mirror of
https://github.com/edk2-porting/linux-next.git
synced 2025-01-07 13:13:57 +08:00
153fcd5f6d
brd_free() may be called in failure path on one brd instance which disk isn't added yet, so release handler of gendisk may free the associated request_queue early and causes the following use-after-free[1]. This patch fixes this issue by associating gendisk with request_queue just before adding disk. [1] KASAN: use-after-free Read in del_timer_syncNon-volatile memory driver v1.3 Linux agpgart interface v0.103 [drm] Initialized vgem 1.0.0 20120112 for virtual device on minor 0 usbcore: registered new interface driver udl ================================================================== BUG: KASAN: use-after-free in __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218 Read of size 8 at addr ffff8801d1b6b540 by task swapper/0/1 CPU: 0 PID: 1 Comm: swapper/0 Not tainted 4.19.0+ #88 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x244/0x39d lib/dump_stack.c:113 print_address_description.cold.7+0x9/0x1ff mm/kasan/report.c:256 kasan_report_error mm/kasan/report.c:354 [inline] kasan_report.cold.8+0x242/0x309 mm/kasan/report.c:412 __asan_report_load8_noabort+0x14/0x20 mm/kasan/report.c:433 __lock_acquire+0x36d9/0x4c20 kernel/locking/lockdep.c:3218 lock_acquire+0x1ed/0x520 kernel/locking/lockdep.c:3844 del_timer_sync+0xb7/0x270 kernel/time/timer.c:1283 blk_cleanup_queue+0x413/0x710 block/blk-core.c:809 brd_free+0x5d/0x71 drivers/block/brd.c:422 brd_init+0x2eb/0x393 drivers/block/brd.c:518 do_one_initcall+0x145/0x957 init/main.c:890 do_initcall_level init/main.c:958 [inline] do_initcalls init/main.c:966 [inline] do_basic_setup init/main.c:984 [inline] kernel_init_freeable+0x5c6/0x6b9 init/main.c:1148 kernel_init+0x11/0x1ae init/main.c:1068 ret_from_fork+0x3a/0x50 arch/x86/entry/entry_64.S:350 Reported-by: syzbot+3701447012fe951dabb2@syzkaller.appspotmail.com Signed-off-by: Ming Lei <ming.lei@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk>
548 lines
13 KiB
C
548 lines
13 KiB
C
/*
|
|
* Ram backed block device driver.
|
|
*
|
|
* Copyright (C) 2007 Nick Piggin
|
|
* Copyright (C) 2007 Novell Inc.
|
|
*
|
|
* Parts derived from drivers/block/rd.c, and drivers/block/loop.c, copyright
|
|
* of their respective owners.
|
|
*/
|
|
|
|
#include <linux/init.h>
|
|
#include <linux/initrd.h>
|
|
#include <linux/module.h>
|
|
#include <linux/moduleparam.h>
|
|
#include <linux/major.h>
|
|
#include <linux/blkdev.h>
|
|
#include <linux/bio.h>
|
|
#include <linux/highmem.h>
|
|
#include <linux/mutex.h>
|
|
#include <linux/radix-tree.h>
|
|
#include <linux/fs.h>
|
|
#include <linux/slab.h>
|
|
#include <linux/backing-dev.h>
|
|
|
|
#include <linux/uaccess.h>
|
|
|
|
#define PAGE_SECTORS_SHIFT (PAGE_SHIFT - SECTOR_SHIFT)
|
|
#define PAGE_SECTORS (1 << PAGE_SECTORS_SHIFT)
|
|
|
|
/*
|
|
* Each block ramdisk device has a radix_tree brd_pages of pages that stores
|
|
* the pages containing the block device's contents. A brd page's ->index is
|
|
* its offset in PAGE_SIZE units. This is similar to, but in no way connected
|
|
* with, the kernel's pagecache or buffer cache (which sit above our block
|
|
* device).
