> On 16 Sep 2017, at 20.39, Rakesh Pandit <rak...@tuxera.com> wrote:
>
> nvm_tgt_types list was protected by wrong lock for NVM_INFO ioctl call
> and can race with addition or removal of target types. Also
> unregistering target type was not protected correctly.
>
> Fixes: 5cd907853 ("lightnvm: remove nested lock conflict with mm")
> Signed-off-by: Rakesh Pandit <rak...@tuxera.com>
> ---
>
> V2: also add correct lock while unregistering and fix "Fixes" tag at
> end. Note I found these while investigating another issue and
> skimming the core code but worth fixing.
>
> drivers/lightnvm/core.c | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/drivers/lightnvm/core.c b/drivers/lightnvm/core.c
> index 9f9a137..1b8338d 100644
> --- a/drivers/lightnvm/core.c
> +++ b/drivers/lightnvm/core.c
> @@ -589,9 +589,9 @@ void nvm_unregister_tgt_type(struct nvm_tgt_type *tt)
> if (!tt)
> return;
>
> - down_write(&nvm_lock);
> + down_write(&nvm_tgtt_lock);
> list_del(&tt->list);
> - up_write(&nvm_lock);
> + up_write(&nvm_tgtt_lock);
> }
> EXPORT_SYMBOL(nvm_unregister_tgt_type);
>
> @@ -1190,7 +1190,7 @@ static long nvm_ioctl_info(struct file *file, void
> __user *arg)
> info->version[1] = NVM_VERSION_MINOR;
> info->version[2] = NVM_VERSION_PATCH;
>
> - down_write(&nvm_lock);
> + down_write(&nvm_tgtt_lock);
> list_for_each_entry(tt, &nvm_tgt_types, list) {
> struct nvm_ioctl_info_tgt *tgt = &info->tgts[tgt_iter];
>
> @@ -1203,7 +1203,7 @@ static long nvm_ioctl_info(struct file *file, void
> __user *arg)
> }
>
> info->tgtsize = tgt_iter;
> - up_write(&nvm_lock);
> + up_write(&nvm_tgtt_lock);
>
> if (copy_to_user(arg, info, sizeof(struct nvm_ioctl_info))) {
> kfree(info);
> --
> 2.7.4LGTM. Reviewed-by: Javier González <jav...@cnexlabs.com>
signature.asc
Description: Message signed with OpenPGP
