From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Zhang Xingcai <zhangxingcai@huawei.com>,
Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>,
Alexander Sverdlin <alexander.sverdlin@nokia.com>,
Brian Norris <computersforpeace@gmail.com>
Subject: [PATCH 3.14 021/125] mtd: fix: avoid race condition when accessing mtd->usecount
Date: Fri, 31 Jul 2015 12:40:21 -0700 [thread overview]
Message-ID: <20150731194027.817633515@linuxfoundation.org> (raw)
In-Reply-To: <20150731194027.037807932@linuxfoundation.org>
3.14-stable review patch. If anyone has any objections, please let me know.
------------------
From: Brian Norris <computersforpeace@gmail.com>
commit 073db4a51ee43ccb827f54a4261c0583b028d5ab upstream.
On A MIPS 32-cores machine a BUG_ON was triggered because some acesses to
mtd->usecount were done without taking mtd_table_mutex.
kernel: Call Trace:
kernel: [<ffffffff80401818>] __put_mtd_device+0x20/0x50
kernel: [<ffffffff804086f4>] blktrans_release+0x8c/0xd8
kernel: [<ffffffff802577e0>] __blkdev_put+0x1a8/0x200
kernel: [<ffffffff802579a4>] blkdev_close+0x1c/0x30
kernel: [<ffffffff8022006c>] __fput+0xac/0x250
kernel: [<ffffffff80171208>] task_work_run+0xd8/0x120
kernel: [<ffffffff8012c23c>] work_notifysig+0x10/0x18
kernel:
kernel:
Code: 2442ffff ac8202d8 000217fe <00020336> dc820128 10400003
00000000 0040f809 00000000
kernel: ---[ end trace 080fbb4579b47a73 ]---
Fixed by taking the mutex in blktrans_open and blktrans_release.
Note that this locking is already suggested in
include/linux/mtd/blktrans.h:
struct mtd_blktrans_ops {
...
/* Called with mtd_table_mutex held; no race with add/remove */
int (*open)(struct mtd_blktrans_dev *dev);
void (*release)(struct mtd_blktrans_dev *dev);
...
};
But we weren't following it.
Originally reported by (and patched by) Zhang and Giuseppe,
independently. Improved and rewritten.
Reported-by: Zhang Xingcai <zhangxingcai@huawei.com>
Reported-by: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
Tested-by: Giuseppe Cantavenera <giuseppe.cantavenera.ext@nokia.com>
Acked-by: Alexander Sverdlin <alexander.sverdlin@nokia.com>
Signed-off-by: Brian Norris <computersforpeace@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/mtd/mtd_blkdevs.c | 5 +++++
1 file changed, 5 insertions(+)
--- a/drivers/mtd/mtd_blkdevs.c
+++ b/drivers/mtd/mtd_blkdevs.c
@@ -199,6 +199,7 @@ static int blktrans_open(struct block_de
return -ERESTARTSYS; /* FIXME: busy loop! -arnd*/
mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
if (dev->open)
goto unlock;
@@ -222,6 +223,7 @@ static int blktrans_open(struct block_de
unlock:
dev->open++;
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
return ret;
@@ -232,6 +234,7 @@ error_release:
error_put:
module_put(dev->tr->owner);
kref_put(&dev->ref, blktrans_dev_release);
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
return ret;
@@ -245,6 +248,7 @@ static void blktrans_release(struct gend
return;
mutex_lock(&dev->lock);
+ mutex_lock(&mtd_table_mutex);
if (--dev->open)
goto unlock;
@@ -258,6 +262,7 @@ static void blktrans_release(struct gend
__put_mtd_device(dev->mtd);
}
unlock:
+ mutex_unlock(&mtd_table_mutex);
mutex_unlock(&dev->lock);
blktrans_dev_put(dev);
}
next prev parent reply other threads:[~2015-07-31 20:08 UTC|newest]
Thread overview: 123+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-07-31 19:40 [PATCH 3.14 000/125] 3.14.49-stable review Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 001/125] rcu: Correctly handle non-empty Tiny RCU callback list with none ready Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 002/125] ipr: Increase default adapter init stage change timeout Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 003/125] Disable write buffering on Toshiba ToPIC95 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 004/125] ALSA: hda - Add headset support to Acer Aspire V5 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 005/125] ALSA: hda - Fix the dock headphone output on Fujitsu Lifebook E780 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 006/125] ACPI / init: Switch over platform to the ACPI mode later Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 007/125] ARC: add compiler barrier to LLSC based cmpxchg Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 008/125] arm64: Do not attempt to use init_mm in reset_context() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 009/125] arm64: mm: Fix freeing of the wrong memmap entries with !SPARSEMEM_VMEMMAP Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 010/125] arm64: vdso: work-around broken ELF toolchains in Makefile Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 011/125] cpuidle / menu: Return (-1) if there are no suitable states Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 012/125] regmap: Fix regmap_bulk_read in BE mode Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 013/125] regmap: Fix possible shift overflow in regmap_field_init() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 014/125] regulator: core: fix constraints output buffer Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 016/125] spi: pl022: Specify num-cs property as required in devicetree binding Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 017/125] scsi_transport_srp: Introduce srp_wait_for_queuecommand() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 018/125] scsi_transport_srp: Fix a race condition Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 019/125] genirq: devres: Fix testing return value of request_any_context_irq() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 020/125] leds / PM: fix hibernation on arm when gpio-led used with CPU led trigger Greg Kroah-Hartman
2015-07-31 19:40 ` Greg Kroah-Hartman [this message]
2015-07-31 19:40 ` [PATCH 3.14 023/125] thermal: step_wise: fix: Prevent from binary overflow when trend is dropping Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 024/125] pinctrl: mvebu: armada-370: fix spi0 pin description Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 025/125] pinctrl: mvebu: armada-xp: remove non-existing NAND pins Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 026/125] pinctrl: mvebu: armada-xp: remove non-existing VDD cpu_pd functions Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 027/125] pinctrl: mvebu: armada-xp: fix functions of MPP48 Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 029/125] mtd: nand: fix erroneous read_buf call in nand_write_page_raw_syndrome Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 030/125] Bluetooth: btusb: Fix memory leak in Intel setup routine Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 031/125] ath9k: fix DMA stop sequence for AR9003+ Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 032/125] staging: rtl8712: prevent buffer overrun in recvbuf2recvframe Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 033/125] ext4: fix race between truncate and __ext4_journalled_writepage() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 034/125] ext4: call sync_blockdev() before invalidate_bdev() in put_super() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 035/125] ext4: dont retry file block mapping on bigalloc fs with non-extent file Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 036/125] ext4: fix reservation release on invalidatepage for delalloc fs Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 037/125] ext4: be more strict when migrating to non-extent based file Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 038/125] ext4: correctly migrate a file with a hole at the beginning Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 039/125] ext4: replace open coded nofail allocation in ext4_free_blocks() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 040/125] jbd2: use GFP_NOFS in jbd2_cleanup_journal_tail() Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 041/125] jbd2: fix ocfs2 corrupt when updating journal superblock fails Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 042/125] i2c: at91: fix a race condition when using the DMA controller Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 043/125] iio: DAC: ad5624r_spi: fix bit shift of output data value Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 044/125] iio: tmp006: Check channel info on write Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 045/125] iio: adc: at91_adc: allow to use full range of startup time Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 046/125] [media] cx24117: fix a buffer overflow when checking userspace params Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 047/125] [media] af9013: Dont accept invalid bandwidth Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 048/125] [media] s5h1420: fix a buffer overflow when checking userspace params Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 049/125] [media] cx24116: " Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 050/125] ASoC: arizona: Fix noise generator gain TLV Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 051/125] ASoC: imx-wm8962: Add a missing error check Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 053/125] ASoC: wm8955: Fix setting wrong register for WM8955_K_8_0_MASK bits Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 055/125] ASoC: wm8960: the enum of "DAC Polarity" should be wm8960_enum[1] Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 056/125] libata: add ATA_HORKAGE_BROKEN_FPDMA_AA quirk for HP 250GB SATA disk VB0250EAVER Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 057/125] libata: increase the timeout when setting transfer mode Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 058/125] usb: dwc3: gadget: return error if command sent to DGCMD register fails Greg Kroah-Hartman
2015-07-31 19:40 ` [PATCH 3.14 059/125] usb: dwc3: gadget: return error if command sent to DEPCMD " Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 060/125] usb: dwc3: Reset the transfer resource index on SET_INTERFACE Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 061/125] USB: devio: fix a condition in async_completed() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 062/125] usb: musb: host: rely on port_mode to call musb_start() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 063/125] USB: cp210x: add ID for Aruba Networks controllers Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 064/125] USB: option: add 2020:4000 ID Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 065/125] USB: serial: Destroy serial_minors IDR on module exit Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 066/125] usb: xhci: Bugfix for NULL pointer deference in xhci_endpoint_init() function Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 067/125] dm stats: fix divide by zero if number_of_areas arg is zero Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 068/125] dm space map metadata: fix occasional leak of a metadata block on resize Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 069/125] dm btree remove: fix bug in redistribute3 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 070/125] dm btree: silence lockdep lock inversion in dm_btree_del() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 071/125] mmc: block: Add missing mmc_blk_put() in power_ro_lock_show() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 072/125] drm/qxl: Do not cause spice-server to clean our objects Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 073/125] drm/qxl: Do not leak memory if qxl_release_list_add fails Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 074/125] drm/radeon: take the mode_config mutex when dealing with hpds (v2) Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 078/125] drm/radeon: add a dpm quirk for Sapphire Radeon R9 270X 2GB GDDR5 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 079/125] drm: add a check for x/y in drm_mode_setcrtc Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 080/125] xfs: fix remote symlinks on V5/CRC filesystems Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 081/125] vTPM: set virtual device before passing to ibmvtpm_reset_crq Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 082/125] KEYS: ensure we free the assoc array edit if edit is valid Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 083/125] ima: fix ima_show_template_data_ascii() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 084/125] evm: labeling pseudo filesystems exception Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 085/125] libata: add ATA_HORKAGE_NOTRIM Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 086/125] libata: force disable trim for SuperSSpeed S238 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 087/125] tracing/filter: Do not WARN on operand count going below zero Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 088/125] tracing/filter: Do not allow infix to exceed end of string Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 089/125] tracing: Have branch tracer use recursive field of task struct Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 090/125] dmaengine: mv_xor: bug fix for racing condition in descriptors cleanup Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 091/125] hwmon: (mcp3021) Fix broken output scaling Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 092/125] md: fix a build warning Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 093/125] Btrfs: use kmem_cache_free when freeing entry in inode cache Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 094/125] Btrfs: fix memory leak in the extent_same ioctl Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 095/125] fuse: initialize fc->release before calling it Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 096/125] crush: fix a bug in tree bucket decode Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 097/125] ACPICA: Tables: Fix an issue that FACS initialization is performed twice Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 098/125] iscsi-target: Convert iscsi_thread_set usage to kthread.h Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 099/125] iser-target: Fix possible deadlock in RDMA_CM connection error Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 100/125] iser-target: release stale iser connections Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 101/125] mmc: card: Fixup request missing in mmc_blk_issue_rw_rq Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 102/125] PM / sleep: Increase default DPM watchdog timeout to 60 Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 103/125] __bitmap_parselist: fix bug in empty string handling Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 104/125] security_syslog() should be called once only Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 105/125] mac80211: prevent possible crypto tx tailroom corruption Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 106/125] clocksource: exynos_mct: Avoid blocking calls in the cpu hotplug notifier Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 107/125] ideapad: fix software rfkill setting Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 109/125] USB: usbfs: allow URBs to be reaped after disconnection Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 110/125] block: Do a full clone when splitting discard bios Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 111/125] of: return NUMA_NO_NODE from fallback of_node_to_nid() Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 113/125] NFS: Fix size of NFSACL SETACL operations Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 114/125] fixing infinite OPEN loop in 4.0 stateid recovery Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 115/125] nfs: increase size of EXCHANGE_ID name string buffer Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 116/125] SUNRPC: Fix a memory leak in the backchannel code Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 117/125] 9p: forgetting to cancel request on interrupted zero-copy RPC Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 118/125] 9p: dont leave a half-initialized inode sitting around Greg Kroah-Hartman
2015-07-31 19:41 ` [PATCH 3.14 119/125] rbd: use GFP_NOIO in rbd_obj_request_create() Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 120/125] agp/intel: Fix typo in needs_ilk_vtd_wa() Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 121/125] arm64: Dont report clear pmds and puds as huge Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 122/125] hpfs: hpfs_error: Remove static buffer, use vsprintf extension %pV instead Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 123/125] Fix firmware loader uevent buffer NULL pointer dereference Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 124/125] qla2xxx: Mark port lost when we receive an RSCN for it Greg Kroah-Hartman
2015-07-31 19:42 ` [PATCH 3.14 125/125] MIPS: KVM: Do not sign extend on unsigned MMIO load Greg Kroah-Hartman
2015-08-01 2:07 ` [PATCH 3.14 000/125] 3.14.49-stable review Guenter Roeck
2015-08-01 7:09 ` Sudip Mukherjee
2015-08-01 7:12 ` Sudip Mukherjee
2015-08-03 16:17 ` Greg Kroah-Hartman
2015-08-03 19:03 ` Shuah Khan
2015-08-03 21:11 ` Greg Kroah-Hartman
2015-08-03 18:27 ` Shuah Khan
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20150731194027.817633515@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=alexander.sverdlin@nokia.com \
--cc=computersforpeace@gmail.com \
--cc=giuseppe.cantavenera.ext@nokia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=zhangxingcai@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).