From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zhang Xingcai <zhangxingcai@huawei.com>,
Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>,
Alexander Sverdlin <alexander.sverdlin@nokia.com>,
Brian Norris <computersforpeace@gmail.com>
Subject: [PATCH 3.10 13/89] mtd: fix: avoid race condition when accessing mtd->usecount
Date: Fri, 31 Jul 2015 12:40:55 -0700 [thread overview]
Message-ID: <20150731194031.015519492@linuxfoundation.org> (raw)
In-Reply-To: <20150731194030.516335023@linuxfoundation.org>
3.10-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris <computersforpeace@gmail.com>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.
On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd->usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [<ffffffff80401818>] __put_mtd_device+0x20/0x50
kernel: [<ffffffff804086f4>] blktrans_release+0x8c/0xd8
kernel: [<ffffffff802577e0>] __blkdev_put+0x1a8/0x200
kernel: [<ffffffff802579a4>] blkdev_close+0x1c/0x30
kernel: [<ffffffff8022006c>] __fput+0xac/0x250
kernel: [<ffffffff80171208>] task_work_run+0xd8/0x120
kernel: [<ffffffff8012c23c>] work_notifysig+0x10/0x18
kernel:
kernel:
Code: 2442ffff ac8202d8 000217fe <00020336> dc820128 10400003
00000000 0040f809 00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---
Fixed by taking the mutex in blktrans_open and blktrans_release.
Note that this locking is already suggested in
include/linux/mtd/blktrans.h:
struct mtd_blktrans_ops {
...
/* Called with mtd_table_mutex held; no race with add/remove */
int (*open)(struct mtd_blktrans_dev *dev);
void (*release)(struct mtd_blktrans_dev *dev);
...
};
But we weren't following it.
Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.
Reported-by: Zhang Xingcai <zhangxingcai@huawei.com>
Reported-by: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
Tested-by: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
Acked-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtd_blkdevs.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/mtd/mtd_blkdevs.c
+++ b/drivers/mtd/mtd_blkdevs.c
@@ -199,6 +199,7 @@ static int blktrans_open(struct block_de
return -ERESTARTSYS; /* FIXME: busy loop! -arnd*/
mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
if (dev->open)
goto unlock;
@@ -222,6 +223,7 @@ static int blktrans_open(struct block_de
unlock:
dev->open++;
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
return ret;
@@ -232,6 +234,7 @@ error_release:
error_put:
module_put(dev->tr->owner);
kref_put(&dev->ref, blktrans_dev_release);
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
return ret;
@@ -245,6 +248,7 @@ static void blktrans_release(struct gend
return;
mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
if (--dev->open)
goto unlock;
@@ -258,6 +262,7 @@ static void blktrans_release(struct gend
__put_mtd_device(dev->mtd);
}
unlock:
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
}
next prev parent reply other threads:[~2015-07-31 20:21 UTC|newest]
Thread overview: 88+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-31 19:40 [PATCH 3.10 00/89] 3.10.85-stable review Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 01/89] ipr: Increase default adapter init stage change timeout Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 02/89] Disable write buffering on Toshiba ToPIC95 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 03/89] ALSA: hda - Add headset support to Acer Aspire V5 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 04/89] ALSA: hda - Fix the dock headphone output on Fujitsu Lifebook E780 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 05/89] ARC: add compiler barrier to LLSC based cmpxchg Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 06/89] arm64: Do not attempt to use init_mm in reset_context() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 07/89] arm64: mm: Fix freeing of the wrong memmap entries with !SPARSEMEM_VMEMMAP Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 08/89] arm64: vdso: work-around broken ELF toolchains in Makefile Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 09/89] cpuidle / menu: Return (-1) if there are no suitable states Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 10/89] regmap: Fix regmap_bulk_read in BE mode Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 11/89] regulator: core: fix constraints output buffer Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 12/89] spi: pl022: Specify num-cs property as required in devicetree binding Greg Kroah-Hartman
2015-07-31 19:40 ` Greg Kroah-Hartman [this message]
2015-07-31 19:40 ` [PATCH 3.10 15/89] pinctrl: mvebu: armada-370: fix spi0 pin description Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 16/89] pinctrl: mvebu: armada-xp: remove non-existing NAND pins Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.10 17/89] pinctrl: mvebu: armada-xp: remove non-existing VDD cpu_pd functions Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 18/89] pinctrl: mvebu: armada-xp: fix functions of MPP48 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 19/89] Bluetooth: btusb: Fix memory leak in Intel setup routine Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 20/89] ath9k: fix DMA stop sequence for AR9003+ Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 21/89] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 22/89] ext4: fix race between truncate and __ext4_journalled_writepage() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 23/89] ext4: call sync_blockdev() before invalidate_bdev() in put_super() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 24/89] ext4: dont retry file block mapping on bigalloc fs with non-extent file Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 25/89] ext4: fix reservation release on invalidatepage for delalloc fs Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 26/89] ext4: be more strict when migrating to non-extent based file Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 27/89] ext4: correctly migrate a file with a hole at the beginning Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 28/89] ext4: replace open coded nofail allocation in ext4_free_blocks() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 29/89] jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 30/89] jbd2: fix ocfs2 corrupt when updating journal superblock