|
|
*/
|
|
struct brd_device {
|
|
int brd_number;
|
|
|
|
struct request_queue *brd_queue;
|
|
struct gendisk *brd_disk;
|
|
struct list_head brd_list;
|
|
|
|
/*
|
|
* Backing store of pages and lock to protect it. This is the contents
|
|
* of the block device.
|
|
*/
|
|
spinlock_t brd_lock;
|
|
struct radix_tree_root brd_pages;
|
|
};
|
|
|
|
/*
|
|
* Look up and return a brd's page for a given sector.
|
|
*/
|
|
static struct page *brd_lookup_page(struct brd_device *brd, sector_t sector)
|
|
{
|
|
pgoff_t idx;
|
|
struct page *page;
|
|
|
|
/*
|
|
* The page lifetime is protected by the fact that we have opened the
|
|
* device node -- brd pages will never be deleted under us, so we
|
|
* don't need any further locking or refcounting.
|
|
*
|
|
* This is strictly true for the radix-tree nodes as well (ie. we
|
|
* don't actually need the rcu_read_lock()), however that is not a
|
|
* documented feature of the radix-tree API so it is better to be
|
|
* safe here (we don't have total exclusion from radix tree updates
|
|
* here, only deletes).
|
|
*/
|
|
rcu_read_lock();
|
|
idx = sector >> PAGE_SECTORS_SHIFT; /* sector to page index */
|
|
page = radix_tree_lookup(&brd->brd_pages, idx);
|
|
rcu_read_unlock();
|
|
|
|
BUG_ON(page && page->index != idx);
|
|
|
|
return page;
|
|
}
|
|
|
|
/*
|
|
* Look up and return a brd's page for a given sector.
|
|
* If one does not exist, allocate an empty page, and insert that. Then
|
|
* return it.
|
|
*/
|
|
static struct page *brd_insert_page(struct brd_device *brd, sector_t sector)
|
|
{
|
|
pgoff_t idx;
|
|
struct page *page;
|
|
gfp_t gfp_flags;
|
|
|
|
page = brd_lookup_page(brd, sector);
|
|
if (page)
|
|
return page;
|
|
|
|
/*
|
|
* Must use NOIO because we don't want to recurse back into the
|
|
* block or filesystem layers from page reclaim.
|
|
*
|
|
* Cannot support DAX and highmem, because our ->direct_access
|
|
* routine for DAX must return memory that is always addressable.
|
|
* If DAX was reworked to use pfns and kmap throughout, this
|
|
* restriction might be able to be lifted.
|
|
*/
|
|
gfp_flags = GFP_NOIO | __GFP_ZERO;
|
|
page = alloc_page(gfp_flags);
|
|
if (!page)
|
|
return NULL;
|
|
|
|
if (radix_tree_preload(GFP_NOIO)) {
|
|
__free_page(page);
|
|
return NULL;
|
|
}
|
|
|
|
spin_lock(&brd->brd_lock);
|
|
idx = sector >> PAGE_SECTORS_SHIFT;
|
|
page->index = idx;
|
|
if (radix_tree_insert(&brd->brd_pages, idx, page)) {
|
|
__free_page(page);
|
|
page = radix_tree_lookup(&brd->brd_pages, idx);
|
|
BUG_ON(!page);
|
|
BUG_ON(page->index != idx);
|
|
}
|
|
spin_unlock(&brd->brd_lock);
|
|
|
|
radix_tree_preload_end();
|
|
|
|
return page;
|
|
}
|
|
|
|
/*
|
|
* Free all backing store pages and radix tree. This must only be called when
|
|
* there are no other users of the device.
