[S390] dasd: fix race between open and offline

The dasd_open function uses the private_data pointer of the gendisk to find the dasd_block structure that matches the gendisk. When a DASD device is set offline, we set the private_data pointer of the gendisk to NULL and later remove the dasd_block structure, but there is still a small race window, in which dasd_open could first read a pointer from the private_data field and then try to use it, after the structure has already been freed. To close this race window, we will store a pointer to the dasd_devmap structure of the base device in the private_data field. The devmap entries are not deleted, and we already have proper locking and reference counting in place, so that we can safely get from a devmap pointer to the dasd_device and dasd_block structures of the device. Signed-off-by: Stefan Weinhuber <wein@de.ibm.com> Signed-off-by: Martin Schwidefsky <schwidefsky@de.ibm.com>
author: Stefan Weinhuber <wein@de.ibm.com> 2011-04-20 04:15:30 -0400
committer: Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com> 2011-04-20 04:15:43 -0400
commit: 65f8da475995f667af5298c644707dbd9d646ca6 (patch)
tree: bca8597443060e79f09a8843903bbc55b2dece52 /drivers/s390/block/dasd.c
parent: 2f666bcf757cb72549f360ef6da02f03620a48b6 (diff)
1 files changed, 22 insertions, 18 deletions
diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c
index 4d2df2f76ea0..475e603fc584 100644
--- a/drivers/s390/block/dasd.c
+++ b/drivers/s390/block/dasd.c
@@ -2314,15 +2314,14 @@ static void dasd_flush_request_queue(struct dasd_block *block)
 static int dasd_open(struct block_device *bdev, fmode_t mode)
 {
-        struct dasd_block *block = bdev->bd_disk->private_data;
        struct dasd_device *base;
        int rc;
-        if (!block)
+        base = dasd_device_from_gendisk(bdev->bd_disk);
+        if (!base)
                return -ENODEV;
-        base = block->base;
+        atomic_inc(&base->block->open_count);
-        atomic_inc(&block->open_count);
        if (test_bit(DASD_FLAG_OFFLINE, &base->flags)) {
                rc = -ENODEV;
                goto unlock;
@@ -2355,21 +2354,28 @@ static int dasd_open(struct block_device *bdev, fmode_t mode)
                goto out;
        }
+        dasd_put_device(base);
        return 0;
 out:
        module_put(base->discipline->owner);
 unlock:
-        atomic_dec(&block->open_count);
+        atomic_dec(&base->block->open_count);
+        dasd_put_device(base);
        return rc;
 }
 static int dasd_release(struct gendisk *disk, fmode_t mode)
 {
-        struct dasd_block *block = disk->private_data;
+        struct dasd_device *base;
-        atomic_dec(&block->open_count);
+        base = dasd_device_from_gendisk(disk);
-        module_put(block->base->discipline->owner);
+        if (!base)
+                return -ENODEV;
+        atomic_dec(&base->block->open_count);
+        module_put(base->discipline->owner);
+        dasd_put_device(base);
        return 0;
 }
@@ -2378,20 +2384,20 @@ static int dasd_release(struct gendisk *disk, fmode_t mode)
 */
 static int dasd_getgeo(struct block_device *bdev, struct hd_geometry *geo)
 {
-        struct dasd_block *block;
        struct dasd_device *base;
-        block = bdev->bd_disk->private_data;
+        base = dasd_device_from_gendisk(bdev->bd_disk);
-        if (!block)
+        if (!base)
                return -ENODEV;
-        base = block->base;
        if (!base->discipline ||
-            !base->discipline->fill_geometry)
+            !base->discipline->fill_geometry) {
+                dasd_put_device(base);
                return -EINVAL;
+        }
-        base->discipline->fill_geometry(block, geo);
+        base->discipline->fill_geometry(base->block, geo);
-        geo->start = get_start_sect(bdev) >> block->s2b_shift;
+        geo->start = get_start_sect(bdev) >> base->block->s2b_shift;
+        dasd_put_device(base);
        return 0;
 }
@@ -2528,7 +2534,6 @@ void dasd_generic_remove(struct ccw_device *cdev)
        dasd_set_target_state(device, DASD_STATE_NEW);
        /* dasd_delete_device destroys the device reference. */
        block = device->block;
-        device->block = NULL;
        dasd_delete_device(device);
        /*
         * life cycle of block is bound to device, so delete it after
@@ -2650,7 +2655,6 @@ int dasd_generic_set_offline(struct ccw_device *cdev)
        dasd_set_target_state(device, DASD_STATE_NEW);
        /* dasd_delete_device destroys the device reference. */
        block = device->block;
-        device->block = NULL;
        dasd_delete_device(device);
        /*
         * life cycle of block is bound to device, so delete it after
author	Stefan Weinhuber <wein@de.ibm.com>	2011-04-20 04:15:30 -0400
committer	Martin Schwidefsky <sky@mschwide.boeblingen.de.ibm.com>	2011-04-20 04:15:43 -0400
commit	65f8da475995f667af5298c644707dbd9d646ca6 (patch)
tree	bca8597443060e79f09a8843903bbc55b2dece52 /drivers/s390/block/dasd.c
parent	2f666bcf757cb72549f360ef6da02f03620a48b6 (diff)

diff --git a/drivers/s390/block/dasd.c b/drivers/s390/block/dasd.c index 4d2df2f76ea0..475e603fc584 100644 --- a/drivers/s390/block/dasd.c +++ b/drivers/s390/block/dasd.c
@@ -2314,15 +2314,14 @@ static void dasd_flush_request_queue(struct dasd_block *block)
2314		2314
2315	static int dasd_open(struct block_device *bdev, fmode_t mode)	2315	static int dasd_open(struct block_device *bdev, fmode_t mode)
2316	{	2316	{
2317	struct dasd_block *block = bdev->bd_disk->private_data;
2318	struct dasd_device *base;	2317	struct dasd_device *base;
2319	int rc;	2318	int rc;
2320		2319
2321	if (!block)	2320	base = dasd_device_from_gendisk(bdev->bd_disk);
		2321	if (!base)
2322	return -ENODEV;	2322	return -ENODEV;
2323		2323
2324	base = block->base;	2324	atomic_inc(&base->block->open_count);
2325	atomic_inc(&block->open_count);
2326	if (test_bit(DASD_FLAG_OFFLINE, &base->flags)) {	2325	if (test_bit(DASD_FLAG_OFFLINE, &base->flags)) {
2327	rc = -ENODEV;	2326	rc = -ENODEV;
2328	goto unlock;	2327	goto unlock;
@@ -2355,21 +2354,28 @@ static int dasd_open(struct block_device *bdev, fmode_t mode)
2355	goto out;	2354	goto out;
2356	}	2355	}
2357		2356
		2357	dasd_put_device(base);
2358	return 0;	2358	return 0;
2359		2359
2360	out:	2360	out:
2361	module_put(base->discipline->owner);	2361	module_put(base->discipline->owner);
2362	unlock:	2362	unlock:
2363	atomic_dec(&block->open_count);	2363	atomic_dec(&base->block->open_count);
		2364	dasd_put_device(base);
2364	return rc;	2365	return rc;
2365	}	2366	}
2366		2367
2367	static int dasd_release(struct gendisk *disk, fmode_t mode)	2368	static int dasd_release(struct gendisk *disk, fmode_t mode)
2368	{	2369	{
2369	struct dasd_block *block = disk->private_data;	2370	struct dasd_device *base;
2370		2371
2371	atomic_dec(&block->open_count);	2372	base = dasd_device_from_gendisk(disk);
2372	module_put(block->base->discipline->owner);	2373	if (!base)
		2374	return -ENODEV;
		2375
		2376	atomic_dec(&base->block->open_count);
		2377	module_put(base->discipline->owner);
		2378	dasd_put_device(base);
2373	return 0;	2379	return 0;
2374	}	2380	}
2375		2381
@@ -2378,20 +2384,20 @@ static int dasd_release(struct gendisk *disk, fmode_t mode)
2378	*/	2384	*/
2379	static int dasd_getgeo(struct block_device bdev, struct hd_geometry geo)	2385	static int dasd_getgeo(struct block_device bdev, struct hd_geometry geo)
2380	{	2386	{
2381	struct dasd_block *block;
2382	struct dasd_device *base;	2387	struct dasd_device *base;
2383		2388
2384	block = bdev->bd_disk->private_data;	2389	base = dasd_device_from_gendisk(bdev->bd_disk);
2385	if (!block)	2390	if (!base)
2386	return -ENODEV;	2391	return -ENODEV;
2387	base = block->base;
2388		2392
2389	if (!base->discipline \|\|	2393	if (!base->discipline \|\|
2390	!base->discipline->fill_geometry)	2394	!base->discipline->fill_geometry) {
		2395	dasd_put_device(base);
2391	return -EINVAL;	2396	return -EINVAL;
2392		2397	}
2393	base->discipline->fill_geometry(block, geo);	2398	base->discipline->fill_geometry(base->block, geo);
2394	geo->start = get_start_sect(bdev) >> block->s2b_shift;	2399	geo->start = get_start_sect(bdev) >> base->block->s2b_shift;
		2400	dasd_put_device(base);
2395	return 0;	2401	return 0;
2396	}	2402	}
2397		2403
@@ -2528,7 +2534,6 @@ void dasd_generic_remove(struct ccw_device *cdev)
2528	dasd_set_target_state(device, DASD_STATE_NEW);	2534	dasd_set_target_state(device, DASD_STATE_NEW);
2529	/* dasd_delete_device destroys the device reference. */	2535	/* dasd_delete_device destroys the device reference. */
2530	block = device->block;	2536	block = device->block;
2531	device->block = NULL;
2532	dasd_delete_device(device);	2537	dasd_delete_device(device);
2533	/*	2538	/*
2534	* life cycle of block is bound to device, so delete it after	2539	* life cycle of block is bound to device, so delete it after
@@ -2650,7 +2655,6 @@ int dasd_generic_set_offline(struct ccw_device *cdev)
2650	dasd_set_target_state(device, DASD_STATE_NEW);	2655	dasd_set_target_state(device, DASD_STATE_NEW);
2651	/* dasd_delete_device destroys the device reference. */	2656	/* dasd_delete_device destroys the device reference. */
2652	block = device->block;	2657	block = device->block;
2653	device->block = NULL;
2654	dasd_delete_device(device);	2658	dasd_delete_device(device);
2655	/*	2659	/*
2656	* life cycle of block is bound to device, so delete it after	2660	* life cycle of block is bound to device, so delete it after