Commit e39bfb59 authored by Linus Torvalds's avatar Linus Torvalds
Browse files

Merge tag 'for-6.6/dm-fixes' of... 

Merge tag 'for-6.6/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm

Pull device mapper fixes from Mike Snitzer:

 - Fix DM core retrieve_deps() UAF race due to missing locking of a DM
   table's list of devices that is managed using dm_{get,put}_device.

 - Revert DM core's half-baked RCU optimization if IO submitter has set
   REQ_NOWAIT. Can be revisited, and properly justified, after
   comprehensively auditing all of DM to also pass GFP_NOWAIT for any
   allocations if REQ_NOWAIT used.

* tag 'for-6.6/dm-fixes' of git://git.kernel.org/pub/scm/linux/kernel/git/device-mapper/linux-dm:
  dm: don't attempt to queue IO under RCU protection
  dm: fix a race condition in retrieve_deps
parents 5bc357b2 a9ce3853

drivers/md/dm-core.h

+1 −0
Original line number Diff line number Diff line
@@ -214,6 +214,7 @@ struct dm_table { 


	/* a list of devices used by this table */

	struct list_head devices;

	struct rw_semaphore devices_lock;



	/* events get handed up using this callback */

	void (*event_fn)(void *data);

drivers/md/dm-ioctl.c

+6 −1
Original line number Diff line number Diff line
@@ -1630,6 +1630,8 @@ static void retrieve_deps(struct dm_table *table, 
	struct dm_dev_internal *dd;

	struct dm_target_deps *deps;



	down_read(&table->devices_lock);



	deps = get_result_buffer(param, param_size, &len);



	/*
@@ -1644,7 +1646,7 @@ static void retrieve_deps(struct dm_table *table, 
	needed = struct_size(deps, dev, count);

	if (len < needed) {

		param->flags |= DM_BUFFER_FULL_FLAG;

		return;

		goto out;

	}



	/*
@@ -1656,6 +1658,9 @@ static void retrieve_deps(struct dm_table *table, 
		deps->dev[count++] = huge_encode_dev(dd->dm_dev->bdev->bd_dev);



	param->data_size = param->data_start + needed;



out:

	up_read(&table->devices_lock);

}



static int table_deps(struct file *filp, struct dm_ioctl *param, size_t param_size)

drivers/md/dm-table.c

+24 −8
Original line number Diff line number Diff line
@@ -135,6 +135,7 @@ int dm_table_create(struct dm_table **result, blk_mode_t mode, 
		return -ENOMEM;



	INIT_LIST_HEAD(&t->devices);

	init_rwsem(&t->devices_lock);



	if (!num_targets)

		num_targets = KEYS_PER_NODE;
@@ -359,16 +360,20 @@ int __ref dm_get_device(struct dm_target *ti, const char *path, blk_mode_t mode, 
	if (dev == disk_devt(t->md->disk))

		return -EINVAL;



	down_write(&t->devices_lock);



	dd = find_device(&t->devices, dev);

	if (!dd) {

		dd = kmalloc(sizeof(*dd), GFP_KERNEL);

		if (!dd)

			return -ENOMEM;

		if (!dd) {

			r = -ENOMEM;

			goto unlock_ret_r;

		}



		r = dm_get_table_device(t->md, dev, mode, &dd->dm_dev);

		if (r) {

			kfree(dd);

			return r;

			goto unlock_ret_r;

		}



		refcount_set(&dd->count, 1);
@@ -378,12 +383,17 @@ int __ref dm_get_device(struct dm_target *ti, const char *path, blk_mode_t mode, 
	} else if (dd->dm_dev->mode != (mode | dd->dm_dev->mode)) {

		r = upgrade_mode(dd, mode, t->md);

		if (r)

			return r;

			goto unlock_ret_r;

	}

	refcount_inc(&dd->count);

out:

	up_write(&t->devices_lock);

	*result = dd->dm_dev;

	return 0;



unlock_ret_r:

	up_write(&t->devices_lock);

	return r;

}

EXPORT_SYMBOL(dm_get_device);
@@ -419,9 +429,12 @@ static int dm_set_device_limits(struct dm_target *ti, struct dm_dev *dev, 
void dm_put_device(struct dm_target *ti, struct dm_dev *d)

{

	int found = 0;

	struct list_head *devices = &ti->table->devices;

	struct dm_table *t = ti->table;

	struct list_head *devices = &t->devices;

	struct dm_dev_internal *dd;



	down_write(&t->devices_lock);



	list_for_each_entry(dd, devices, list) {

		if (dd->dm_dev == d) {

			found = 1;
@@ -430,14 +443,17 @@ void dm_put_device(struct dm_target *ti, struct dm_dev *d) 
	}

	if (!found) {

		DMERR("%s: device %s not in table devices list",

		      dm_device_name(ti->table->md), d->name);

		return;

		      dm_device_name(t->md), d->name);

		goto unlock_ret;

	}

	if (refcount_dec_and_test(&dd->count)) {

		dm_put_table_device(ti->table->md, d);

		dm_put_table_device(t->md, d);

		list_del(&dd->list);

		kfree(dd);

	}



unlock_ret:

	up_write(&t->devices_lock);

}

EXPORT_SYMBOL(dm_put_device);

drivers/md/dm.c

+2 −21
Original line number Diff line number Diff line
@@ -715,24 +715,6 @@ static void dm_put_live_table_fast(struct mapped_device *md) __releases(RCU) 
	rcu_read_unlock();

}



static inline struct dm_table *dm_get_live_table_bio(struct mapped_device *md,

					int *srcu_idx, blk_opf_t bio_opf)

{

	if (bio_opf & REQ_NOWAIT)

		return dm_get_live_table_fast(md);

	else

		return dm_get_live_table(md, srcu_idx);

}



static inline void dm_put_live_table_bio(struct mapped_device *md, int srcu_idx,

					 blk_opf_t bio_opf)

{

	if (bio_opf & REQ_NOWAIT)

		dm_put_live_table_fast(md);

	else

		dm_put_live_table(md, srcu_idx);

}



static char *_dm_claim_ptr = "I belong to device-mapper";



/*
@@ -1833,9 +1815,8 @@ static void dm_submit_bio(struct bio *bio) 
	struct mapped_device *md = bio->bi_bdev->bd_disk->private_data;

	int srcu_idx;

	struct dm_table *map;

	blk_opf_t bio_opf = bio->bi_opf;



	map = dm_get_live_table_bio(md, &srcu_idx, bio_opf);

	map = dm_get_live_table(md, &srcu_idx);



	/* If suspended, or map not yet available, queue this IO for later */

	if (unlikely(test_bit(DMF_BLOCK_IO_FOR_SUSPEND, &md->flags)) ||
@@ -1851,7 +1832,7 @@ static void dm_submit_bio(struct bio *bio) 


	dm_split_and_process_bio(md, map, bio);

out:

	dm_put_live_table_bio(md, srcu_idx, bio_opf);

	dm_put_live_table(md, srcu_idx);

}



static bool dm_poll_dm_io(struct dm_io *io, struct io_comp_batch *iob,