|
|
*/
|
|
#define FREE_BATCH 16
|
|
static void brd_free_pages(struct brd_device *brd)
|
|
{
|
|
unsigned long pos = 0;
|
|
struct page *pages[FREE_BATCH];
|
|
int nr_pages;
|
|
|
|
do {
|
|
int i;
|
|
|
|
nr_pages = radix_tree_gang_lookup(&brd->brd_pages,
|
|
(void **)pages, pos, FREE_BATCH);
|
|
|
|
for (i = 0; i < nr_pages; i++) {
|
|
void *ret;
|
|
|
|
BUG_ON(pages[i]->index < pos);
|
|
pos = pages[i]->index;
|
|
ret = radix_tree_delete(&brd->brd_pages, pos);
|
|
BUG_ON(!ret || ret != pages[i]);
|
|
__free_page(pages[i]);
|
|
}
|
|
|
|
pos++;
|
|
|
|
/*
|
|
* This assumes radix_tree_gang_lookup always returns as
|
|
* many pages as possible. If the radix-tree code changes,
|
|
* so will this have to.
|
|
*/
|
|
} while (nr_pages == FREE_BATCH);
|
|
}
|
|
|
|
/*
|
|
* copy_to_brd_setup must be called before copy_to_brd. It may sleep.
|
|
*/
|
|
static int copy_to_brd_setup(struct brd_device *brd, sector_t sector, size_t n)
|
|
{
|
|
unsigned int offset = (sector & (PAGE_SECTORS-1)) << SECTOR_SHIFT;
|
|
size_t copy;
|
|
|
|
copy = min_t(size_t, n, PAGE_SIZE - offset);
|
|
if (!brd_insert_page(brd, sector))
|
|
return -ENOSPC;
|
|
if (copy < n) {
|
|
sector += copy >> SECTOR_SHIFT;
|
|
if (!brd_insert_page(brd, sector))
|
|
return -ENOSPC;
|
|
}
|
|
return 0;
|
|
}
|
|
|
|
/*
|
|
* Copy n bytes from src to the brd starting at sector. Does not sleep.
|
|
*/
|
|
static void copy_to_brd(struct brd_device *brd, const void *src,
|
|
sector_t sector, size_t n)
|
|
{
|
|
struct page *page;
|
|
void *dst;
|
|
unsigned int offset = (sector & (PAGE_SECTORS-1)) << SECTOR_SHIFT;
|
|
size_t copy;
|
|
|
|
copy = min_t(size_t, n, PAGE_SIZE - offset);
|
|
page = brd_lookup_page(brd, sector);
|
|
BUG_ON(!page);
|
|
|
|
dst = kmap_atomic(page);
|
|
memcpy(dst + offset, src, copy);
|
|
kunmap_atomic(dst);
|
|
|
|
if (copy < n) {
|
|
src += copy;
|
|
sector += copy >> SECTOR_SHIFT;
|
|
copy = n - copy;
|
|
page = brd_lookup_page(brd, sector);
|
|
BUG_ON(!page);
|
|
|
|
dst = kmap_atomic(page);
|
|
memcpy(dst, src, copy);
|
|
kunmap_atomic(dst);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Copy n bytes to dst from the brd starting at sector. Does not sleep.
|
|
*/
|
|
static void copy_from_brd(void *dst, struct brd_device *brd,
|
|
sector_t sector, size_t n)
|
|
{
|
|
struct page *page;
|
|
void *src;
|
|
unsigned int offset = (sector & (PAGE_SECTORS-1)) << SECTOR_SHIFT;
|
|
size_t copy;
|
|
|
|
copy = min_t(size_t, n, PAGE_SIZE - offset);
|
|
page = brd_lookup_page(brd, sector);
|
|
if (page) {
|
|
src = kmap_atomic(page);
|
|
memcpy(dst, src + offset, copy);
|
|
kunmap_atomic(src);
|
|
} else
|
|
memset(dst, 0, copy);
|
|
|
|
if (copy < n) {
|
|
dst += copy;
|
|
sector += copy >> SECTOR_SHIFT;
|
|
copy = n - copy;
|
|
page = brd_lookup_page(brd, sector);
|
|
if (page) {
|
|
src = kmap_atomic(page);
|
|
memcpy(dst, src, copy);
|
|
kunmap_atomic(src);
|
|
} else
|
|
memset(dst, 0, copy);
|
|
}
|
|
}
|
|
|
|
/*
|
|
* Process a single bvec of a bio.
|
|
*/
|
|
static int brd_do_bvec(struct brd_device *brd, struct page *page,
|
|
unsigned int len, unsigned int off, unsigned int op,
|
|
sector_t sector)
|
|
{
|
|
void *mem;
|
|
int err = 0;
|
|
|
|
if (op_is_write(op)) {
|
|
err = copy_to_brd_setup(brd, sector, len);
|
|
if (err)
|
|
goto out;
|
|
}
|
|
|
|
mem = kmap_atomic(page);
|
|
if (!op_is_write(op)) {
|
|
copy_from_brd(mem + off, brd, sector, len);
|
|
flush_dcache_page(page);
|
|
} else {
|
|
flush_dcache_page(page);
|
|
copy_to_brd(brd, mem + off, sector, len);
|
|
}
|
|
kunmap_atomic(mem);
|
|
|
|
out:
|
|
return err;
|
|
}
|
|
|
|
static blk_qc_t brd_make_request(struct request_queue *q, struct bio *bio)
|
|
{
|
|
struct brd_device *brd = bio->bi_disk->private_data;
|
|
struct bio_vec bvec;
|
|
sector_t sector;
|
|
struct bvec_iter iter;
|
|
|
|
sector = bio->bi_iter.bi_sector;
|
|
if (bio_end_sector(bio) > get_capacity(bio->bi_disk))
|
|
goto io_error;
|
|
|
|
bio_for_each_segment(bvec, bio, iter) {
|
|
unsigned int len = bvec.bv_len;
|
|
int err;
|
|
|
|
err = brd_do_bvec(brd, bvec.bv_page, len, bvec.bv_offset,
|
|
bio_op(bio), sector);
|
|
if (err)
|
|
goto io_error;
|
|
sector += len >> SECTOR_SHIFT;
|
|
}
|
|
|
|
bio_endio(bio);
|
|
return BLK_QC_T_NONE;
|
|
io_error:
|
|
bio_io_error(bio);
|
|
return BLK_QC_T_NONE;
|
|
}
|
|
|
|
static int brd_rw_page(struct block_device *bdev, sector_t sector,
|
|
struct page *page, unsigned int op)
|
|
{
|
|
struct brd_device *brd = bdev->bd_disk->private_data;
|
|
int err;
|
|
|
|
if (PageTransHuge(page))
|
|
return -ENOTSUPP;
|
|
err = brd_do_bvec(brd, page, PAGE_SIZE, 0, op, sector);
|
|
page_endio(page, op_is_write(op), err);
|
|
return err;
|
|
}
|
|
|
|
static const struct block_device_operations brd_fops = {
|
|
.owner = THIS_MODULE,
|
|
.rw_page = brd_rw_page,
|
|
};
|
|
|
|
/*
|
|
* And now the modules code and kernel interface.
|
|
*/
|
|
static int rd_nr = CONFIG_BLK_DEV_RAM_COUNT;
|
|
module_param(rd_nr, int, 0444);
|
|
MODULE_PARM_DESC(rd_nr, "Maximum number of brd devices");
|
|
|
|
unsigned long rd_size = CONFIG_BLK_DEV_RAM_SIZE;
|
|
module_param(rd_size, ulong, 0444);
|
|
MODULE_PARM_DESC(rd_size, "Size of each RAM disk in kbytes.");
|
|
|
|
static int max_part = 1;
|
|
module_param(max_part, int, 0444);
|
|
MODULE_PARM_DESC(max_part, "Num Minors to reserve between devices");
|
|
|
|
MODULE_LICENSE("GPL");
|
|
MODULE_ALIAS_BLOCKDEV_MAJOR(RAMDISK_MAJOR);
|
|
MODULE_ALIAS("rd");
|
|
|
|
#ifndef MODULE
|
|
/* Legacy boot options - nonmodular */
|
|
static int __init ramdisk_size(char *str)
|
|
{
|
|
rd_size = simple_strtol(str, NULL, 0);
|
|
return 1;
|
|
}
|
|
__setup("ramdisk_size=", ramdisk_size);
|
|
#endif
|
|
|
|
/*
|
|
* The device scheme is derived from loop.c. Keep them in synch where possible
|
|
* (should share code eventually).
|
|
*/
|
|
static LIST_HEAD(brd_devices);
|
|
static DEFINE_MUTEX(brd_devices_mutex);
|
|
|
|
static struct brd_device *brd_alloc(int i)
|
|
{
|
|
struct brd_device *brd;
|
|
struct gendisk *disk;
|
|
|
|
brd = kzalloc(sizeof(*brd), GFP_KERNEL);
|
|
if (!brd)
|
|
goto out;
|
|
brd->brd_number = i;
|
|
spin_lock_init(&brd->brd_lock);
|
|
INIT_RADIX_TREE(&brd->brd_pages, GFP_ATOMIC);
|
|
|
|
brd->brd_queue = blk_alloc_queue(GFP_KERNEL);
|
|
if (!brd->brd_queue)
|
|
goto out_free_dev;
|
|
|
|
blk_queue_make_request(brd->brd_queue, brd_make_request);
|
|
blk_queue_max_hw_sectors(brd->brd_queue, 1024);
|
|
|
|
/* This is so fdisk will align partitions on 4k, because of
|
|
* direct_access API needing 4k alignment, returning a PFN
|
|
* (This is only a problem on very small devices <= 4M,
|
|
* otherwise fdisk will align on 1M. Regardless this call
|
|
* is harmless)
|
|
*/
|
|
blk_queue_physical_block_size(brd->brd_queue, PAGE_SIZE);
|
|
disk = brd->brd_disk = alloc_disk(max_part);
|
|
if (!disk)
|
|
goto out_free_queue;
|
|
disk->major = RAMDISK_MAJOR;
|
|
disk->first_minor = i * max_part;
|
|
disk->fops = &brd_fops;
|
|
disk->private_data = brd;
|
|
disk->flags = GENHD_FL_EXT_DEVT;
|
|
sprintf(disk->disk_name, "ram%d", i);
|
|
set_capacity(disk, rd_size * 2);
|
|
brd->brd_queue->backing_dev_info->capabilities |= BDI_CAP_SYNCHRONOUS_IO;
|
|
|
|
/* Tell the block layer that this is not a rotational device */
|
|
blk_queue_flag_set(QUEUE_FLAG_NONROT, brd->brd_queue);
|
|
blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, brd->brd_queue);
|
|
|
|
return brd;
|
|
|
|
out_free_queue:
|
|
blk_cleanup_queue(brd->brd_queue);
|
|
out_free_dev:
|
|
kfree(brd);
|
|
out:
|
|
return NULL;
|
|
}
|
|
|
|
static void brd_free(struct brd_device *brd)
|
|
{
|
|
put_disk(brd->brd_disk);
|
|
blk_cleanup_queue(brd->brd_queue);
|
|
brd_free_pages(brd);
|
|
kfree(brd);
|
|
}
|
|
|
|
static struct brd_device *brd_init_one(int i, bool *new)
|
|
{
|
|
struct brd_device *brd;
|
|
|
|
*new = false;
|
|
list_for_each_entry(brd, &brd_devices, brd_list) {
|
|
if (brd->brd_number == i)
|
|
goto out;
|
|
}
|
|
|
|
brd = brd_alloc(i);
|
|
if (brd) {
|
|
brd->brd_disk->queue = brd->brd_queue;
|
|
add_disk(brd->brd_disk);
|
|
list_add_tail(&brd->brd_list, &brd_devices);
|
|
}
|
|
*new = true;
|
|
out:
|
|
return brd;
|
|
}
|
|
|
|
static void brd_del_one(struct brd_device *brd)
|
|
{
|
|
list_del(&brd->brd_list);
|
|
del_gendisk(brd->brd_disk);
|
|
brd_free(brd);
|
|
}
|
|
|
|
static struct kobject *brd_probe(dev_t dev, int *part, void *data)
|
|
{
|
|
struct brd_device *brd;
|
|
struct kobject *kobj;
|
|
bool new;
|
|
|
|
mutex_lock(&brd_devices_mutex);
|
|
brd = brd_init_one(MINOR(dev) / max_part, &new);
|
|
kobj = brd ? get_disk_and_module(brd->brd_disk) : NULL;
|
|
mutex_unlock(&brd_devices_mutex);
|
|
|
|
if (new)
|
|
*part = 0;
|
|
|
|
return kobj;
|
|
}
|
|
|
|
static int __init brd_init(void)
|
|
{
|
|
struct brd_device *brd, *next;
|
|
int i;
|
|
|
|
/*
|
|
* brd module now has a feature to instantiate underlying device
|
|
* structure on-demand, provided that there is an access dev node.
|
|
*
|
|
* (1) if rd_nr is specified, create that many upfront. else
|
|
* it defaults to CONFIG_BLK_DEV_RAM_COUNT
|
|
* (2) User can further extend brd devices by create dev node themselves
|
|
* and have kernel automatically instantiate actual device
|
|
* on-demand. Example:
|
|
* mknod /path/devnod_name b 1 X # 1 is the rd major
|
|
* fdisk -l /path/devnod_name
|
|
* If (X / max_part) was not already created it will be created
|
|
* dynamically.
|
|
*/
|
|
|
|
if (register_blkdev(RAMDISK_MAJOR, "ramdisk"))
|
|
return -EIO;
|
|
|
|
if (unlikely(!max_part))
|
|
max_part = 1;
|
|
|
|
for (i = 0; i < rd_nr; i++) {
|
|
brd = brd_alloc(i);
|
|
if (!brd)
|
|
goto out_free;
|
|
list_add_tail(&brd->brd_list, &brd_devices);
|
|
}
|
|
|
|
/* point of no return */
|
|
|
|
list_for_each_entry(brd, &brd_devices, brd_list) {
|
|
/*
|
|
* associate with queue just before adding disk for
|
|
* avoiding to mess up failure path
|
|
*/
|
|
brd->brd_disk->queue = brd->brd_queue;
|
|
add_disk(brd->brd_disk);
|
|
}
|
|
|
|
blk_register_region(MKDEV(RAMDISK_MAJOR, 0), 1UL << MINORBITS,
|
|
THIS_MODULE, brd_probe, NULL, NULL);
|
|
|
|
pr_info("brd: module loaded\n");
|
|
return 0;
|
|
|
|
out_free:
|
|
list_for_each_entry_safe(brd, next, &brd_devices, brd_list) {
|
|
list_del(&brd->brd_list);
|
|
brd_free(brd);
|
|
}
|
|
unregister_blkdev(RAMDISK_MAJOR, "ramdisk");
|
|
|
|
pr_info("brd: module NOT loaded !!!\n");
|
|
return -ENOMEM;
|
|
}
|
|
|
|
static void __exit brd_exit(void)
|
|
{
|
|
struct brd_device *brd, *next;
|
|
|
|
list_for_each_entry_safe(brd, next, &brd_devices, brd_list)
|
|
brd_del_one(brd);
|
|
|
|
blk_unregister_region(MKDEV(RAMDISK_MAJOR, 0), 1UL << MINORBITS);
|
|
unregister_blkdev(RAMDISK_MAJOR, "ramdisk");
|
|
|
|
pr_info("brd: module unloaded\n");
|
|
}
|
|
|
|
module_init(brd_init);
|
|
module_exit(brd_exit);
|
|
|