fails Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 31/89] i2c: at91: fix a race condition when using the DMA controller Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 32/89] iio: DAC: ad5624r_spi: fix bit shift of output data value Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 33/89] [media] af9013: Dont accept invalid bandwidth Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 34/89] [media] s5h1420: fix a buffer overflow when checking userspace params Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 35/89] [media] cx24116: " Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 37/89] ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 39/89] ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1] Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 40/89] libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 41/89] libata: increase the timeout when setting transfer mode Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 42/89] usb: dwc3: gadget: return error if command sent to DGCMD register fails Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 43/89] usb: dwc3: gadget: return error if command sent to DEPCMD " Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 44/89] usb: dwc3: Reset the transfer resource index on SET_INTERFACE Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 45/89] USB: devio: fix a condition in async_completed() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 46/89] USB: cp210x: add ID for Aruba Networks controllers Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 47/89] USB: option: add 2020:4000 ID Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 48/89] usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 49/89] dm btree remove: fix bug in redistribute3 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 50/89] dm btree: silence lockdep lock inversion in dm_btree_del() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 51/89] mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 52/89] drm/qxl: Do not cause spice-server to clean our objects Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 53/89] drm/radeon: take the mode_config mutex when dealing with hpds (v2) Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 55/89] drm: add a check for x/y in drm_mode_setcrtc Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 56/89] xfs: fix remote symlinks on V5/CRC filesystems Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 57/89] vTPM: set virtual device before passing to ibmvtpm_reset_crq Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 58/89] libata: add ATA_HORKAGE_NOTRIM Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 59/89] libata: force disable trim for SuperSSpeed S238 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 60/89] tracing/filter: Do not WARN on operand count going below zero Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 61/89] tracing/filter: Do not allow infix to exceed end of string Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 62/89] tracing: Have branch tracer use recursive field of task struct Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 63/89] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 64/89] hwmon: (mcp3021) Fix broken output scaling Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 65/89] md: fix a build warning Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 66/89] Btrfs: use kmem_cache_free when freeing entry in inode cache Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 67/89] fuse: initialize fc->release before calling it Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 68/89] crush: fix a bug in tree bucket decode Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 69/89] ACPICA: Tables: Fix an issue that FACS initialization is performed twice Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 70/89] iscsi-target: Convert iscsi_thread_set usage to kthread.h Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 71/89] iser-target: Fix possible deadlock in RDMA_CM connection error Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 72/89] iser-target: release stale iser connections Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 73/89] mmc: card: Fixup request missing in mmc_blk_issue_rw_rq Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 74/89] __bitmap_parselist: fix bug in empty string handling Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 75/89] mac80211: prevent possible crypto tx tailroom corruption Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.10 76/89] USB: usbfs: allow URBs to be reaped after disconnection Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 78/89] NFS: Fix size of NFSACL SETACL operations Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 79/89] fixing infinite OPEN loop in 4.0 stateid recovery Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 80/89] nfs: increase size of EXCHANGE_ID name string buffer Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 81/89] SUNRPC: Fix a memory leak in the backchannel code Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 82/89] 9p: forgetting to cancel request on interrupted zero-copy RPC Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 83/89] 9p: dont leave a half-initialized inode sitting around Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 84/89] rbd: use GFP_NOIO in rbd_obj_request_create() Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 85/89] agp/intel: Fix typo in needs_ilk_vtd_wa() Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 86/89] hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 87/89] Fix firmware loader uevent buffer NULL pointer dereference Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 88/89] qla2xxx: Mark port lost when we receive an RSCN for it Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.10 89/89] MIPS: KVM: Do not sign extend on unsigned MMIO load Greg Kroah-Hartman
2015-08-01 2:06 ` [PATCH 3.10 00/89] 3.10.85-stable review Guenter Roeck
2015-08-01 8:27 ` Sudip Mukherjee
2015-08-03 18:26 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150731194031.015519492@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.sverdlin@nokia.com \
--cc=computersforpeace@gmail.com \
--cc=giuseppe.cantavenera.ext@nokia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhangxingcai@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox