From: Vincent Whitchurch
Date: Tue, 23 May 2023 15:12:16 +0200
Subject: [PATCH 1/2] ubi: block: Fix use-after-free of gendisk
Message-ID: <20230523-ubiblock-remove-v1-1-240bed75849b@axis.com>
References: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
In-Reply-To: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
To: Richard Weinberger, Miquel Raynal, Vignesh Raghavendra
CC: Vincent Whitchurch
X-Mailing-List: linux-kernel@vger.kernel.org

Do not touch the gendisk after put_disk() to fix this use-after-free:

 ==================================================
 BUG: KASAN: slab-use-after-free in ubiblock_remove
 Read of size 4 by task ubiblock/361

 Call Trace:
  ubiblock_remove (drivers/mtd/ubi/block.c:459 drivers/mtd/ubi/block.c:483)
  vol_cdev_ioctl
  ...

 Allocated by task 358:
  __alloc_disk_node (block/genhd.c:1377)
  __blk_mq_alloc_disk (block/blk-mq.c:4093)
  ubiblock_create (drivers/mtd/ubi/block.c:397)
  vol_cdev_ioctl
  ...

 Freed by task 0:
  bdev_free_inode (block/bdev.c:337)
  i_callback
  rcu_core
  __do_softirq
  ...

Signed-off-by: Vincent Whitchurch
---
 drivers/mtd/ubi/block.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 3711d7f74600..70caec4606cd 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c
@@ -448,13 +448,15 @@ int ubiblock_create(struct ubi_volume_info *vi) =20 static void ubiblock_cleanup(struct ubiblock *dev) { + int first_minor =3D dev->gd->first_minor; + /* Stop new requests to arrive */ del_gendisk(dev->gd); /* Finally destroy the blk queue */ dev_info(disk_to_dev(dev->gd), "released"); put_disk(dev->gd); blk_mq_free_tag_set(&dev->tag_set); - idr_remove(&ubiblock_minor_idr, dev->gd->first_minor); + idr_remove(&ubiblock_minor_idr, first_minor); } =20 int ubiblock_remove(struct ubi_volume_info *vi) --=20 2.34.1
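Review bot: In ubiblock_cleanup() (patch 1/2), the new first_minor local is read before del_gendisk() with no comment saying that dev->gd may already be freed once put_disk() returns, so a later tidy-up could fold it back into the idr_remove() call and bring the use-after-free back. Suggest a one-line comment above the declaration stating that the gendisk must not be dereferenced after put_disk(). The commit message quotes the KASAN report but carries no Fixes: tag naming the commit that introduced the late dev->gd->first_minor read; adding one would let stable trees pick the fix up.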
From: Vincent Whitchurch
Date: Tue, 23 May 2023 15:12:17 +0200
Subject: [PATCH 2/2] ubi: block: Fix deadlock on remove
Message-ID: <20230523-ubiblock-remove-v1-2-240bed75849b@axis.com>
References: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
In-Reply-To: <20230523-ubiblock-remove-v1-0-240bed75849b@axis.com>
To: Richard Weinberger, Miquel Raynal, Vignesh Raghavendra
CC: Vincent Whitchurch
X-Mailing-List: linux-kernel@vger.kernel.org

Lockdep warns about possible circular locking when the following
commands are run:

 ubiblock --create /dev/ubi0_0
 head -c1 /dev/ubiblock0_0 > /dev/null
 ubiblock --remove /dev/ubi0_0

 ======================================================
 WARNING: possible circular locking dependency detected
 ubiblock/364 is trying to acquire lock:
 (&disk->open_mutex){+.+.}-{3:3}, at: del_gendisk (block/genhd.c:616)

 but task is already holding lock:
 (&dev->dev_mutex){+.+.}-{3:3}, at: ubiblock_remove (drivers/mtd/ubi/block.c:476)

 which lock already depends on the new lock.

 the existing dependency chain (in reverse order) is:

 -> #1 (&dev->dev_mutex){+.+.}-{3:3}:
        ubiblock_open (drivers/mtd/ubi/block.c:236)
        blkdev_get_whole (block/bdev.c:607)
        blkdev_get_by_dev (block/bdev.c:756)
        blkdev_open (block/fops.c:493)
        ...
        do_sys_openat2 (fs/open.c:1356)

 -> #0 (&disk->open_mutex){+.+.}-{3:3}:
        del_gendisk (block/genhd.c:616)
        ubiblock_remove (drivers/mtd/ubi/block.c:456 drivers/mtd/ubi/block.c:483)
        vol_cdev_ioctl
        ...
 other info that might help us debug this:

  Possible unsafe locking scenario:

        CPU0                    CPU1
        ----                    ----
   lock(&dev->dev_mutex);
                                lock(&disk->open_mutex);
                                lock(&dev->dev_mutex);
   lock(&disk->open_mutex);

  *** DEADLOCK ***

 Call Trace:
  del_gendisk (block/genhd.c:616)
  ubiblock_remove (drivers/mtd/ubi/block.c:456 drivers/mtd/ubi/block.c:483)
  vol_cdev_ioctl
  ...

The actual deadlock is also easily reproducible by running the above
commands in parallel in a loop.

Fix this by marking the device as going away and releasing the dev mutex
before del_gendisk(). This is similar to other drivers such as
drivers/block/zram/zram_drv.c.

Signed-off-by: Vincent Whitchurch
---
 drivers/mtd/ubi/block.c | 16 +++++++++++++++-
 1 file changed, 15 insertions(+), 1 deletion(-)

diff --git a/drivers/mtd/ubi/block.c b/drivers/mtd/ubi/block.c index 70caec4606cd..fcfea7cfdb6b 100644 --- a/drivers/mtd/ubi/block.c +++ b/drivers/mtd/ubi/block.c @@ -83,6 +83,8 @@ struct ubiblock { struct mutex dev_mutex; struct list_head list; struct blk_mq_tag_set tag_set; + + bool removing; }; =20 /* Linked list of all ubiblock instances */ @@ -233,6 +235,11 @@ static int ubiblock_open(struct block_device *bdev, fm= ode_t mode) int ret; =20 mutex_lock(&dev->dev_mutex); + if (dev->removing) { + ret =3D -ENODEV; + goto out_unlock; + } + if (dev->refcnt > 0) { /* * The volume is already open, just increase the reference @@ -480,8 +487,15 @@ int ubiblock_remove(struct ubi_volume_info *vi) =20 /* Remove from device list */ list_del(&dev->list); - ubiblock_cleanup(dev); + + /* + * Prevent further opens. del_gendisk() will ensure that there are no + * parallel openers. + */ + dev->removing =3D true; mutex_unlock(&dev->dev_mutex); + + ubiblock_cleanup(dev); mutex_unlock(&devices_mutex); =20 kfree(dev); --=20 2.34.1
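Review bot: In the struct ubiblock hunk (patch 2/2), the new removing field has no comment saying which lock protects it. It is written in ubiblock_remove() and tested in ubiblock_open() with dev_mutex held in both places, so a short note on the field that it is protected by dev_mutex would stop a later caller from testing it unlocked. In the ubiblock_open() hunk the new branch jumps to out_unlock, which lies outside the visible context; please confirm that label only drops dev_mutex and returns ret, so the -ENODEV path cannot touch refcnt.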
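Review bot: In the ubiblock_remove() hunk (patch 2/2), ubiblock_cleanup() and with it del_gendisk() now run after mutex_unlock(&dev->dev_mutex) but still before mutex_unlock(&devices_mutex), so disk->open_mutex is still acquired with devices_mutex held. The lockdep report in the commit message covers only dev_mutex against disk->open_mutex; please confirm that nothing reachable from the open path takes devices_mutex, otherwise the same inversion remains with a different lock. The new comment could also say that dev_mutex is dropped here specifically because del_gendisk() takes disk->open_mutex, since that ordering is the reason for the change.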