On Wed, 16 Sep 2020 16:52:45 +0200
Danny Milosavljevic <dan...@scratchpost.org> wrote:

> commit 692d0626557451c4b557397f20b7394b612d0289
> Author: Christoph Hellwig <h...@lst.de>
> Date:   Tue Sep 1 11:59:41 2020 +0200
> 
>     block: fix locking in bdev_del_partition
>     
>     [ Upstream commit 08fc1ab6d748ab1a690fd483f41e2938984ce353 ]
>     
>     We need to hold the whole device bd_mutex to protect against
>     another thread concurrently deleting our partition before we get
>     to it, and thus causing a use after free.
>     
>     Fixes: cddae808aeb7 ("block: pass a hd_struct to delete_partition")
>     Reported-by: syzbot+6448f3c229bc52b82...@syzkaller.appspotmail.com
>     Signed-off-by: Christoph Hellwig <h...@lst.de>
>     Signed-off-by: Jens Axboe <ax...@kernel.dk>
>     Signed-off-by: Sasha Levin <sas...@kernel.org>
> 

int bdev_del_partition(struct block_device *bdev, int partno)
{
        struct block_device *bdevp;
        struct hd_struct *part = NULL;
        int ret;

        bdevp = bdget_disk(bdev->bd_disk, partno);
        if (!bdevp)
                return -ENOMEM; <--------------

...
}

/*
 * Look up partition @partno on @disk and return the block_device obtained
 * from bdget() for that partition's device number.
 *
 * Returns NULL in two distinct cases that a caller cannot tell apart from
 * the return value alone: disk_get_part() yielded no partition for @partno,
 * or bdget() itself returned NULL. A caller that maps NULL to a single errno
 * therefore reports the same error for both conditions.
 */
struct block_device *bdget_disk(struct gendisk *disk, int partno)
{
        struct hd_struct *part = disk_get_part(disk, partno);
        struct block_device *bdev = part ? bdget(part_devt(part)) : NULL;

        /*
         * Pairs with disk_get_part() above; invoked even when part is NULL,
         * so disk_put_part() is presumably NULL-tolerant (confirm against
         * its definition).
         */
        disk_put_part(part);

        return bdev;
}

struct block_device *bdget(dev_t dev)
{
        struct block_device *bdev;
        struct inode *inode;

        inode = iget5_locked(blockdev_superblock, hash(dev),
                        bdev_test, bdev_set, &dev);

        if (!inode)
                return NULL; <--------------------
[...]
}
