, Christoph Hellwig <hch@lst.de>,
Ming Lei <ming.lei@redhat.com>, Jan Kara <jack@suse.cz>,
Hulk Robot <hulkci@huawei.com>,
Sedat Dilek <sedat.dilek@gmail.com>
Subject: Re: [PATCH v6] block: Fix use-after-free in blkdev_get()
Date: Tue, 16 Jun 2020 13:20:48 +0300
Message-ID: <20200616102048.GL4282@kadam>
In-Reply-To: <20200616034002.2473743-1-yanaijie@huawei.com>

On Tue, Jun 16, 2020 at 11:40:02AM +0800, Jason Yan wrote:
>
> Fixes: e525fd89d380 ("block: make blkdev_get/put() handle exclusive access")

I still don't understand how this is the correct fixes tag... :/

git show e525fd89d380:fs/block_dev.c | cat -n

1208  int blkdev_get(struct block_device *bdev, fmode_t mode, void *holder)
1209  {
1210          struct block_device *whole = NULL;
1211          int res;
1212
1213          WARN_ON_ONCE((mode & FMODE_EXCL) && !holder);
1214
1215          if ((mode & FMODE_EXCL) && holder) {
1216                  whole = bd_start_claiming(bdev, holder);
1217                  if (IS_ERR(whole)) {
1218                          bdput(bdev);
1219                          return PTR_ERR(whole);
1220                  }
1221          }
1222
1223          res = __blkdev_get(bdev, mode, 0);
1224
1225          if (whole) {
1226                  if (res == 0)
                          ^^^^^^^^
1227                          bd_finish_claiming(bdev, whole, holder);
1228                  else
1229                          bd_abort_claiming(whole, holder);
                                                ^^^^^^^^^^^^^
If __blkdev_get() then this doesn't dereference "bdev" so it's not a
use after free bug.

1230          }
1231
1232          return res;
1233  }

So far as I can see the Fixes tag should be what I said earlier.

Fixes: 89e524c04fa9 ("loop: Fix mount(2) failure due to race with LOOP_SET_FD")

Otherwise the patch looks good to me.

Reviewed-by: Dan Carpenter <dan.carpenter@oracle.com>

regards,
dan carpenter
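
Added example, not part of the original message and not kernel code: a userspace C model of the reasoning in the reply above, showing why the commit a Fixes: tag names depends on which error path first touches the released object. It assumes, as the patch subject implies, that the callee drops the caller's reference when it fails; struct obj, open_dev(), holders_of() and the three variants are hypothetical stand-ins, and variant 2 (pinning an extra reference across the call) is one common remedy, not necessarily what the patch under review does.

```c
/* Userspace model only; every name here is a hypothetical stand-in. */
#include <stdio.h>

struct obj { int refs; int freed; int holders; };
static int stale_hits;	/* accesses made after the last reference was dropped */

static void obj_put(struct obj *o)
{
	if (--o->refs == 0)
		o->freed = 1;	/* model of free(): mark instead of releasing */
}

static int *holders_of(struct obj *o)	/* all field access goes through here */
{
	stale_hits += o->freed;
	return &o->holders;
}

/* Assumed contract: on failure the callee drops the caller's reference. */
static int open_dev(struct obj *dev, int fail)
{
	if (fail)
		obj_put(dev);
	return fail ? -1 : 0;
}

/* variant 0: abort touches only "whole" (the shape quoted in the message);
 * 1: abort also touches "dev" (hypothetical); 2: same as 1, reference pinned */
int run(int variant)
{
	struct obj whole = { .refs = 1, .holders = 1 };
	struct obj dev = { .refs = 1, .holders = 1 };
	stale_hits = 0;
	dev.refs += (variant == 2);	/* pin before the call that may drop it */
	if (open_dev(&dev, 1) != 0) {
		--*holders_of(&whole);
		if (variant != 0)
			--*holders_of(&dev);	/* stale unless pinned */
	}
	if (variant == 2)
		obj_put(&dev);	/* release the pinned reference last */
	return stale_hits;
}

int main(void)
{
	for (int v = 0; v < 3; v++)
		printf("variant %d: stale accesses = %d\n", v, run(v));
	return 0;
}
```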