Re: [PATCH] nbd: fix potential NULL pointer fault in connect and disconnect process
From: Josef Bacik <josef@toxicpanda.com>
Date: 2020-01-17 14:18:12
Also in:
lkml
On 1/17/20 6:50 AM, Sun Ke wrote:
Connect and disconnect a nbd device repeatedly, will cause
NULL pointer fault.
It will appear by the steps:
1. Connect the nbd device and disconnect it, but now nbd device
is not disconnected totally.
2. Connect the same nbd device again immediately, it will fail
in nbd_start_device with a EBUSY return value.
3. Wait a second to make sure the last config_refs is reduced
and run nbd_config_put to disconnect the nbd device totally.
4. Start another process to open the nbd_device, config_refs
will increase and at the same time disconnect it.
To fix it, add a NBD_HAS_STARTED flag. Set it in nbd_start_device_ioctl
and nbd_genl_connect if nbd device is started successfully.
Clear it in nbd_config_put. Test it in nbd_genl_disconnect and
nbd_genl_reconfigure.I don't doubt what you are seeing, but what exactly are we NULL pointer dereferencing? I can't quite figure it out from the steps.
quoted hunk ↗ jump to hunk
Signed-off-by: Sun Ke <redacted> --- drivers/block/nbd.c | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+)diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index b4607dd96185..ddd364e208ab 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c@@ -83,6 +83,7 @@ struct link_dead_args { #define NBD_DESTROY_ON_DISCONNECT 0 #define NBD_DISCONNECT_REQUESTED 1 +#define NBD_HAS_STARTED 2 struct nbd_config { u32 flags;@@ -1215,6 +1216,7 @@ static void nbd_config_put(struct nbd_device *nbd) nbd->disk->queue->limits.discard_alignment = 0; blk_queue_max_discard_sectors(nbd->disk->queue, UINT_MAX); blk_queue_flag_clear(QUEUE_FLAG_DISCARD, nbd->disk->queue); + clear_bit(NBD_HAS_STARTED, &nbd->flags); mutex_unlock(&nbd->config_lock); nbd_put(nbd);@@ -1290,6 +1292,8 @@ static int nbd_start_device_ioctl(struct nbd_device *nbd, struct block_device *b ret = nbd_start_device(nbd); if (ret) return ret; + else + set_bit(NBD_HAS_STARTED, &nbd->flags);
The else is superfluous here. Thanks, Josef