// SPDX-License-Identifier: GPL-2.0-or-later
/*
 * Network block device - make block devices work over TCP
 *
 * Note that you can not swap over this thing, yet. Seems to work but
 * deadlocks sometimes - you can not swap over TCP in general.
 *
 * Copyright 1997-2000, 2008 Pavel Machek <pavel@ucw.cz>
 * Parts copyright 2001 Steven Whitehouse <steve@chygwyn.com>
 *
 * (part of code stolen from loop.c)
 */

#include <linux/major.h>

#include <linux/blkdev.h>
#include <linux/module.h>
#include <linux/init.h>
#include <linux/sched.h>
#include <linux/sched/mm.h>
#include <linux/fs.h>
#include <linux/bio.h>
#include <linux/stat.h>
#include <linux/errno.h>
#include <linux/file.h>
#include <linux/ioctl.h>
#include <linux/mutex.h>
#include <linux/compiler.h>
#include <linux/completion.h>
#include <linux/err.h>
#include <linux/kernel.h>
include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h
percpu.h is included by sched.h and module.h and thus ends up being
included when building most .c files. percpu.h includes slab.h which
in turn includes gfp.h making everything defined by the two files
universally available and complicating inclusion dependencies.
percpu.h -> slab.h dependency is about to be removed. Prepare for
this change by updating users of gfp and slab facilities to include those
headers directly instead of assuming availability. As this conversion
needs to touch large number of source files, the following script is
used as the basis of conversion.
http://userweb.kernel.org/~tj/misc/slabh-sweep.py
The script does the following.
* Scan files for gfp and slab usages and update includes such that
only the necessary includes are there. ie. if only gfp is used,
gfp.h, if slab is used, slab.h.
* When the script inserts a new include, it looks at the include
blocks and tries to put the new include such that its order conforms
to its surrounding. It's put in the include block which contains
core kernel includes, in the same order that the rest are ordered -
alphabetical, Christmas tree, rev-Xmas-tree or at the end if there
doesn't seem to be any matching order.
* If the script can't find a place to put a new include (mostly
because the file doesn't have fitting include block), it prints out
an error message indicating which .h file needs to be added to the
file.
The conversion was done in the following steps.
1. The initial automatic conversion of all .c files updated slightly
over 4000 files, deleting around 700 includes and adding ~480 gfp.h
and ~3000 slab.h inclusions. The script emitted errors for ~400
files.
2. Each error was manually checked. Some didn't need the inclusion,
some needed manual addition while adding it to implementation .h or
embedding .c file was more appropriate for others. This step added
inclusions to around 150 files.
3. The script was run again and the output was compared to the edits
from #2 to make sure no file was left behind.
4. Several build tests were done and a couple of problems were fixed.
e.g. lib/decompress_*.c used malloc/free() wrappers around slab
APIs requiring slab.h to be added manually.
5. The script was run on all .h files but without automatically
editing them as sprinkling gfp.h and slab.h inclusions around .h
files could easily lead to inclusion dependency hell. Most gfp.h
inclusion directives were ignored as stuff from gfp.h was usually
wildly available and often used in preprocessor macros. Each
slab.h inclusion directive was examined and added manually as
necessary.
6. percpu.h was updated not to include slab.h.
7. Build tests were done on the following configurations and failures
were fixed. CONFIG_GCOV_KERNEL was turned off for all tests (as my
distributed build env didn't work with gcov compiles) and a few
more options had to be turned off depending on archs to make things
build (like ipr on powerpc/64 which failed due to missing writeq).
* x86 and x86_64 UP and SMP allmodconfig and a custom test config.
* powerpc and powerpc64 SMP allmodconfig
* sparc and sparc64 SMP allmodconfig
* ia64 SMP allmodconfig
* s390 SMP allmodconfig
* alpha SMP allmodconfig
* um on x86_64 SMP allmodconfig
8. percpu.h modifications were reverted so that it could be applied as
a separate patch and serve as bisection point.
Given the fact that I had only a couple of failures from tests on step
6, I'm fairly confident about the coverage of this conversion patch.
If there is a breakage, it's likely to be something in one of the arch
headers which should be easily discoverable on most builds of
the specific arch.
Signed-off-by: Tejun Heo <tj@kernel.org>
Guess-its-ok-by: Christoph Lameter <cl@linux-foundation.org>
Cc: Ingo Molnar <mingo@redhat.com>
Cc: Lee Schermerhorn <Lee.Schermerhorn@hp.com>
2010-03-24 17:04:11 +09:00
#include <linux/slab.h>
#include <net/sock.h>
#include <linux/net.h>
#include <linux/kthread.h>
#include <linux/types.h>
#include <linux/debugfs.h>
#include <linux/blk-mq.h>

#include <linux/uaccess.h>
#include <asm/types.h>

#include <linux/nbd.h>
#include <linux/nbd-netlink.h>
#include <net/genetlink.h>

#define CREATE_TRACE_POINTS
#include <trace/events/nbd.h>

static DEFINE_IDR(nbd_index_idr);
static DEFINE_MUTEX(nbd_index_mutex);
nbd: do del_gendisk() asynchronously for NBD_DESTROY_ON_DISCONNECT

Now open_mutex is used to synchronize partition operations (e.g,
blk_drop_partitions() and blkdev_reread_part()), however it makes
nbd driver broken, because nbd may call del_gendisk() in nbd_release()
or nbd_genl_disconnect() if NBD_CFLAG_DESTROY_ON_DISCONNECT is enabled,
and deadlock occurs, as shown below:

// AB-BA dead-lock
nbd_genl_disconnect            blkdev_open
  nbd_disconnect_and_put
                                 lock bd_mutex
  // last ref
  nbd_put
    lock nbd_index_mutex
      del_gendisk
                                 nbd_open
                                   try lock nbd_index_mutex
        try lock bd_mutex

 or

// AA dead-lock
nbd_release
  lock bd_mutex
    nbd_put
      try lock bd_mutex

Instead of fixing block layer (e.g, introduce another lock), fixing
the nbd driver to call del_gendisk() in a kworker when
NBD_DESTROY_ON_DISCONNECT is enabled. When NBD_DESTROY_ON_DISCONNECT
is disabled, nbd device will always be destroyed through module removal,
and there is no risk of deadlock.

To ensure the reuse of nbd index succeeds, moving the calling of
idr_remove() after del_gendisk(), so if the reused index is not found
in nbd_index_idr, the old disk must have been deleted. And reusing
the existing destroy_complete mechanism to ensure nbd_genl_connect()
will wait for the completion of del_gendisk().

Also adding a new workqueue for nbd removal, so nbd_cleanup()
can ensure all removals complete before exits.

Reported-by: syzbot+0fe7752e52337864d29b@syzkaller.appspotmail.com
Fixes: c76f48eb5c08 ("block: take bd_mutex around delete_partitions in del_gendisk")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210811124428.2368491-2-hch@lst.de
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-08-11 14:44:23 +02:00
static struct workqueue_struct *nbd_del_wq;
static int nbd_total_devices = 0;

struct nbd_sock {
	struct socket *sock;
	struct mutex tx_lock;
	struct request *pending;
	int sent;
	bool dead;
	int fallback_index;
	int cookie;
};

struct recv_thread_args {
	struct work_struct work;
	struct nbd_device *nbd;
	int index;
};

struct link_dead_args {
	struct work_struct work;
	int index;
};

#define NBD_RT_TIMEDOUT			0
#define NBD_RT_DISCONNECT_REQUESTED	1
#define NBD_RT_DISCONNECTED		2
#define NBD_RT_HAS_PID_FILE		3
#define NBD_RT_HAS_CONFIG_REF		4
#define NBD_RT_BOUND			5
#define NBD_RT_DISCONNECT_ON_CLOSE	6
nbd: provide a way for userspace processes to identify device backends

Problem:
On reconfigure of device, there is no way to defend if the backend
storage is matching with the initial backend storage.

Say, if an initial connect request for backend "pool1/image1" got
mapped to /dev/nbd0 and the userspace process is terminated. A next
reconfigure request within NBD_ATTR_DEAD_CONN_TIMEOUT is allowed to
use /dev/nbd0 for a different backend "pool1/image2"

For example, an operation like below could be dangerous:

  $ sudo rbd-nbd map --try-netlink rbd-pool/ext4-image
  /dev/nbd0
  $ sudo blkid /dev/nbd0
  /dev/nbd0: UUID="bfc444b4-64b1-418f-8b36-6e0d170cfc04" TYPE="ext4"
  $ sudo pkill -9 rbd-nbd
  $ sudo rbd-nbd attach --try-netlink --device /dev/nbd0 rbd-pool/xfs-image
  /dev/nbd0
  $ sudo blkid /dev/nbd0
  /dev/nbd0: UUID="d29bf343-6570-4069-a9ea-2fa156ced908" TYPE="xfs"

Solution:
Provide a way for userspace processes to keep some metadata to identify
between the device and the backend, so that when a reconfigure request is
made, we can compare and avoid such dangerous operations.

With this solution, as part of the initial connect request, backend
path can be stored in the sysfs per device config, so that on a reconfigure
request it's easy to check if the backend path matches with the initial
connect backend path.

Please note, ioctl interface to nbd will not have these changes, as there
won't be any reconfigure.

Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210429102828.31248-1-prasanna.kalever@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-04-29 15:58:28 +05:30
#define NBD_RT_HAS_BACKEND_FILE		7

#define NBD_DESTROY_ON_DISCONNECT	0
#define NBD_DISCONNECT_REQUESTED	1

struct nbd_config {
	u32 flags;
	unsigned long runtime_flags;
	u64 dead_conn_timeout;

	struct nbd_sock **socks;
	int num_connections;
	atomic_t live_connections;
	wait_queue_head_t conn_wait;

	atomic_t recv_threads;
	wait_queue_head_t recv_wq;
	loff_t blksize;
	loff_t bytesize;
#if IS_ENABLED(CONFIG_DEBUG_FS)
	struct dentry *dbg_dir;
#endif
};

struct nbd_device {
	struct blk_mq_tag_set tag_set;

	int index;
	refcount_t config_refs;
	refcount_t refs;
	struct nbd_config *config;
	struct mutex config_lock;
	struct gendisk *disk;
	struct workqueue_struct *recv_workq;
	struct work_struct remove_work;

	struct list_head list;
	struct task_struct *task_recv;
	struct task_struct *task_setup;

	unsigned long flags;
	char *backend;
};

#define NBD_CMD_REQUEUED	1

struct nbd_cmd {
	struct nbd_device *nbd;
	struct mutex lock;
	int index;
	int cookie;
	int retries;
	blk_status_t status;
	unsigned long flags;
	u32 cmd_cookie;
};

#if IS_ENABLED(CONFIG_DEBUG_FS)
static struct dentry *nbd_dbg_dir;
#endif

#define nbd_name(nbd) ((nbd)->disk->disk_name)

#define NBD_MAGIC 0x68797548

#define NBD_DEF_BLKSIZE 1024

static unsigned int nbds_max = 16;
static int max_part = 16;
static int part_shift;

static int nbd_dev_dbg_init(struct nbd_device *nbd);
static void nbd_dev_dbg_close(struct nbd_device *nbd);
static void nbd_config_put(struct nbd_device *nbd);
static void nbd_connect_reply(struct genl_info *info, int index);
static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info);
static void nbd_dead_link_work(struct work_struct *work);
static void nbd_disconnect_and_put(struct nbd_device *nbd);

static inline struct device *nbd_to_dev(struct nbd_device *nbd)
{
	return disk_to_dev(nbd->disk);
}

static void nbd_requeue_cmd(struct nbd_cmd *cmd)
{
	struct request *req = blk_mq_rq_from_pdu(cmd);

	if (!test_and_set_bit(NBD_CMD_REQUEUED, &cmd->flags))
		blk_mq_requeue_request(req, true);
}

#define NBD_COOKIE_BITS 32

static u64 nbd_cmd_handle(struct nbd_cmd *cmd)
{
	struct request *req = blk_mq_rq_from_pdu(cmd);
	u32 tag = blk_mq_unique_tag(req);
	u64 cookie = cmd->cmd_cookie;

	return (cookie << NBD_COOKIE_BITS) | tag;
}

static u32 nbd_handle_to_tag(u64 handle)
{
	return (u32)handle;
}

static u32 nbd_handle_to_cookie(u64 handle)
{
	return (u32)(handle >> NBD_COOKIE_BITS);
}

static const char *nbdcmd_to_ascii(int cmd)
{
	switch (cmd) {
	case NBD_CMD_READ: return "read";
	case NBD_CMD_WRITE: return "write";
	case NBD_CMD_DISC: return "disconnect";
nbd: support FLUSH requests
Currently, the NBD device does not accept flush requests from the Linux
block layer. If the NBD server opened the target with neither O_SYNC nor
O_DSYNC, however, the device will be effectively backed by a writeback
cache. Without issuing flushes properly, operation of the NBD device will
not be safe against power losses.
The NBD protocol has support for both a cache flush command and a FUA
command flag; the server will also pass a flag to note its support for
these features. This patch adds support for the cache flush command and
flag. In the kernel, we receive the flags via the NBD_SET_FLAGS ioctl,
and map NBD_FLAG_SEND_FLUSH to the argument of blk_queue_flush. When the
flag is active the block layer will send REQ_FLUSH requests, which we
translate to NBD_CMD_FLUSH commands.
FUA support is not included in this patch because all free software
servers implement it with a full fdatasync; thus it has no advantage over
supporting flush only. Because I [Paolo] cannot really benchmark it in a
realistic scenario, I cannot tell if it is a good idea or not. It is also
not clear if it is valid for an NBD server to support FUA but not flush.
The Linux block layer gives a warning for this combination, the NBD
protocol documentation says nothing about it.
The patch also fixes a small problem in the handling of flags: nbd->flags
must be cleared at the end of NBD_DO_IT, but the driver was not doing
that. The bug manifests itself as follows. Suppose you have two different
client/server pairs to start the NBD device. Suppose also that the first
client supports NBD_SET_FLAGS, and the first server sends
NBD_FLAG_SEND_FLUSH; the second pair instead does neither of these two
things. Before this patch, the second invocation of NBD_DO_IT will use a
stale value of nbd->flags, and the second server will issue an error every
time it receives an NBD_CMD_FLUSH command.
This bug is pre-existing, but it becomes much more important after this
patch; flush failures make the device pretty much unusable, unlike
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Alex Bligh <alex@alex.org.uk>
Acked-by: Paul Clements <Paul.Clements@steeleye.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 17:05:23 -08:00
	case NBD_CMD_FLUSH: return "flush";
	case NBD_CMD_TRIM: return "trim/discard";
	}
	return "invalid";
}

static ssize_t pid_show(struct device *dev,
			struct device_attribute *attr, char *buf)
{
	struct gendisk *disk = dev_to_disk(dev);
	struct nbd_device *nbd = (struct nbd_device *)disk->private_data;

	return sprintf(buf, "%d\n", task_pid_nr(nbd->task_recv));
}

static const struct device_attribute pid_attr = {
	.attr = { .name = "pid", .mode = 0444 },
	.show = pid_show,
};

static ssize_t backend_show(struct device *dev,
			    struct device_attribute *attr, char *buf)
{
	struct gendisk *disk = dev_to_disk(dev);
	struct nbd_device *nbd = (struct nbd_device *)disk->private_data;

	return sprintf(buf, "%s\n", nbd->backend ?: "");
}

static const struct device_attribute backend_attr = {
	.attr = { .name = "backend", .mode = 0444 },
	.show = backend_show,
};
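
A userspace-side check built on the "backend" attribute shown above, for the re-attach scenario in the "identify device backends" commit message. This is an added example, not code from nbd.c or from rbd-nbd: the function names are hypothetical, the attribute is assumed to appear as <sysfs_root>/<dev>/backend with sysfs_root normally /sys/block, and the sample backend strings are constructed from the transcript in that commit message.

```c
/* Added example (userspace), not part of nbd.c. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum backend_state {
	BACKEND_MATCH,		/* device still maps the backend we expect */
	BACKEND_MISMATCH,	/* device was bound to a different backend */
	BACKEND_UNSET,		/* attribute present but empty: nothing recorded */
	BACKEND_UNKNOWN,	/* attribute unreadable (old kernel, ioctl setup) */
};

/* Compare the raw attribute text with the backend the caller expects. */
static enum backend_state classify_backend(const char *attr,
					   const char *expected)
{
	/* backend_show() terminates the value with '\n'; ignore it. */
	size_t len = strcspn(attr, "\n");

	if (len == 0)
		return BACKEND_UNSET;
	/* Compare lengths first so a prefix never counts as a match. */
	if (strlen(expected) == len && memcmp(attr, expected, len) == 0)
		return BACKEND_MATCH;
	return BACKEND_MISMATCH;
}

/* Read <sysfs_root>/<dev>/backend (assumed layout) and classify it. */
static enum backend_state nbd_backend_state(const char *sysfs_root,
					    const char *dev,
					    const char *expected)
{
	char path[512], attr[4096 + 1];
	size_t n;
	FILE *f;
	int r;

	/* The device name must be a single path component such as "nbd0". */
	if (dev[0] == '\0' || dev[0] == '.' || strchr(dev, '/'))
		return BACKEND_UNKNOWN;
	r = snprintf(path, sizeof(path), "%s/%s/backend", sysfs_root, dev);
	if (r < 0 || (size_t)r >= sizeof(path))
		return BACKEND_UNKNOWN;
	f = fopen(path, "r");
	if (!f)
		return BACKEND_UNKNOWN;
	n = fread(attr, 1, sizeof(attr) - 1, f);
	fclose(f);
	attr[n] = '\0';
	return classify_backend(attr, expected);
}

/* Policy: re-attach only when the recorded backend provably matches. */
static int safe_to_reattach(enum backend_state s)
{
	return s == BACKEND_MATCH;
}

int main(void)
{
	/* Constructed attribute contents, named after the commit's transcript. */
	const char *recorded = "rbd-pool/ext4-image\n";

	printf("same image:      reattach=%d\n",
	       safe_to_reattach(classify_backend(recorded,
						 "rbd-pool/ext4-image")));
	printf("different image: reattach=%d\n",
	       safe_to_reattach(classify_backend(recorded,
						 "rbd-pool/xfs-image")));
	printf("live nbd0:       state=%d\n",
	       nbd_backend_state("/sys/block", "nbd0", "rbd-pool/ext4-image"));
	return 0;
}
```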

static void nbd_dev_remove(struct nbd_device *nbd)
{
	struct gendisk *disk = nbd->disk;

	del_gendisk(disk);
	blk_cleanup_disk(disk);
	blk_mq_free_tag_set(&nbd->tag_set);

	/*
	 * Remove from idr after del_gendisk() completes, so if the same ID is
	 * reused, the following add_disk() will succeed.
	 */
	mutex_lock(&nbd_index_mutex);
	idr_remove(&nbd_index_idr, nbd->index);
	mutex_unlock(&nbd_index_mutex);

	kfree(nbd);
}

static void nbd_dev_remove_work(struct work_struct *work)
{
	nbd_dev_remove(container_of(work, struct nbd_device, remove_work));
}

static void nbd_put(struct nbd_device *nbd)
{
	if (!refcount_dec_and_test(&nbd->refs))
		return;

	/* Call del_gendisk() asynchronously to prevent deadlock */
	if (test_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags))
		queue_work(nbd_del_wq, &nbd->remove_work);
	else
		nbd_dev_remove(nbd);
}
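
The lock ordering from the del_gendisk() commit message, replayed through a small lock-order checker. This is an added example, not code from nbd.c: the per-path acquire/release sequences are constructed from the traces in that commit message and from the order of calls in nbd_dev_remove(), and every identifier in it is hypothetical.

```c
/* Added example (userspace), not part of nbd.c. All names are hypothetical. */
#include <stdio.h>
#include <string.h>

enum { BD_MUTEX, NBD_INDEX_MUTEX, NLOCKS };
enum op { ACQ, REL };
struct step { enum op op; int lock; };

/* edge[a][b] != 0 means "lock b was requested while lock a was held". */
struct lock_graph { unsigned char edge[NLOCKS][NLOCKS]; };

#define ARRAY_LEN(a) (sizeof(a) / sizeof((a)[0]))

/* Replay one call path and record every held -> requested ordering. */
static void record_path(struct lock_graph *g, const struct step *p, size_t n)
{
	int held[16], nheld = 0, j;
	size_t i;

	for (i = 0; i < n; i++) {
		if (p[i].op == ACQ) {
			for (j = 0; j < nheld; j++)
				g->edge[held[j]][p[i].lock] = 1;
			if (nheld < 16)
				held[nheld++] = p[i].lock;
			continue;
		}
		for (j = nheld - 1; j >= 0; j--) {
			if (held[j] == p[i].lock) {
				held[j] = held[--nheld];
				break;
			}
		}
	}
}

/* A cycle in the ordering graph (including a self-loop) can deadlock. */
static int has_cycle(const struct lock_graph *g)
{
	unsigned char reach[NLOCKS][NLOCKS];
	int i, j, k;

	memcpy(reach, g->edge, sizeof(reach));
	for (k = 0; k < NLOCKS; k++)
		for (i = 0; i < NLOCKS; i++)
			for (j = 0; j < NLOCKS; j++)
				if (reach[i][k] && reach[k][j])
					reach[i][j] = 1;
	for (i = 0; i < NLOCKS; i++)
		if (reach[i][i])
			return 1;
	return 0;
}

/* blkdev_open -> nbd_open (same before and after the fix) */
static const struct step open_path[] = {
	{ ACQ, BD_MUTEX }, { ACQ, NBD_INDEX_MUTEX },
	{ REL, NBD_INDEX_MUTEX }, { REL, BD_MUTEX },
};
/* before: nbd_genl_disconnect -> nbd_put -> del_gendisk */
static const struct step old_disconnect[] = {
	{ ACQ, NBD_INDEX_MUTEX }, { ACQ, BD_MUTEX },
	{ REL, BD_MUTEX }, { REL, NBD_INDEX_MUTEX },
};
/* before: nbd_release (bd_mutex held) -> nbd_put -> del_gendisk */
static const struct step old_release[] = {
	{ ACQ, BD_MUTEX }, { ACQ, BD_MUTEX },
	{ REL, BD_MUTEX }, { REL, BD_MUTEX },
};
/* after: nbd_release only queues remove_work while bd_mutex is held */
static const struct step new_release[] = {
	{ ACQ, BD_MUTEX }, { REL, BD_MUTEX },
};
/* after: worker runs del_gendisk() first, then takes nbd_index_mutex */
static const struct step new_worker[] = {
	{ ACQ, BD_MUTEX }, { REL, BD_MUTEX },
	{ ACQ, NBD_INDEX_MUTEX }, { REL, NBD_INDEX_MUTEX },
};

static int abba_before_fix(void)
{
	struct lock_graph g;

	memset(&g, 0, sizeof(g));
	record_path(&g, open_path, ARRAY_LEN(open_path));
	record_path(&g, old_disconnect, ARRAY_LEN(old_disconnect));
	return has_cycle(&g);
}

static int aa_before_fix(void)
{
	struct lock_graph g;

	memset(&g, 0, sizeof(g));
	record_path(&g, old_release, ARRAY_LEN(old_release));
	return has_cycle(&g);
}

static int cycle_after_fix(void)
{
	struct lock_graph g;

	memset(&g, 0, sizeof(g));
	record_path(&g, open_path, ARRAY_LEN(open_path));
	record_path(&g, new_release, ARRAY_LEN(new_release));
	record_path(&g, new_worker, ARRAY_LEN(new_worker));
	return has_cycle(&g);
}

int main(void)
{
	printf("AB-BA before fix: %d\n", abba_before_fix());
	printf("AA before fix:    %d\n", aa_before_fix());
	printf("after fix:        %d\n", cycle_after_fix());
	return 0;
}
```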
2017-04-06 17:02:02 -04:00
static int nbd_disconnected ( struct nbd_config * config )
{
2019-09-17 17:26:05 +05:30
return test_bit ( NBD_RT_DISCONNECTED , & config - > runtime_flags ) | |
test_bit ( NBD_RT_DISCONNECT_REQUESTED , & config - > runtime_flags ) ;
2017-04-06 17:02:02 -04:00
}
static void nbd_mark_nsock_dead ( struct nbd_device * nbd , struct nbd_sock * nsock ,
int notify )
2017-04-06 17:01:57 -04:00
{
2017-04-06 17:02:02 -04:00
if ( ! nsock - > dead & & notify & & ! nbd_disconnected ( nbd - > config ) ) {
struct link_dead_args * args ;
args = kmalloc ( sizeof ( struct link_dead_args ) , GFP_NOIO ) ;
if ( args ) {
INIT_WORK ( & args - > work , nbd_dead_link_work ) ;
args - > index = nbd - > index ;
queue_work ( system_wq , & args - > work ) ;
}
}
2017-04-06 17:02:04 -04:00
if ( ! nsock - > dead ) {
2017-04-06 17:01:57 -04:00
kernel_sock_shutdown ( nsock - > sock , SHUT_RDWR ) ;
2018-05-30 10:45:11 -06:00
if ( atomic_dec_return ( & nbd - > config - > live_connections ) = = 0 ) {
2019-09-17 17:26:05 +05:30
if ( test_and_clear_bit ( NBD_RT_DISCONNECT_REQUESTED ,
2018-05-30 10:45:11 -06:00
& nbd - > config - > runtime_flags ) ) {
2019-09-17 17:26:05 +05:30
set_bit ( NBD_RT_DISCONNECTED ,
2018-05-30 10:45:11 -06:00
& nbd - > config - > runtime_flags ) ;
dev_info ( nbd_to_dev ( nbd ) ,
" Disconnected due to user request. \n " ) ;
}
}
2017-04-06 17:02:04 -04:00
}
2017-04-06 17:01:57 -04:00
nsock - > dead = true ;
nsock - > pending = NULL ;
nsock - > sent = 0 ;
}
2017-04-06 17:01:59 -04:00
static void nbd_size_clear ( struct nbd_device * nbd )
2015-07-27 07:36:49 +02:00
{
2017-04-06 17:01:58 -04:00
if ( nbd - > config - > bytesize ) {
set_capacity ( nbd - > disk , 0 ) ;
kobject_uevent ( & nbd_to_dev ( nbd ) - > kobj , KOBJ_CHANGE ) ;
}
2015-07-27 07:36:49 +02:00
}

static int nbd_set_size(struct nbd_device *nbd, loff_t bytesize,
		loff_t blksize)
{
	if (!blksize)
		blksize = NBD_DEF_BLKSIZE;
	if (blksize < 512 || blksize > PAGE_SIZE || !is_power_of_2(blksize))
		return -EINVAL;

	nbd->config->bytesize = bytesize;
	nbd->config->blksize = blksize;

	if (!nbd->task_recv)
		return 0;

	if (nbd->config->flags & NBD_FLAG_SEND_TRIM) {
		nbd->disk->queue->limits.discard_granularity = blksize;
		nbd->disk->queue->limits.discard_alignment = blksize;
		blk_queue_max_discard_sectors(nbd->disk->queue, UINT_MAX);
	}
	blk_queue_logical_block_size(nbd->disk->queue, blksize);
	blk_queue_physical_block_size(nbd->disk->queue, blksize);

	if (max_part)
		set_bit(GD_NEED_PART_SCAN, &nbd->disk->state);
	if (!set_capacity_and_notify(nbd->disk, bytesize >> 9))
		kobject_uevent(&nbd_to_dev(nbd)->kobj, KOBJ_CHANGE);
	return 0;
}

static void nbd_complete_rq(struct request *req)
{
	struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);

	dev_dbg(nbd_to_dev(cmd->nbd), "request %p: %s\n", req,
		cmd->status ? "failed" : "done");

	blk_mq_end_request(req, cmd->status);
}

/*
 * Forcibly shutdown the socket causing all listeners to error
 */
static void sock_shutdown(struct nbd_device *nbd)
{
	struct nbd_config *config = nbd->config;
	int i;

	if (config->num_connections == 0)
		return;
	if (test_and_set_bit(NBD_RT_DISCONNECTED, &config->runtime_flags))
		return;

	for (i = 0; i < config->num_connections; i++) {
		struct nbd_sock *nsock = config->socks[i];
		mutex_lock(&nsock->tx_lock);
		nbd_mark_nsock_dead(nbd, nsock, 0);
		mutex_unlock(&nsock->tx_lock);
	}
	dev_warn(disk_to_dev(nbd->disk), "shutting down sockets\n");
}

static u32 req_to_nbd_cmd_type(struct request *req)
{
	switch (req_op(req)) {
	case REQ_OP_DISCARD:
		return NBD_CMD_TRIM;
	case REQ_OP_FLUSH:
		return NBD_CMD_FLUSH;
	case REQ_OP_WRITE:
		return NBD_CMD_WRITE;
	case REQ_OP_READ:
		return NBD_CMD_READ;
	default:
		return U32_MAX;
	}
}

static enum blk_eh_timer_return nbd_xmit_timeout(struct request *req,
						 bool reserved)
{
	struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);
	struct nbd_device *nbd = cmd->nbd;
	struct nbd_config *config;

	if (!mutex_trylock(&cmd->lock))
		return BLK_EH_RESET_TIMER;

	if (!refcount_inc_not_zero(&nbd->config_refs)) {
		cmd->status = BLK_STS_TIMEOUT;
		mutex_unlock(&cmd->lock);
		goto done;
	}
	config = nbd->config;

	if (config->num_connections > 1 ||
	    (config->num_connections == 1 && nbd->tag_set.timeout)) {
		dev_err_ratelimited(nbd_to_dev(nbd),
				    "Connection timed out, retrying (%d/%d alive)\n",
				    atomic_read(&config->live_connections),
				    config->num_connections);
		/*
		 * Hooray we have more connections, requeue this IO, the submit
		 * path will put it on a real connection. Or if only one
		 * connection is configured, the submit path will wait until
		 * a new connection is reconfigured or until dead timeout.
		 */
		if (config->socks) {
			if (cmd->index < config->num_connections) {
				struct nbd_sock *nsock =
					config->socks[cmd->index];
				mutex_lock(&nsock->tx_lock);
				/* We can have multiple outstanding requests, so
				 * we don't want to mark the nsock dead if we've
				 * already reconnected with a new socket, so
				 * only mark it dead if it's the same socket we
				 * were sent out on.
				 */
				if (cmd->cookie == nsock->cookie)
					nbd_mark_nsock_dead(nbd, nsock, 1);
				mutex_unlock(&nsock->tx_lock);
			}
			mutex_unlock(&cmd->lock);
			nbd_requeue_cmd(cmd);
			nbd_config_put(nbd);
			return BLK_EH_DONE;
		}
	}

	if (!nbd->tag_set.timeout) {
		/*
		 * Userspace sets timeout=0 to disable socket disconnection,
		 * so just warn and reset the timer.
		 */
		struct nbd_sock *nsock = config->socks[cmd->index];
		cmd->retries++;
		dev_info(nbd_to_dev(nbd), "Possible stuck request %p: control (%s@%llu,%uB). Runtime %u seconds\n",
			req, nbdcmd_to_ascii(req_to_nbd_cmd_type(req)),
			(unsigned long long)blk_rq_pos(req) << 9,
			blk_rq_bytes(req), (req->timeout / HZ) * cmd->retries);

		mutex_lock(&nsock->tx_lock);
		if (cmd->cookie != nsock->cookie) {
			nbd_requeue_cmd(cmd);
			mutex_unlock(&nsock->tx_lock);
			mutex_unlock(&cmd->lock);
			nbd_config_put(nbd);
			return BLK_EH_DONE;
		}
		mutex_unlock(&nsock->tx_lock);
		mutex_unlock(&cmd->lock);
		nbd_config_put(nbd);
		return BLK_EH_RESET_TIMER;
	}

	dev_err_ratelimited(nbd_to_dev(nbd), "Connection timed out\n");
	set_bit(NBD_RT_TIMEDOUT, &config->runtime_flags);
	cmd->status = BLK_STS_IOERR;
	mutex_unlock(&cmd->lock);
	sock_shutdown(nbd);
	nbd_config_put(nbd);
done:
	blk_mq_complete_request(req);
	return BLK_EH_DONE;
}

/*
 * Send or receive packet.
 */
static int sock_xmit(struct nbd_device *nbd, int index, int send,
		     struct iov_iter *iter, int msg_flags, int *sent)
{
	struct nbd_config *config = nbd->config;
	struct socket *sock = config->socks[index]->sock;
	int result;
	struct msghdr msg;
	unsigned int noreclaim_flag;

	if (unlikely(!sock)) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
			"Attempted %s on closed socket in sock_xmit\n",
			(send ? "send" : "recv"));
		return -EINVAL;
	}

	msg.msg_iter = *iter;

	noreclaim_flag = memalloc_noreclaim_save();
	do {
		sock->sk->sk_allocation = GFP_NOIO | __GFP_MEMALLOC;
		msg.msg_name = NULL;
		msg.msg_namelen = 0;
		msg.msg_control = NULL;
		msg.msg_controllen = 0;
		msg.msg_flags = msg_flags | MSG_NOSIGNAL;

		if (send)
			result = sock_sendmsg(sock, &msg);
		else
			result = sock_recvmsg(sock, &msg, msg.msg_flags);

		if (result <= 0) {
			if (result == 0)
				result = -EPIPE; /* short read */
			break;
		}
		if (sent)
			*sent += result;
	} while (msg_data_left(&msg));

	memalloc_noreclaim_restore(noreclaim_flag);

	return result;
}

/*
 * Different settings for sk->sk_sndtimeo can result in different return values
 * if there is a signal pending when we enter sendmsg, because reasons?
 */
static inline int was_interrupted(int result)
{
	return result == -ERESTARTSYS || result == -EINTR;
}

/* always call with the tx_lock held */
static int nbd_send_cmd(struct nbd_device *nbd, struct nbd_cmd *cmd, int index)
{
	struct request *req = blk_mq_rq_from_pdu(cmd);
	struct nbd_config *config = nbd->config;
	struct nbd_sock *nsock = config->socks[index];
	int result;
	struct nbd_request request = {.magic = htonl(NBD_REQUEST_MAGIC)};
	struct kvec iov = {.iov_base = &request, .iov_len = sizeof(request)};
	struct iov_iter from;
	unsigned long size = blk_rq_bytes(req);
	struct bio *bio;
	u64 handle;
	u32 type;
	u32 nbd_cmd_flags = 0;
	int sent = nsock->sent, skip = 0;

	iov_iter_kvec(&from, WRITE, &iov, 1, sizeof(request));

	type = req_to_nbd_cmd_type(req);
	if (type == U32_MAX)
		return -EIO;

	if (rq_data_dir(req) == WRITE &&
	    (config->flags & NBD_FLAG_READ_ONLY)) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Write on read-only\n");
		return -EIO;
	}

	if (req->cmd_flags & REQ_FUA)
		nbd_cmd_flags |= NBD_CMD_FLAG_FUA;

	/* We did a partial send previously, and we at least sent the whole
	 * request struct, so just go and send the rest of the pages in the
	 * request.
	 */
	if (sent) {
		if (sent >= sizeof(request)) {
			skip = sent - sizeof(request);

			/* initialize handle for tracing purposes */
			handle = nbd_cmd_handle(cmd);

			goto send_pages;
		}
		iov_iter_advance(&from, sent);
	} else {
		cmd->cmd_cookie++;
	}
	cmd->index = index;
	cmd->cookie = nsock->cookie;
	cmd->retries = 0;
	request.type = htonl(type | nbd_cmd_flags);
	if (type != NBD_CMD_FLUSH) {
nbd: support FLUSH requests
Currently, the NBD device does not accept flush requests from the Linux
block layer. If the NBD server opened the target with neither O_SYNC nor
O_DSYNC, however, the device will be effectively backed by a writeback
cache. Without issuing flushes properly, operation of the NBD device will
not be safe against power losses.
The NBD protocol has support for both a cache flush command and a FUA
command flag; the server will also pass a flag to note its support for
these features. This patch adds support for the cache flush command and
flag. In the kernel, we receive the flags via the NBD_SET_FLAGS ioctl,
and map NBD_FLAG_SEND_FLUSH to the argument of blk_queue_flush. When the
flag is active the block layer will send REQ_FLUSH requests, which we
translate to NBD_CMD_FLUSH commands.
FUA support is not included in this patch because all free software
servers implement it with a full fdatasync; thus it has no advantage over
supporting flush only. Because I [Paolo] cannot really benchmark it in a
realistic scenario, I cannot tell if it is a good idea or not. It is also
not clear if it is valid for an NBD server to support FUA but not flush.
The Linux block layer gives a warning for this combination, the NBD
protocol documentation says nothing about it.
The patch also fixes a small problem in the handling of flags: nbd->flags
must be cleared at the end of NBD_DO_IT, but the driver was not doing
that. The bug manifests itself as follows. Suppose you use two different
client/server pairs to start the NBD device. Suppose also that the first
client supports NBD_SET_FLAGS, and the first server sends
NBD_FLAG_SEND_FLUSH; the second pair instead does neither of these two
things. Before this patch, the second invocation of NBD_DO_IT will use a
stale value of nbd->flags, and the second server will issue an error every
time it receives an NBD_CMD_FLUSH command.
This bug is pre-existing, but it becomes much more important after this
patch; flush failures make the device pretty much unusable, unlike
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
Signed-off-by: Alex Bligh <alex@alex.org.uk>
Acked-by: Paul Clements <Paul.Clements@steeleye.com>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2013-02-27 17:05:23 -08:00
		request.from = cpu_to_be64((u64)blk_rq_pos(req) << 9);
		request.len = htonl(size);
	}
	handle = nbd_cmd_handle(cmd);
	memcpy(request.handle, &handle, sizeof(handle));

	trace_nbd_send_request(&request, nbd->index, blk_mq_rq_from_pdu(cmd));

	dev_dbg(nbd_to_dev(nbd), "request %p: sending control (%s@%llu,%uB)\n",
		req, nbdcmd_to_ascii(type),
		(unsigned long long)blk_rq_pos(req) << 9, blk_rq_bytes(req));
	result = sock_xmit(nbd, index, 1, &from,
			(type == NBD_CMD_WRITE) ? MSG_MORE : 0, &sent);
	trace_nbd_header_sent(req, handle);
	if (result <= 0) {
		if (was_interrupted(result)) {
			/* If we haven't sent anything we can just return BUSY,
			 * however if we have sent something we need to make
			 * sure we only allow this req to be sent until we are
			 * completely done.
			 */
			if (sent) {
				nsock->pending = req;
				nsock->sent = sent;
			}
			set_bit(NBD_CMD_REQUEUED, &cmd->flags);
			return BLK_STS_RESOURCE;
		}
		dev_err_ratelimited(disk_to_dev(nbd->disk),
			"Send control failed (result %d)\n", result);
		return -EAGAIN;
	}
send_pages:
	if (type != NBD_CMD_WRITE)
		goto out;

	bio = req->bio;
	while (bio) {
		struct bio *next = bio->bi_next;
		struct bvec_iter iter;
		struct bio_vec bvec;

		bio_for_each_segment(bvec, bio, iter) {
			bool is_last = !next && bio_iter_last(bvec, iter);
			int flags = is_last ? 0 : MSG_MORE;

			dev_dbg(nbd_to_dev(nbd), "request %p: sending %d bytes data\n",
				req, bvec.bv_len);
			iov_iter_bvec(&from, WRITE, &bvec, 1, bvec.bv_len);
			if (skip) {
				if (skip >= iov_iter_count(&from)) {
					skip -= iov_iter_count(&from);
					continue;
				}
				iov_iter_advance(&from, skip);
				skip = 0;
			}
			result = sock_xmit(nbd, index, 1, &from, flags, &sent);
			if (result <= 0) {
				if (was_interrupted(result)) {
					/* We've already sent the header, we
					 * have no choice but to set pending and
					 * return BUSY.
					 */
					nsock->pending = req;
					nsock->sent = sent;
					set_bit(NBD_CMD_REQUEUED, &cmd->flags);
					return BLK_STS_RESOURCE;
				}
				dev_err(disk_to_dev(nbd->disk),
					"Send data failed (result %d)\n",
					result);
				return -EAGAIN;
			}
			/*
			 * The completion might already have come in,
			 * so break for the last one instead of letting
			 * the iterator do it. This prevents use-after-free
			 * of the bio.
			 */
			if (is_last)
				break;
		}
		bio = next;
	}
out:
	trace_nbd_payload_sent(req, handle);
	nsock->pending = NULL;
	nsock->sent = 0;
	return 0;
}

/* NULL returned = something went wrong, inform userspace */
static struct nbd_cmd *nbd_read_stat(struct nbd_device *nbd, int index)
{
	struct nbd_config *config = nbd->config;
	int result;
	struct nbd_reply reply;
	struct nbd_cmd *cmd;
	struct request *req = NULL;
	u64 handle;
	u16 hwq;
	u32 tag;
	struct kvec iov = {.iov_base = &reply, .iov_len = sizeof(reply)};
	struct iov_iter to;
	int ret = 0;

	reply.magic = 0;
	iov_iter_kvec(&to, READ, &iov, 1, sizeof(reply));
	result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
	if (result <= 0) {
		if (!nbd_disconnected(config))
			dev_err(disk_to_dev(nbd->disk),
				"Receive control failed (result %d)\n", result);
		return ERR_PTR(result);
	}

	if (ntohl(reply.magic) != NBD_REPLY_MAGIC) {
		dev_err(disk_to_dev(nbd->disk), "Wrong magic (0x%lx)\n",
				(unsigned long)ntohl(reply.magic));
		return ERR_PTR(-EPROTO);
	}

	memcpy(&handle, reply.handle, sizeof(handle));
	tag = nbd_handle_to_tag(handle);
	hwq = blk_mq_unique_tag_to_hwq(tag);
	if (hwq < nbd->tag_set.nr_hw_queues)
		req = blk_mq_tag_to_rq(nbd->tag_set.tags[hwq],
				       blk_mq_unique_tag_to_tag(tag));
	if (!req || !blk_mq_request_started(req)) {
		dev_err(disk_to_dev(nbd->disk), "Unexpected reply (%d) %p\n",
			tag, req);
		return ERR_PTR(-ENOENT);
	}
	trace_nbd_header_received(req, handle);
	cmd = blk_mq_rq_to_pdu(req);

	mutex_lock(&cmd->lock);
	if (cmd->cmd_cookie != nbd_handle_to_cookie(handle)) {
		dev_err(disk_to_dev(nbd->disk), "Double reply on req %p, cmd_cookie %u, handle cookie %u\n",
			req, cmd->cmd_cookie, nbd_handle_to_cookie(handle));
		ret = -ENOENT;
		goto out;
	}
	if (cmd->status != BLK_STS_OK) {
		dev_err(disk_to_dev(nbd->disk), "Command already handled %p\n",
			req);
		ret = -ENOENT;
		goto out;
	}
	if (test_bit(NBD_CMD_REQUEUED, &cmd->flags)) {
		dev_err(disk_to_dev(nbd->disk), "Raced with timeout on req %p\n",
			req);
		ret = -ENOENT;
		goto out;
	}
	if (ntohl(reply.error)) {
		dev_err(disk_to_dev(nbd->disk), "Other side returned error (%d)\n",
			ntohl(reply.error));
		cmd->status = BLK_STS_IOERR;
		goto out;
	}

	dev_dbg(nbd_to_dev(nbd), "request %p: got reply\n", req);
	if (rq_data_dir(req) != WRITE) {
		struct req_iterator iter;
		struct bio_vec bvec;

		rq_for_each_segment(bvec, req, iter) {
			iov_iter_bvec(&to, READ, &bvec, 1, bvec.bv_len);
			result = sock_xmit(nbd, index, 0, &to, MSG_WAITALL, NULL);
			if (result <= 0) {
				dev_err(disk_to_dev(nbd->disk), "Receive data failed (result %d)\n",
					result);
				/*
				 * If we've disconnected, we need to make sure we
				 * complete this request, otherwise error out
				 * and let the timeout stuff handle resubmitting
				 * this request onto another connection.
				 */
				if (nbd_disconnected(config)) {
					cmd->status = BLK_STS_IOERR;
					goto out;
				}
				ret = -EIO;
				goto out;
			}
			dev_dbg(nbd_to_dev(nbd), "request %p: got %d bytes data\n",
				req, bvec.bv_len);
		}
	}
out:
	trace_nbd_payload_received(req, handle);
	mutex_unlock(&cmd->lock);
	return ret ? ERR_PTR(ret) : cmd;
}
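
/*
 * Added example, not part of nbd.c: a userspace model of the checks that
 * nbd_read_stat() applies to a reply header from the server before trusting
 * it (magic, tag lookup, cookie match, requeue race). The handle layout
 * (cookie in the high 32 bits, tag in the low 32) and the names slot, issue,
 * mark_requeued, check_reply and feed are assumptions made for illustration.
 */

```c
#include <arpa/inet.h> /* htonl, ntohl */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NBD_REPLY_MAGIC 0x67446698u /* simple-reply magic of the NBD protocol */
#define COOKIE_BITS 32 /* assumed handle layout: cookie high, tag low */
#define NR_TAGS 4      /* constructed queue depth */

/* Simple reply on the wire: 16 bytes, magic and error big-endian. */
struct wire_reply {
	uint32_t magic;
	uint32_t error;
	uint8_t handle[8]; /* opaque to the server, echoed back verbatim */
};

/* Hypothetical stand-in for the driver's per-request state. */
struct slot {
	bool started;    /* request is in flight */
	bool requeued;   /* the timeout path took the request back */
	uint32_t cookie; /* bumped each time the tag is (re)issued */
};

enum verdict {
	REPLY_OK, REPLY_SHORT, REPLY_BAD_MAGIC, REPLY_UNKNOWN_TAG,
	REPLY_STALE_COOKIE, REPLY_RACED_TIMEOUT, REPLY_SERVER_ERROR
};

static struct slot table[NR_TAGS];

/* Issue or reissue a tag (caller passes tag < NR_TAGS); returns its cookie. */
uint32_t issue(uint32_t tag)
{
	table[tag].started = true;
	table[tag].requeued = false;
	return ++table[tag].cookie;
}

/* Model the timeout handler requeueing an in-flight request. */
bool mark_requeued(uint32_t tag)
{
	table[tag].requeued = true;
	return true;
}

/* Validate one reply header received from an untrusted peer. */
enum verdict check_reply(const uint8_t *buf, size_t len)
{
	struct wire_reply r;
	uint64_t handle;
	uint32_t tag, cookie;

	if (len < sizeof(r))
		return REPLY_SHORT;
	memcpy(&r, buf, sizeof(r));
	if (ntohl(r.magic) != NBD_REPLY_MAGIC)
		return REPLY_BAD_MAGIC;

	memcpy(&handle, r.handle, sizeof(handle));
	tag = (uint32_t)handle;
	cookie = (uint32_t)(handle >> COOKIE_BITS);

	/* Bounds-check the peer-supplied index before touching the table. */
	if (tag >= NR_TAGS || !table[tag].started)
		return REPLY_UNKNOWN_TAG;
	if (table[tag].cookie != cookie)
		return REPLY_STALE_COOKIE; /* answers an earlier use of the tag */
	if (table[tag].requeued)
		return REPLY_RACED_TIMEOUT;

	table[tag].started = false; /* the request completes either way */
	return ntohl(r.error) ? REPLY_SERVER_ERROR : REPLY_OK;
}

/* Build a constructed reply the way a server would echo it, then check it. */
enum verdict feed(uint32_t magic, uint32_t error, uint32_t cookie, uint32_t tag)
{
	struct wire_reply r;
	uint64_t handle = ((uint64_t)cookie << COOKIE_BITS) | tag;
	uint8_t buf[sizeof(r)];

	r.magic = htonl(magic);
	r.error = htonl(error);
	memcpy(r.handle, &handle, sizeof(handle));
	memcpy(buf, &r, sizeof(r));
	return check_reply(buf, sizeof(buf));
}

int main(void)
{
	uint32_t c = issue(1);

	printf("first reply: %d\n", feed(NBD_REPLY_MAGIC, 0, c, 1));
	printf("same reply again: %d\n", feed(NBD_REPLY_MAGIC, 0, c, 1));
	issue(1); /* tag reused for a new request */
	printf("old reply after reuse: %d\n", feed(NBD_REPLY_MAGIC, 0, c, 1));
	return 0;
}
```
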

static void recv_work(struct work_struct *work)
{
	struct recv_thread_args *args = container_of(work,
						     struct recv_thread_args,
						     work);
	struct nbd_device *nbd = args->nbd;
	struct nbd_config *config = nbd->config;
	struct nbd_cmd *cmd;
	struct request *rq;

	while (1) {
		cmd = nbd_read_stat(nbd, args->index);
		if (IS_ERR(cmd)) {
			struct nbd_sock *nsock = config->socks[args->index];

			mutex_lock(&nsock->tx_lock);
			nbd_mark_nsock_dead(nbd, nsock, 1);
			mutex_unlock(&nsock->tx_lock);
			break;
		}

		rq = blk_mq_rq_from_pdu(cmd);
		if (likely(!blk_should_fake_timeout(rq->q)))
			blk_mq_complete_request(rq);
	}
	nbd_config_put(nbd);
	atomic_dec(&config->recv_threads);
	wake_up(&config->recv_wq);
	kfree(args);
}

static bool nbd_clear_req(struct request *req, void *data, bool reserved)
{
	struct nbd_cmd *cmd = blk_mq_rq_to_pdu(req);

	/* don't abort one completed request */
	if (blk_mq_request_completed(req))
		return true;

	mutex_lock(&cmd->lock);
	cmd->status = BLK_STS_IOERR;
	mutex_unlock(&cmd->lock);

	blk_mq_complete_request(req);
	return true;
}

static void nbd_clear_que(struct nbd_device *nbd)
{
	blk_mq_quiesce_queue(nbd->disk->queue);
	blk_mq_tagset_busy_iter(&nbd->tag_set, nbd_clear_req, NULL);
	blk_mq_unquiesce_queue(nbd->disk->queue);
	dev_dbg(disk_to_dev(nbd->disk), "queue cleared\n");
}

static int find_fallback(struct nbd_device *nbd, int index)
{
	struct nbd_config *config = nbd->config;
	int new_index = -1;
	struct nbd_sock *nsock = config->socks[index];
	int fallback = nsock->fallback_index;

	if (test_bit(NBD_RT_DISCONNECTED, &config->runtime_flags))
		return new_index;

	if (config->num_connections <= 1) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Dead connection, failed to find a fallback\n");
		return new_index;
	}

	if (fallback >= 0 && fallback < config->num_connections &&
	    !config->socks[fallback]->dead)
		return fallback;

	if (nsock->fallback_index < 0 ||
	    nsock->fallback_index >= config->num_connections ||
	    config->socks[nsock->fallback_index]->dead) {
		int i;
		for (i = 0; i < config->num_connections; i++) {
			if (i == index)
				continue;
			if (!config->socks[i]->dead) {
				new_index = i;
				break;
			}
		}
		nsock->fallback_index = new_index;
		if (new_index < 0) {
			dev_err_ratelimited(disk_to_dev(nbd->disk),
					    "Dead connection, failed to find a fallback\n");
			return new_index;
		}
	}
	new_index = nsock->fallback_index;
	return new_index;
}

static int wait_for_reconnect(struct nbd_device *nbd)
{
	struct nbd_config *config = nbd->config;
	if (!config->dead_conn_timeout)
		return 0;
	if (test_bit(NBD_RT_DISCONNECTED, &config->runtime_flags))
		return 0;
	return wait_event_timeout(config->conn_wait,
				  atomic_read(&config->live_connections) > 0,
				  config->dead_conn_timeout) > 0;
}

static int nbd_handle_cmd(struct nbd_cmd *cmd, int index)
{
	struct request *req = blk_mq_rq_from_pdu(cmd);
	struct nbd_device *nbd = cmd->nbd;
	struct nbd_config *config;
	struct nbd_sock *nsock;
	int ret;

	if (!refcount_inc_not_zero(&nbd->config_refs)) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Socks array is empty\n");
		blk_mq_start_request(req);
		return -EINVAL;
	}
	config = nbd->config;

	if (index >= config->num_connections) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Attempted send on invalid socket\n");
		nbd_config_put(nbd);
		blk_mq_start_request(req);
		return -EINVAL;
	}
	cmd->status = BLK_STS_OK;
again:
	nsock = config->socks[index];
	mutex_lock(&nsock->tx_lock);
	if (nsock->dead) {
		int old_index = index;
		index = find_fallback(nbd, index);
		mutex_unlock(&nsock->tx_lock);
		if (index < 0) {
			if (wait_for_reconnect(nbd)) {
				index = old_index;
				goto again;
			}
			/* All the sockets should already be down at this point,
			 * we just want to make sure that DISCONNECTED is set so
			 * any requests that come in that were queued waiting
			 * for the reconnect timer don't trigger the timer again
			 * and instead just error out.
			 */
			sock_shutdown(nbd);
			nbd_config_put(nbd);
			blk_mq_start_request(req);
			return -EIO;
		}
		goto again;
	}

	/* Handle the case that we have a pending request that was partially
	 * transmitted that _has_ to be serviced first. We need to call requeue
	 * here so that it gets put _after_ the request that is already on the
	 * dispatch list.
	 */
	blk_mq_start_request(req);
	if (unlikely(nsock->pending && nsock->pending != req)) {
		nbd_requeue_cmd(cmd);
		ret = 0;
		goto out;
	}
	/*
	 * Some failures are related to the link going down, so anything that
	 * returns EAGAIN can be retried on a different socket.
	 */
	ret = nbd_send_cmd(nbd, cmd, index);
	if (ret == -EAGAIN) {
		dev_err_ratelimited(disk_to_dev(nbd->disk),
				    "Request send failed, requeueing\n");
		nbd_mark_nsock_dead(nbd, nsock, 1);
		nbd_requeue_cmd(cmd);
		ret = 0;
	}
out:
	mutex_unlock(&nsock->tx_lock);
	nbd_config_put(nbd);
	return ret;
}
2017-06-03 09:38:05 +02:00
static blk_status_t nbd_queue_rq(struct blk_mq_hw_ctx *hctx,
2016-09-08 12:33:37 -07:00
			const struct blk_mq_queue_data *bd)
2005-04-16 15:20:36 -07:00
{
2016-09-08 12:33:37 -07:00
	struct nbd_cmd *cmd = blk_mq_rq_to_pdu(bd->rq);
2017-03-24 14:08:26 -04:00
	int ret;
2005-04-16 15:20:36 -07:00
2016-11-22 14:04:40 -05:00
	/*
	 * Since we look at the bio's to send the request over the network we
	 * need to make sure the completion work doesn't mark this request done
	 * before we are done doing our send. This keeps us from dereferencing
	 * freed data if we have particularly fast completions (ie we get the
	 * completion before we exit sock_xmit on the last bvec) or in the case
	 * that the server is misbehaving (or there was an error) before we're
	 * done sending everything over the wire.
	 */
2018-07-16 12:11:35 -04:00
	mutex_lock(&cmd->lock);
2018-07-16 12:11:34 -04:00
	clear_bit(NBD_CMD_REQUEUED, &cmd->flags);
2017-03-24 14:08:26 -04:00
	/* We can be called directly from the user space process, which means we
	 * could possibly have signals pending so our sendmsg will fail. In
	 * this case we need to return that we are busy, otherwise error out as
	 * appropriate.
	 */
	ret = nbd_handle_cmd(cmd, hctx->queue_num);
2017-10-02 16:22:08 -04:00
	if (ret < 0)
		ret = BLK_STS_IOERR;
	else if (!ret)
		ret = BLK_STS_OK;
2018-07-16 12:11:35 -04:00
	mutex_unlock(&cmd->lock);
2016-11-22 14:04:40 -05:00
2017-10-02 16:22:08 -04:00
	return ret;
2005-04-16 15:20:36 -07:00
}
2019-10-17 16:27:34 -05:00
static struct socket *nbd_get_socket(struct nbd_device *nbd, unsigned long fd,
				     int *err)
{
	struct socket *sock;
	*err = 0;
	sock = sockfd_lookup(fd, err);
	if (!sock)
		return NULL;
	if (sock->ops->shutdown == sock_no_shutdown) {
		dev_err(disk_to_dev(nbd->disk), "Unsupported socket: shutdown callout must be supported.\n");
		*err = -EINVAL;
2019-11-19 14:09:11 +08:00
		sockfd_put(sock);
2019-10-17 16:27:34 -05:00
		return NULL;
	}
	return sock;
}
2017-04-06 17:02:00 -04:00
static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg,
			  bool netlink)
2015-10-29 11:51:16 +01:00
{
2017-04-06 17:01:58 -04:00
	struct nbd_config *config = nbd->config;
2017-02-07 17:10:22 -05:00
	struct socket *sock;
2016-11-22 14:04:40 -05:00
	struct nbd_sock **socks;
	struct nbd_sock *nsock;
2017-02-07 17:10:22 -05:00
	int err;
2019-10-17 16:27:34 -05:00
	sock = nbd_get_socket(nbd, arg, &err);
2017-02-07 17:10:22 -05:00
	if (!sock)
		return err;
2015-10-29 11:51:16 +01:00
2021-01-25 12:21:02 -05:00
	/*
	 * We need to make sure we don't get any errant requests while we're
	 * reallocating the ->socks array.
	 */
	blk_mq_freeze_queue(nbd->disk->queue);
2017-04-06 17:02:00 -04:00
	if (!netlink && !nbd->task_setup &&
2019-09-17 17:26:05 +05:30
	    !test_bit(NBD_RT_BOUND, &config->runtime_flags))
2016-11-22 14:04:40 -05:00
		nbd->task_setup = current;
2017-04-06 17:02:00 -04:00
	if (!netlink &&
	    (nbd->task_setup != current ||
2019-09-17 17:26:05 +05:30
	     test_bit(NBD_RT_BOUND, &config->runtime_flags))) {
2016-11-22 14:04:40 -05:00
		dev_err(disk_to_dev(nbd->disk),
			"Device being setup by another task");
2020-06-29 09:23:49 +08:00
		err = -EBUSY;
		goto put_socket;
	}
	nsock = kzalloc(sizeof(*nsock), GFP_KERNEL);
	if (!nsock) {
		err = -ENOMEM;
		goto put_socket;
2015-10-29 11:51:16 +01:00
	}
2017-04-06 17:01:58 -04:00
	socks = krealloc(config->socks, (config->num_connections + 1) *
2016-11-22 14:04:40 -05:00
			 sizeof(struct nbd_sock *), GFP_KERNEL);
2017-04-06 17:01:56 -04:00
	if (!socks) {
2020-06-29 09:23:49 +08:00
		kfree(nsock);
		err = -ENOMEM;
		goto put_socket;
2017-04-06 17:01:56 -04:00
	}
2019-09-23 15:09:58 -05:00
	config->socks = socks;
2017-04-06 17:01:57 -04:00
	nsock->fallback_index = -1;
	nsock->dead = false;
2016-11-22 14:04:40 -05:00
	mutex_init(&nsock->tx_lock);
	nsock->sock = sock;
2017-03-24 14:08:26 -04:00
	nsock->pending = NULL;
	nsock->sent = 0;
2017-04-06 17:02:02 -04:00
	nsock->cookie = 0;
2017-04-06 17:01:58 -04:00
	socks[config->num_connections++] = nsock;
2017-04-06 17:02:04 -04:00
	atomic_inc(&config->live_connections);
2021-01-25 12:21:02 -05:00
	blk_mq_unfreeze_queue(nbd->disk->queue);
2015-10-29 11:51:16 +01:00
2016-11-22 14:04:40 -05:00
	return 0;
2020-06-29 09:23:49 +08:00
put_socket:
2021-01-25 12:21:02 -05:00
	blk_mq_unfreeze_queue(nbd->disk->queue);
2020-06-29 09:23:49 +08:00
	sockfd_put(sock);
	return err;
2015-10-29 11:51:16 +01:00
}
2017-04-06 17:02:01 -04:00
static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg)
{
	struct nbd_config *config = nbd->config;
	struct socket *sock, *old;
	struct recv_thread_args *args;
	int i;
	int err;
2019-10-17 16:27:34 -05:00
	sock = nbd_get_socket(nbd, arg, &err);
2017-04-06 17:02:01 -04:00
	if (!sock)
		return err;
	args = kzalloc(sizeof(*args), GFP_KERNEL);
	if (!args) {
		sockfd_put(sock);
		return -ENOMEM;
	}
	for (i = 0; i < config->num_connections; i++) {
		struct nbd_sock *nsock = config->socks[i];
		if (!nsock->dead)
			continue;
		mutex_lock(&nsock->tx_lock);
		if (!nsock->dead) {
			mutex_unlock(&nsock->tx_lock);
			continue;
		}
		sk_set_memalloc(sock->sk);
2017-07-21 10:48:15 -04:00
		if (nbd->tag_set.timeout)
			sock->sk->sk_sndtimeo = nbd->tag_set.timeout;
2017-04-06 17:02:01 -04:00
		atomic_inc(&config->recv_threads);
		refcount_inc(&nbd->config_refs);
		old = nsock->sock;
		nsock->fallback_index = -1;
		nsock->sock = sock;
		nsock->dead = false;
		INIT_WORK(&args->work, recv_work);
		args->index = i;
		args->nbd = nbd;
2017-04-06 17:02:02 -04:00
		nsock->cookie++;
2017-04-06 17:02:01 -04:00
		mutex_unlock(&nsock->tx_lock);
		sockfd_put(old);
2019-09-17 17:26:05 +05:30
		clear_bit(NBD_RT_DISCONNECTED, &config->runtime_flags);
2017-07-25 13:31:19 -04:00
2017-04-06 17:02:01 -04:00
		/* We take the tx_mutex in an error path in the recv_work, so we
		 * need to queue_work outside of the tx_mutex.
		 */
2019-08-04 14:10:06 -05:00
		queue_work(nbd->recv_workq, &args->work);
2017-04-06 17:02:04 -04:00
		atomic_inc(&config->live_connections);
		wake_up(&config->conn_wait);
2017-04-06 17:02:01 -04:00
		return 0;
	}
	sockfd_put(sock);
	kfree(args);
	return -ENOSPC;
}
2015-10-29 12:04:51 +01:00
static void nbd_bdev_reset ( struct block_device * bdev )
{
2017-03-24 14:08:29 -04:00
if ( bdev - > bd_openers > 1 )
return ;
2020-11-26 18:43:37 +01:00
set_capacity ( bdev - > bd_disk , 0 ) ;
2015-10-29 12:04:51 +01:00
}
2017-04-06 17:01:59 -04:00
static void nbd_parse_flags ( struct nbd_device * nbd )
2015-10-29 12:06:15 +01:00
{
2017-04-06 17:01:58 -04:00
struct nbd_config * config = nbd - > config ;
if ( config - > flags & NBD_FLAG_READ_ONLY )
2017-04-06 17:01:59 -04:00
set_disk_ro ( nbd - > disk , true ) ;
else
set_disk_ro ( nbd - > disk , false ) ;
2017-04-06 17:01:58 -04:00
if ( config - > flags & NBD_FLAG_SEND_TRIM )
2018-03-07 17:10:10 -08:00
blk_queue_flag_set ( QUEUE_FLAG_DISCARD , nbd - > disk - > queue ) ;
2017-05-25 23:55:54 -04:00
if ( config - > flags & NBD_FLAG_SEND_FLUSH ) {
if ( config - > flags & NBD_FLAG_SEND_FUA )
blk_queue_write_cache ( nbd - > disk - > queue , true , true ) ;
else
blk_queue_write_cache ( nbd - > disk - > queue , true , false ) ;
}
2015-10-29 12:06:15 +01:00
else
2016-03-30 10:10:53 -06:00
blk_queue_write_cache ( nbd - > disk - > queue , false , false ) ;
2015-10-29 12:06:15 +01:00
}
2016-11-22 14:04:40 -05:00
static void send_disconnects ( struct nbd_device * nbd )
{
2017-04-06 17:01:58 -04:00
struct nbd_config * config = nbd - > config ;
2015-11-12 05:09:35 -05:00
struct nbd_request request = {
. magic = htonl ( NBD_REQUEST_MAGIC ) ,
. type = htonl ( NBD_CMD_DISC ) ,
} ;
struct kvec iov = { . iov_base = & request , . iov_len = sizeof ( request ) } ;
struct iov_iter from ;
2016-11-22 14:04:40 -05:00
int i , ret ;
2017-04-06 17:01:58 -04:00
for ( i = 0 ; i < config - > num_connections ; i + + ) {
2017-07-21 10:48:14 -04:00
struct nbd_sock * nsock = config - > socks [ i ] ;
2018-10-20 00:57:56 +01:00
iov_iter_kvec ( & from , WRITE , & iov , 1 , sizeof ( request ) ) ;
2017-07-21 10:48:14 -04:00
mutex_lock ( & nsock - > tx_lock ) ;
2017-03-24 14:08:26 -04:00
ret = sock_xmit ( nbd , i , 1 , & from , 0 , NULL ) ;
2016-11-22 14:04:40 -05:00
if ( ret < = 0 )
dev_err ( disk_to_dev ( nbd - > disk ) ,
" Send disconnect failed %d \n " , ret ) ;
2017-07-21 10:48:14 -04:00
mutex_unlock ( & nsock - > tx_lock ) ;
2016-11-22 14:04:40 -05:00
}
}
2017-04-06 17:01:59 -04:00
static int nbd_disconnect ( struct nbd_device * nbd )
2017-02-07 17:10:22 -05:00
{
2017-04-06 17:01:58 -04:00
struct nbd_config * config = nbd - > config ;
2015-08-17 08:20:06 +02:00
2017-04-06 17:01:58 -04:00
dev_info ( disk_to_dev ( nbd - > disk ) , " NBD_DISCONNECT \n " ) ;
2019-09-17 17:26:05 +05:30
set_bit ( NBD_RT_DISCONNECT_REQUESTED , & config - > runtime_flags ) ;
2019-09-17 17:26:06 +05:30
set_bit ( NBD_DISCONNECT_REQUESTED , & nbd - > flags ) ;
2017-07-21 10:48:13 -04:00
send_disconnects ( nbd ) ;
2017-02-07 17:10:22 -05:00
return 0 ;
}
2017-04-06 17:01:59 -04:00
static void nbd_clear_sock ( struct nbd_device * nbd )
2009-04-02 16:58:41 -07:00
{
2017-02-07 17:10:22 -05:00
sock_shutdown ( nbd ) ;
nbd_clear_que ( nbd ) ;
2017-04-06 17:01:58 -04:00
nbd - > task_setup = NULL ;
}
static void nbd_config_put ( struct nbd_device * nbd )
{
if ( refcount_dec_and_mutex_lock ( & nbd - > config_refs ,
& nbd - > config_lock ) ) {
struct nbd_config * config = nbd - > config ;
nbd_dev_dbg_close ( nbd ) ;
2017-04-06 17:01:59 -04:00
nbd_size_clear ( nbd ) ;
2019-09-17 17:26:05 +05:30
if ( test_and_clear_bit ( NBD_RT_HAS_PID_FILE ,
2017-04-06 17:01:58 -04:00
& config - > runtime_flags ) )
device_remove_file ( disk_to_dev ( nbd - > disk ) , & pid_attr ) ;
nbd - > task_recv = NULL ;
nbd: provide a way for userspace processes to identify device backends
Problem:
On reconfigure of device, there is no way to defend if the backend
storage is matching with the initial backend storage.
Say, if an initial connect request for backend "pool1/image1" got
mapped to /dev/nbd0 and the userspace process is terminated. A next
reconfigure request within NBD_ATTR_DEAD_CONN_TIMEOUT is allowed to
use /dev/nbd0 for a different backend "pool1/image2"
For example, an operation like below could be dangerous:
$ sudo rbd-nbd map --try-netlink rbd-pool/ext4-image
/dev/nbd0
$ sudo blkid /dev/nbd0
/dev/nbd0: UUID="bfc444b4-64b1-418f-8b36-6e0d170cfc04" TYPE="ext4"
$ sudo pkill -9 rbd-nbd
$ sudo rbd-nbd attach --try-netlink --device /dev/nbd0 rbd-pool/xfs-image
/dev/nbd0
$ sudo blkid /dev/nbd0
/dev/nbd0: UUID="d29bf343-6570-4069-a9ea-2fa156ced908" TYPE="xfs"
Solution:
Provide a way for userspace processes to keep some metadata to identify
between the device and the backend, so that when a reconfigure request is
made, we can compare and avoid such dangerous operations.
With this solution, as part of the initial connect request, backend
path can be stored in the sysfs per device config, so that on a reconfigure
request it's easy to check if the backend path matches with the initial
connect backend path.
Please note, ioctl interface to nbd will not have these changes, as there
won't be any reconfigure.
Signed-off-by: Prasanna Kumar Kalever <prasanna.kalever@redhat.com>
Reviewed-by: Xiubo Li <xiubli@redhat.com>
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20210429102828.31248-1-prasanna.kalever@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-04-29 15:58:28 +05:30
if ( test_and_clear_bit ( NBD_RT_HAS_BACKEND_FILE ,
& config - > runtime_flags ) ) {
device_remove_file ( disk_to_dev ( nbd - > disk ) , & backend_attr ) ;
kfree ( nbd - > backend ) ;
nbd - > backend = NULL ;
}
2017-04-06 17:01:59 -04:00
nbd_clear_sock ( nbd ) ;
2017-04-06 17:01:58 -04:00
if ( config - > num_connections ) {
int i ;
for ( i = 0 ; i < config - > num_connections ; i + + ) {
sockfd_put ( config - > socks [ i ] - > sock ) ;
kfree ( config - > socks [ i ] ) ;
}
kfree ( config - > socks ) ;
}
2017-05-23 17:49:55 +02:00
kfree ( nbd - > config ) ;
2017-05-23 17:49:54 +02:00
nbd - > config = NULL ;
2019-08-04 14:10:06 -05:00
if ( nbd - > recv_workq )
destroy_workqueue ( nbd - > recv_workq ) ;
nbd - > recv_workq = NULL ;
2017-05-23 17:49:54 +02:00
nbd - > tag_set . timeout = 0 ;
2018-05-23 13:35:59 -04:00
nbd - > disk - > queue - > limits . discard_granularity = 0 ;
2018-06-05 11:41:23 -04:00
nbd - > disk - > queue - > limits . discard_alignment = 0 ;
2018-05-23 13:35:59 -04:00
blk_queue_max_discard_sectors ( nbd - > disk - > queue , UINT_MAX ) ;
2018-03-07 17:10:10 -08:00
blk_queue_flag_clear ( QUEUE_FLAG_DISCARD , nbd - > disk - > queue ) ;
2017-04-06 17:02:07 -04:00
2017-04-06 17:01:58 -04:00
mutex_unlock ( & nbd - > config_lock ) ;
2017-04-06 17:02:06 -04:00
nbd_put ( nbd ) ;
2017-04-06 17:01:58 -04:00
module_put ( THIS_MODULE ) ;
}
2017-02-07 17:10:22 -05:00
}
2017-04-06 17:02:00 -04:00
static int nbd_start_device ( struct nbd_device * nbd )
2017-02-07 17:10:22 -05:00
{
2017-04-06 17:01:58 -04:00
struct nbd_config * config = nbd - > config ;
int num_connections = config - > num_connections ;
2017-02-07 17:10:22 -05:00
int error = 0 , i ;
2009-04-02 16:58:41 -07:00
2017-02-07 17:10:22 -05:00
if ( nbd - > task_recv )
return - EBUSY ;
2017-04-06 17:01:58 -04:00
if ( ! config - > socks )
2017-02-07 17:10:22 -05:00
return - EINVAL ;
if ( num_connections > 1 & &
2017-04-06 17:01:58 -04:00
! ( config - > flags & NBD_FLAG_CAN_MULTI_CONN ) ) {
2017-02-07 17:10:22 -05:00
dev_err ( disk_to_dev ( nbd - > disk ) , " server does not support multiple connections per device. \n " ) ;
2017-04-06 17:01:58 -04:00
return - EINVAL ;
2017-02-07 17:10:22 -05:00
}
2015-10-29 11:51:16 +01:00
2019-08-04 14:10:06 -05:00
nbd - > recv_workq = alloc_workqueue ( " knbd%d-recv " ,
WQ_MEM_RECLAIM | WQ_HIGHPRI |
WQ_UNBOUND , 0 , nbd - > index ) ;
if ( ! nbd - > recv_workq ) {
dev_err ( disk_to_dev ( nbd - > disk ) , " Could not allocate knbd recv work queue. \n " ) ;
return - ENOMEM ;
}
2017-04-06 17:01:58 -04:00
blk_mq_update_nr_hw_queues ( & nbd - > tag_set , config - > num_connections ) ;
2017-02-07 17:10:22 -05:00
nbd - > task_recv = current ;
2015-10-29 11:51:16 +01:00
2017-04-06 17:01:59 -04:00
nbd_parse_flags ( nbd ) ;
2015-10-29 11:51:16 +01:00
2017-02-07 17:10:22 -05:00
error = device_create_file ( disk_to_dev ( nbd - > disk ) , & pid_attr ) ;
if ( error ) {
2021-04-29 15:58:28 +05:30
dev_err ( disk_to_dev ( nbd - > disk ) , " device_create_file failed for pid! \n " ) ;
2017-04-06 17:01:58 -04:00
return error ;
2009-04-02 16:58:41 -07:00
}
2019-09-17 17:26:05 +05:30
set_bit ( NBD_RT_HAS_PID_FILE , & config - > runtime_flags ) ;
2015-07-27 07:36:49 +02:00
2017-02-07 17:10:22 -05:00
nbd_dev_dbg_init ( nbd ) ;
for ( i = 0 ; i < num_connections ; i + + ) {
2017-04-06 17:01:58 -04:00
struct recv_thread_args * args ;
args = kzalloc ( sizeof ( * args ) , GFP_KERNEL ) ;
if ( ! args ) {
sock_shutdown ( nbd ) ;
2020-01-22 11:18:57 +08:00
/*
* If num_connections is m ( 2 < m ) ,
* and NO .1 ~ NO . n ( 1 < n < m ) kzallocs are successful .
* But NO . ( n + 1 ) failed . We still have n recv threads .
* So , add flush_workqueue here to prevent recv threads
* dropping the last config_refs and trying to destroy
* the workqueue from inside the workqueue .
*/
if ( i )
flush_workqueue ( nbd - > recv_workq ) ;
2017-04-06 17:01:58 -04:00
return - ENOMEM ;
}
sk_set_memalloc ( config - > socks [ i ] - > sock - > sk ) ;
2017-07-21 10:48:15 -04:00
if ( nbd - > tag_set . timeout )
config - > socks [ i ] - > sock - > sk - > sk_sndtimeo =
nbd - > tag_set . timeout ;
2017-04-06 17:01:58 -04:00
atomic_inc ( & config - > recv_threads ) ;
refcount_inc ( & nbd - > config_refs ) ;
INIT_WORK ( & args - > work , recv_work ) ;
args - > nbd = nbd ;
args - > index = i ;
2019-08-04 14:10:06 -05:00
queue_work ( nbd - > recv_workq , & args - > work ) ;
2015-07-27 07:36:49 +02:00
}
2020-11-16 15:57:00 +01:00
return nbd_set_size ( nbd , config - > bytesize , config - > blksize ) ;
2017-04-06 17:02:00 -04:00
}
static int nbd_start_device_ioctl ( struct nbd_device * nbd , struct block_device * bdev )
{
struct nbd_config * config = nbd - > config ;
int ret ;
ret = nbd_start_device ( nbd ) ;
if ( ret )
return ret ;
if ( max_part )
2020-09-21 09:19:45 +02:00
set_bit ( GD_NEED_PART_SCAN , & nbd - > disk - > state ) ;
2017-04-06 17:02:00 -04:00
mutex_unlock ( & nbd - > config_lock ) ;
ret = wait_event_interruptible ( config - > recv_wq ,
2017-04-06 17:01:58 -04:00
atomic_read ( & config - > recv_threads ) = = 0 ) ;
2019-12-08 16:51:50 -06:00
if ( ret )
2017-04-06 17:01:58 -04:00
sock_shutdown ( nbd ) ;
2019-12-08 16:51:50 -06:00
flush_workqueue ( nbd - > recv_workq ) ;
2017-02-07 17:10:22 -05:00
mutex_lock ( & nbd - > config_lock ) ;
2018-05-16 14:51:22 -04:00
nbd_bdev_reset ( bdev ) ;
2017-02-07 17:10:22 -05:00
/* user requested, ignore socket errors */
2019-09-17 17:26:05 +05:30
if ( test_bit ( NBD_RT_DISCONNECT_REQUESTED , & config - > runtime_flags ) )
2017-04-06 17:02:00 -04:00
ret = 0 ;
2019-09-17 17:26:05 +05:30
if ( test_bit ( NBD_RT_TIMEDOUT , & config - > runtime_flags ) )
2017-04-06 17:02:00 -04:00
ret = - ETIMEDOUT ;
return ret ;
2017-02-07 17:10:22 -05:00
}
2017-04-06 17:01:59 -04:00
static void nbd_clear_sock_ioctl ( struct nbd_device * nbd ,
struct block_device * bdev )
{
2017-04-06 17:02:03 -04:00
sock_shutdown ( nbd ) ;
2019-07-31 20:13:10 +08:00
__invalidate_device ( bdev , true ) ;
2017-04-06 17:01:59 -04:00
nbd_bdev_reset ( bdev ) ;
2019-09-17 17:26:05 +05:30
if ( test_and_clear_bit ( NBD_RT_HAS_CONFIG_REF ,
2017-04-06 17:02:00 -04:00
& nbd - > config - > runtime_flags ) )
nbd_config_put ( nbd ) ;
2017-04-06 17:01:59 -04:00
}
2019-08-13 11:39:49 -05:00
static void nbd_set_cmd_timeout ( struct nbd_device * nbd , u64 timeout )
{
nbd - > tag_set . timeout = timeout * HZ ;
2019-08-13 11:39:52 -05:00
if ( timeout )
blk_queue_rq_timeout ( nbd - > disk - > queue , timeout * HZ ) ;
2020-08-10 08:00:44 -04:00
else
blk_queue_rq_timeout ( nbd - > disk - > queue , 30 * HZ ) ;
2019-08-13 11:39:49 -05:00
}
2017-02-07 17:10:22 -05:00
/* Must be called with config_lock held */
static int __nbd_ioctl(struct block_device *bdev, struct nbd_device *nbd,
		       unsigned int cmd, unsigned long arg)
{
2017-04-06 17:01:58 -04:00
	struct nbd_config *config = nbd->config;
2021-08-04 10:12:12 +08:00
	loff_t bytesize;
2017-04-06 17:01:58 -04:00
2017-02-07 17:10:22 -05:00
	switch (cmd) {
	case NBD_DISCONNECT:
2017-04-06 17:01:59 -04:00
		return nbd_disconnect(nbd);
2017-02-07 17:10:22 -05:00
	case NBD_CLEAR_SOCK:
2017-04-06 17:01:59 -04:00
		nbd_clear_sock_ioctl(nbd, bdev);
		return 0;
2017-02-07 17:10:22 -05:00
	case NBD_SET_SOCK:
2017-04-06 17:02:00 -04:00
		return nbd_add_socket(nbd, arg, false);
2017-02-07 17:10:22 -05:00
	case NBD_SET_BLKSIZE:
2020-11-16 15:57:00 +01:00
		return nbd_set_size(nbd, config->bytesize, arg);
2005-04-16 15:20:36 -07:00
	case NBD_SET_SIZE:
2020-11-16 15:57:00 +01:00
		return nbd_set_size(nbd, arg, config->blksize);
2015-07-27 07:36:49 +02:00
	case NBD_SET_SIZE_BLOCKS:
2021-08-04 10:12:12 +08:00
		if (check_mul_overflow((loff_t)arg, config->blksize, &bytesize))
			return -EINVAL;
		return nbd_set_size(nbd, bytesize, config->blksize);
2007-10-16 23:27:37 -07:00
	case NBD_SET_TIMEOUT:
2019-08-13 11:39:52 -05:00
		nbd_set_cmd_timeout(nbd, arg);
2007-10-16 23:27:37 -07:00
		return 0;
2009-04-02 16:58:41 -07:00
2012-10-04 17:16:15 -07:00
	case NBD_SET_FLAGS:
2017-04-06 17:01:58 -04:00
		config->flags = arg;
2012-10-04 17:16:15 -07:00
		return 0;
2017-02-07 17:10:22 -05:00
	case NBD_DO_IT:
2017-04-06 17:02:00 -04:00
		return nbd_start_device_ioctl(nbd, bdev);
2005-04-16 15:20:36 -07:00
	case NBD_CLEAR_QUE:
2006-01-06 00:09:47 -08:00
		/*
		 * This is for compatibility only. The queue is always cleared
		 * by NBD_DO_IT or NBD_CLEAR_SOCK.
		 */
2005-04-16 15:20:36 -07:00
		return 0;
	case NBD_PRINT_DEBUG:
2016-09-08 12:33:37 -07:00
		/*
		 * For compatibility only, we no longer keep a list of
		 * outstanding requests.
		 */
2005-04-16 15:20:36 -07:00
		return 0;
	}
2009-04-02 16:58:41 -07:00
	return -ENOTTY;
}
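The overflow guard in the NBD_SET_SIZE_BLOCKS case above, shown as an added userspace model (not kernel code and not part of nbd.c). The names `model_loff_t`, `size_blocks_unchecked` and `size_blocks_checked` are hypothetical, and the GCC/Clang builtin `__builtin_mul_overflow` stands in for the kernel's `check_mul_overflow()`.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* Assumption of this model: loff_t is a signed 64-bit byte count. */
typedef int64_t model_loff_t;

/*
 * Multiplication without a guard. The product is computed in unsigned
 * arithmetic so the wraparound is well defined in this demo; the high
 * bits of the true product are silently dropped.
 */
static model_loff_t size_blocks_unchecked(uint64_t blocks, uint64_t blksize)
{
	return (model_loff_t)(blocks * blksize);
}

/*
 * Guarded form, mirroring
 *   check_mul_overflow((loff_t)arg, config->blksize, &bytesize)
 * Returns 0 and stores the byte size, or -EINVAL when the product does
 * not fit in the signed 64-bit result.
 */
static int size_blocks_checked(uint64_t blocks, model_loff_t blksize,
			       model_loff_t *bytesize)
{
	if (__builtin_mul_overflow((model_loff_t)blocks, blksize, bytesize))
		return -EINVAL;
	return 0;
}

int main(void)
{
	/* Constructed sample block counts, all used with 4096-byte blocks. */
	const uint64_t samples[] = {
		8,				/* ordinary request */
		(UINT64_C(1) << 51) - 1,	/* largest count that still fits */
		UINT64_C(1) << 51,		/* product is exactly 2^63 */
		(UINT64_C(1) << 52) + 1,	/* product is 2^64 + 4096 */
	};
	const model_loff_t blksize = 4096;
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		model_loff_t bytes = 0;
		int ret = size_blocks_checked(samples[i], blksize, &bytes);

		printf("blocks=%" PRIu64 " unchecked=%" PRId64 " checked=",
		       samples[i],
		       size_blocks_unchecked(samples[i], (uint64_t)blksize));
		if (ret)
			printf("rejected (%d)\n", ret);
		else
			printf("%" PRId64 "\n", bytes);
	}
	return 0;
}
```

The last sample is the instructive one: without the guard, a request for more than 2^52 blocks wraps to a 4096-byte device size instead of being refused.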
static int nbd_ioctl(struct block_device *bdev, fmode_t mode,
		     unsigned int cmd, unsigned long arg)
{
2012-03-28 14:42:51 -07:00
	struct nbd_device *nbd = bdev->bd_disk->private_data;
2017-04-06 17:02:00 -04:00
	struct nbd_config *config = nbd->config;
	int error = -EINVAL;
2009-04-02 16:58:41 -07:00
	if (!capable(CAP_SYS_ADMIN))
		return -EPERM;
2017-05-05 22:25:18 -04:00
	/* The block layer will pass back some non-nbd ioctls in case we have
	 * special handling for them, but we don't so just return an error.
	 */
	if (_IOC_TYPE(cmd) != 0xab)
		return -EINVAL;
2016-11-22 14:04:40 -05:00
	mutex_lock(&nbd->config_lock);
2017-04-06 17:02:00 -04:00
	/* Don't allow ioctl operations on a nbd device that was created with
	 * netlink, unless it's DISCONNECT or CLEAR_SOCK, which are fine.
	 */
2019-09-17 17:26:05 +05:30
	if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
2017-04-06 17:02:00 -04:00
	    (cmd == NBD_DISCONNECT || cmd == NBD_CLEAR_SOCK))
		error = __nbd_ioctl(bdev, nbd, cmd, arg);
	else
		dev_err(nbd_to_dev(nbd), "Cannot use ioctl interface on a netlink controlled device.\n");
2016-11-22 14:04:40 -05:00
	mutex_unlock(&nbd->config_lock);
2009-04-02 16:58:41 -07:00
	return error;
2005-04-16 15:20:36 -07:00
}
2017-04-06 17:01:58 -04:00
static struct nbd_config * nbd_alloc_config ( void )
{
struct nbd_config * config ;
config = kzalloc ( sizeof ( struct nbd_config ) , GFP_NOFS ) ;
if ( ! config )
return NULL ;
atomic_set ( & config - > recv_threads , 0 ) ;
init_waitqueue_head ( & config - > recv_wq ) ;
2017-04-06 17:02:04 -04:00
init_waitqueue_head ( & config - > conn_wait ) ;
2019-05-29 15:16:05 -05:00
config - > blksize = NBD_DEF_BLKSIZE ;
2017-04-06 17:02:04 -04:00
atomic_set ( & config - > live_connections , 0 ) ;
2017-04-06 17:01:58 -04:00
try_module_get ( THIS_MODULE ) ;
return config ;
}
static int nbd_open ( struct block_device * bdev , fmode_t mode )
{
struct nbd_device * nbd ;
int ret = 0 ;
mutex_lock ( & nbd_index_mutex ) ;
nbd = bdev - > bd_disk - > private_data ;
if ( ! nbd ) {
ret = - ENXIO ;
goto out ;
}
2017-04-06 17:02:06 -04:00
if ( ! refcount_inc_not_zero ( & nbd - > refs ) ) {
ret = - ENXIO ;
goto out ;
}
2017-04-06 17:01:58 -04:00
if ( ! refcount_inc_not_zero ( & nbd - > config_refs ) ) {
struct nbd_config * config ;
mutex_lock ( & nbd - > config_lock ) ;
if ( refcount_inc_not_zero ( & nbd - > config_refs ) ) {
mutex_unlock ( & nbd - > config_lock ) ;
goto out ;
}
config = nbd - > config = nbd_alloc_config ( ) ;
if ( ! config ) {
ret = - ENOMEM ;
mutex_unlock ( & nbd - > config_lock ) ;
goto out ;
}
refcount_set ( & nbd - > config_refs , 1 ) ;
2017-04-06 17:02:06 -04:00
refcount_inc ( & nbd - > refs ) ;
2017-04-06 17:01:58 -04:00
mutex_unlock ( & nbd - > config_lock ) ;
2020-12-17 00:58:47 -08:00
if ( max_part )
set_bit ( GD_NEED_PART_SCAN , & bdev - > bd_disk - > state ) ;
2018-05-16 14:51:21 -04:00
} else if ( nbd_disconnected ( nbd - > config ) ) {
2020-12-17 00:58:47 -08:00
if ( max_part )
set_bit ( GD_NEED_PART_SCAN , & bdev - > bd_disk - > state ) ;
2017-04-06 17:01:58 -04:00
}
out :
mutex_unlock ( & nbd_index_mutex ) ;
return ret ;
}
static void nbd_release ( struct gendisk * disk , fmode_t mode )
{
struct nbd_device * nbd = disk - > private_data ;
2018-06-15 14:05:32 -07:00
2019-09-17 17:26:05 +05:30
if ( test_bit ( NBD_RT_DISCONNECT_ON_CLOSE , & nbd - > config - > runtime_flags ) & &
2020-11-26 10:41:07 +01:00
disk - > part0 - > bd_openers = = 0 )
2018-06-15 14:05:32 -07:00
nbd_disconnect_and_put ( nbd ) ;
2017-04-06 17:01:58 -04:00
nbd_config_put ( nbd ) ;
2017-04-06 17:02:06 -04:00
nbd_put ( nbd ) ;
2017-04-06 17:01:58 -04:00
}
2009-09-21 17:01:13 -07:00
static const struct block_device_operations nbd_fops =
2005-04-16 15:20:36 -07:00
{
. owner = THIS_MODULE ,
2017-04-06 17:01:58 -04:00
. open = nbd_open ,
. release = nbd_release ,
2010-07-08 10:18:46 +02:00
. ioctl = nbd_ioctl ,
2016-01-07 10:04:37 -05:00
. compat_ioctl = nbd_ioctl ,
2005-04-16 15:20:36 -07:00
} ;
2015-08-17 08:20:06 +02:00
# if IS_ENABLED(CONFIG_DEBUG_FS)
static int nbd_dbg_tasks_show ( struct seq_file * s , void * unused )
{
struct nbd_device * nbd = s - > private ;
if ( nbd - > task_recv )
seq_printf ( s , " recv: %d \n " , task_pid_nr ( nbd - > task_recv ) ) ;
return 0 ;
}
2021-02-06 15:10:55 +08:00
DEFINE_SHOW_ATTRIBUTE ( nbd_dbg_tasks ) ;
2015-08-17 08:20:06 +02:00
static int nbd_dbg_flags_show ( struct seq_file * s , void * unused )
{
struct nbd_device * nbd = s - > private ;
2017-04-06 17:01:58 -04:00
u32 flags = nbd - > config - > flags ;
2015-08-17 08:20:06 +02:00
seq_printf ( s , " Hex: 0x%08x \n \n " , flags ) ;
seq_puts ( s , " Known flags: \n " ) ;
if ( flags & NBD_FLAG_HAS_FLAGS )
seq_puts ( s , " NBD_FLAG_HAS_FLAGS \n " ) ;
if ( flags & NBD_FLAG_READ_ONLY )
seq_puts ( s , " NBD_FLAG_READ_ONLY \n " ) ;
if ( flags & NBD_FLAG_SEND_FLUSH )
seq_puts ( s , " NBD_FLAG_SEND_FLUSH \n " ) ;
2017-05-25 23:55:54 -04:00
if ( flags & NBD_FLAG_SEND_FUA )
seq_puts ( s , " NBD_FLAG_SEND_FUA \n " ) ;
2015-08-17 08:20:06 +02:00
if ( flags & NBD_FLAG_SEND_TRIM )
seq_puts ( s , " NBD_FLAG_SEND_TRIM \n " ) ;
return 0 ;
}
2021-02-06 15:10:55 +08:00
DEFINE_SHOW_ATTRIBUTE ( nbd_dbg_flags ) ;
2015-08-17 08:20:06 +02:00
static int nbd_dev_dbg_init ( struct nbd_device * nbd )
{
struct dentry * dir ;
2017-04-06 17:01:58 -04:00
struct nbd_config * config = nbd - > config ;
2015-10-24 21:15:34 +02:00
if ( ! nbd_dbg_dir )
return - EIO ;
2015-08-17 08:20:06 +02:00
dir = debugfs_create_dir ( nbd_name ( nbd ) , nbd_dbg_dir ) ;
2015-10-24 21:15:34 +02:00
if ( ! dir ) {
dev_err ( nbd_to_dev ( nbd ) , " Failed to create debugfs dir for '%s' \n " ,
nbd_name ( nbd ) ) ;
return - EIO ;
2015-08-17 08:20:06 +02:00
}
2017-04-06 17:01:58 -04:00
config - > dbg_dir = dir ;
2015-08-17 08:20:06 +02:00
2021-02-06 15:10:55 +08:00
debugfs_create_file ( " tasks " , 0444 , dir , nbd , & nbd_dbg_tasks_fops ) ;
2017-04-06 17:01:58 -04:00
debugfs_create_u64 ( " size_bytes " , 0444 , dir , & config - > bytesize ) ;
2016-09-08 12:33:40 -07:00
debugfs_create_u32 ( " timeout " , 0444 , dir , & nbd - > tag_set . timeout ) ;
2017-04-06 17:01:58 -04:00
debugfs_create_u64 ( " blocksize " , 0444 , dir , & config - > blksize ) ;
2021-02-06 15:10:55 +08:00
debugfs_create_file ( " flags " , 0444 , dir , nbd , & nbd_dbg_flags_fops ) ;
2015-08-17 08:20:06 +02:00
return 0 ;
}
static void nbd_dev_dbg_close ( struct nbd_device * nbd )
{
2017-04-06 17:01:58 -04:00
debugfs_remove_recursive ( nbd - > config - > dbg_dir ) ;
2015-08-17 08:20:06 +02:00
}
static int nbd_dbg_init ( void )
{
struct dentry * dbg_dir ;
dbg_dir = debugfs_create_dir ( " nbd " , NULL ) ;
2015-10-24 21:15:34 +02:00
if ( ! dbg_dir )
return - EIO ;
2015-08-17 08:20:06 +02:00
nbd_dbg_dir = dbg_dir ;
return 0 ;
}
static void nbd_dbg_close ( void )
{
debugfs_remove_recursive ( nbd_dbg_dir ) ;
}
# else /* IS_ENABLED(CONFIG_DEBUG_FS) */
static int nbd_dev_dbg_init ( struct nbd_device * nbd )
{
return 0 ;
}
static void nbd_dev_dbg_close ( struct nbd_device * nbd )
{
}
static int nbd_dbg_init ( void )
{
return 0 ;
}
static void nbd_dbg_close ( void )
{
}
# endif
2017-05-01 10:19:08 -06:00
static int nbd_init_request ( struct blk_mq_tag_set * set , struct request * rq ,
unsigned int hctx_idx , unsigned int numa_node )
2016-09-08 12:33:37 -07:00
{
struct nbd_cmd * cmd = blk_mq_rq_to_pdu ( rq ) ;
2017-05-01 10:19:08 -06:00
cmd - > nbd = set - > driver_data ;
2018-07-16 12:11:34 -04:00
cmd - > flags = 0 ;
2018-07-16 12:11:35 -04:00
mutex_init ( & cmd - > lock ) ;
2016-09-08 12:33:37 -07:00
return 0 ;
}
2017-03-30 13:39:16 -07:00
static const struct blk_mq_ops nbd_mq_ops = {
2016-09-08 12:33:37 -07:00
. queue_rq = nbd_queue_rq ,
2017-04-20 16:03:06 +02:00
. complete = nbd_complete_rq ,
2016-09-08 12:33:37 -07:00
. init_request = nbd_init_request ,
2016-09-08 12:33:40 -07:00
. timeout = nbd_xmit_timeout ,
2016-09-08 12:33:37 -07:00
} ;
2021-08-11 14:44:28 +02:00
static struct nbd_device * nbd_dev_add ( int index , unsigned int refs )
2017-02-01 16:11:40 -05:00
{
struct nbd_device * nbd ;
struct gendisk * disk ;
int err = - ENOMEM ;
nbd = kzalloc ( sizeof ( struct nbd_device ) , GFP_KERNEL ) ;
if ( ! nbd )
goto out ;
2021-06-02 09:53:34 +03:00
nbd - > tag_set . ops = & nbd_mq_ops ;
nbd - > tag_set . nr_hw_queues = 1 ;
nbd - > tag_set . queue_depth = 128 ;
nbd - > tag_set . numa_node = NUMA_NO_NODE ;
nbd - > tag_set . cmd_size = sizeof ( struct nbd_cmd ) ;
nbd - > tag_set . flags = BLK_MQ_F_SHOULD_MERGE |
BLK_MQ_F_BLOCKING ;
nbd - > tag_set . driver_data = nbd ;
nbd: do del_gendisk() asynchronously for NBD_DESTROY_ON_DISCONNECT
Now open_mutex is used to synchronize partition operations (e.g.,
blk_drop_partitions() and blkdev_reread_part()), however it makes
nbd driver broken, because nbd may call del_gendisk() in nbd_release()
or nbd_genl_disconnect() if NBD_CFLAG_DESTROY_ON_DISCONNECT is enabled,
and deadlock occurs, as shown below:
// AB-BA dead-lock
nbd_genl_disconnect            blkdev_open
  nbd_disconnect_and_put
                                 lock bd_mutex
  // last ref
  nbd_put
    lock nbd_index_mutex
    del_gendisk
                                 nbd_open
                                   try lock nbd_index_mutex
      try lock bd_mutex
or
// AA dead-lock
nbd_release
  lock bd_mutex
    nbd_put
      try lock bd_mutex
Instead of fixing block layer (e.g., introduce another lock), fixing
the nbd driver to call del_gendisk() in a kworker when
NBD_DESTROY_ON_DISCONNECT is enabled. When NBD_DESTROY_ON_DISCONNECT
is disabled, nbd device will always be destroyed through module removal,
and there is no risk of deadlock.
To ensure the reuse of nbd index succeeds, moving the calling of
idr_remove() after del_gendisk(), so if the reused index is not found
in nbd_index_idr, the old disk must have been deleted. And reusing
the existing destroy_complete mechanism to ensure nbd_genl_connect()
will wait for the completion of del_gendisk().
Also adding a new workqueue for nbd removal, so nbd_cleanup()
can ensure all removals complete before exits.
Reported-by: syzbot+0fe7752e52337864d29b@syzkaller.appspotmail.com
Fixes: c76f48eb5c08 ("block: take bd_mutex around delete_partitions in del_gendisk")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210811124428.2368491-2-hch@lst.de
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-08-11 14:44:23 +02:00
INIT_WORK ( & nbd - > remove_work , nbd_dev_remove_work ) ;
2021-04-29 15:58:28 +05:30
	nbd->backend = NULL;
2021-06-02 09:53:34 +03:00
	err = blk_mq_alloc_tag_set(&nbd->tag_set);
	if (err)
2017-02-01 16:11:40 -05:00
		goto out_free_nbd;
2021-08-11 14:44:28 +02:00
	mutex_lock(&nbd_index_mutex);
2017-02-01 16:11:40 -05:00
	if (index >= 0) {
		err = idr_alloc(&nbd_index_idr, nbd, index, index + 1,
				GFP_KERNEL);
		if (err == -ENOSPC)
			err = -EEXIST;
	} else {
		err = idr_alloc(&nbd_index_idr, nbd, 0, 0, GFP_KERNEL);
		if (err >= 0)
			index = err;
	}
2021-08-25 18:31:06 +02:00
	nbd->index = index;
2021-08-11 14:44:28 +02:00
	mutex_unlock(&nbd_index_mutex);
2017-02-01 16:11:40 -05:00
	if (err < 0)
2021-06-02 09:53:34 +03:00
		goto out_free_tags;
2017-02-01 16:11:40 -05:00
2021-06-02 09:53:34 +03:00
	disk = blk_mq_alloc_disk(&nbd->tag_set, NULL);
	if (IS_ERR(disk)) {
		err = PTR_ERR(disk);
2017-02-01 16:11:40 -05:00
		goto out_free_idr;
	}
2021-06-02 09:53:34 +03:00
	nbd->disk = disk;
2017-02-01 16:11:40 -05:00
	/*
	 * Tell the block layer that we are not a rotational device
	 */
2018-03-07 17:10:10 -08:00
	blk_queue_flag_set(QUEUE_FLAG_NONROT, disk->queue);
	blk_queue_flag_clear(QUEUE_FLAG_ADD_RANDOM, disk->queue);
2018-05-23 13:35:59 -04:00
	disk->queue->limits.discard_granularity = 0;
2018-06-05 11:41:23 -04:00
	disk->queue->limits.discard_alignment = 0;
2018-05-23 13:35:59 -04:00
	blk_queue_max_discard_sectors(disk->queue, 0);
2017-04-18 16:22:51 -04:00
	blk_queue_max_segment_size(disk->queue, UINT_MAX);
2017-04-20 15:47:01 -04:00
	blk_queue_max_segments(disk->queue, USHRT_MAX);
2017-02-01 16:11:40 -05:00
	blk_queue_max_hw_sectors(disk->queue, 65536);
	disk->queue->limits.max_sectors = 256;
	mutex_init(&nbd->config_lock);
2017-04-06 17:01:58 -04:00
	refcount_set(&nbd->config_refs, 0);
2021-08-25 18:31:05 +02:00
	/*
	 * Start out with a zero references to keep other threads from using
	 * this device until it is fully initialized.
	 */
	refcount_set(&nbd->refs, 0);
2017-04-06 17:02:06 -04:00
	INIT_LIST_HEAD(&nbd->list);
2017-02-01 16:11:40 -05:00
	disk->major = NBD_MAJOR;
2021-08-12 12:15:01 +03:00
	/* Too big first_minor can cause duplicate creation of
	 * sysfs files/links, since first_minor will be truncated to
	 * byte in __device_add_disk().
	 */
2017-02-01 16:11:40 -05:00
	disk->first_minor = index << part_shift;
2021-08-12 12:15:01 +03:00
	if (disk->first_minor > 0xff) {
		err = -EINVAL;
		goto out_free_idr;
	}
2021-06-02 09:53:34 +03:00
	disk->minors = 1 << part_shift;
2017-02-01 16:11:40 -05:00
	disk->fops = &nbd_fops;
	disk->private_data = nbd;
	sprintf(disk->disk_name, "nbd%d", index);
	add_disk(disk);
2021-08-25 18:31:05 +02:00
	/*
	 * Now publish the device.
	 */
	refcount_set(&nbd->refs, refs);
2017-04-06 17:02:05 -04:00
	nbd_total_devices++;
2021-08-11 14:44:26 +02:00
	return nbd;
2017-02-01 16:11:40 -05:00
out_free_idr:
2021-08-25 18:31:03 +02:00
	mutex_lock(&nbd_index_mutex);
2017-02-01 16:11:40 -05:00
	idr_remove(&nbd_index_idr, index);
2021-08-25 18:31:03 +02:00
	mutex_unlock(&nbd_index_mutex);
2021-06-02 09:53:34 +03:00
out_free_tags:
	blk_mq_free_tag_set(&nbd->tag_set);
2017-02-01 16:11:40 -05:00
out_free_nbd:
	kfree(nbd);
out:
2021-08-11 14:44:26 +02:00
	return ERR_PTR(err);
2017-02-01 16:11:40 -05:00
}
2021-08-25 18:31:07 +02:00
static struct nbd_device *nbd_find_get_unused(void)
2017-04-06 17:02:00 -04:00
{
2021-08-25 18:31:04 +02:00
	struct nbd_device *nbd;
	int id;
2017-04-06 17:02:00 -04:00
2021-08-25 18:31:04 +02:00
	lockdep_assert_held(&nbd_index_mutex);
2021-08-25 18:31:07 +02:00
	idr_for_each_entry(&nbd_index_idr, nbd, id) {
		if (refcount_read(&nbd->config_refs) ||
		    test_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags))
			continue;
		if (refcount_inc_not_zero(&nbd->refs))
2021-08-25 18:31:04 +02:00
			return nbd;
2017-04-06 17:02:00 -04:00
	}
2021-08-25 18:31:04 +02:00
	return NULL;
2017-04-06 17:02:00 -04:00
}
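The zero-then-publish reference pattern that nbd_dev_add() and nbd_find_get_unused() rely on above, as an added userspace C11 model (not kernel code and not part of nbd.c). struct dev_model, the table and every function name here are hypothetical; ref_inc_not_zero() assumes the contract of refcount_inc_not_zero().

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>

#define MAX_DEVS 4

/* Hypothetical userspace model of one device table entry. */
struct dev_model {
	atomic_int refs;	/* stands in for nbd->refs */
	int index;
	bool ready;		/* true once every field is initialized */
};

/* Stands in for nbd_index_idr; the demo is single-threaded, so no mutex. */
static struct dev_model *table[MAX_DEVS];

/* Take a reference only if the count is already non-zero, i.e. the object
 * has been published and is not on its way down. */
static bool ref_inc_not_zero(atomic_int *r)
{
	int old = atomic_load(r);

	while (old != 0) {
		/* on failure, old is reloaded with the current value */
		if (atomic_compare_exchange_weak(r, &old, old + 1))
			return true;
	}
	return false;
}

/* Phase 1: the entry is findable by index but holds zero references. */
void dev_insert(struct dev_model *d, int index)
{
	atomic_init(&d->refs, 0);
	d->index = index;
	d->ready = false;
	table[index] = d;
}

/* Phase 2: finish initialization, then publish by setting the real count. */
void dev_publish(struct dev_model *d, int refs)
{
	d->ready = true;
	atomic_store(&d->refs, refs);
}

/* Lookup as a concurrent connect or open would do it: find, then pin. */
struct dev_model *dev_find_get(int index)
{
	struct dev_model *d;

	if (index < 0 || index >= MAX_DEVS)
		return NULL;
	d = table[index];
	if (!d || !ref_inc_not_zero(&d->refs))
		return NULL;	/* absent, still initializing, or going down */
	return d;
}

/* Drop a reference; returns true when the caller dropped the last one. */
bool dev_put(struct dev_model *d)
{
	return atomic_fetch_sub(&d->refs, 1) == 1;
}

/* Constructed scenario; returns a bitmask of the checks that held. */
int demo(void)
{
	static struct dev_model d;
	struct dev_model *g;
	int seen = 0;

	dev_insert(&d, 1);
	if (dev_find_get(1))		/* must fail: refs == 0 */
		seen |= 1;
	dev_publish(&d, 2);
	g = dev_find_get(1);		/* must succeed: refs 2 -> 3 */
	if (g && g->ready)
		seen |= 2;
	dev_put(&d);
	dev_put(&d);
	if (dev_put(&d) && !dev_find_get(1))	/* last ref gone: unfindable */
		seen |= 4;
	return seen;
}

int main(void)
{
	return demo() == 6 ? 0 : 1;
}
```

A lookup that lands between insertion and publication sees a count of zero and backs off, so it never touches a half-initialized device; the same test rejects a device whose last reference has just been dropped.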
/* Netlink interface. */
2018-07-18 09:32:43 -07:00
static const struct nla_policy nbd_attr_policy[NBD_ATTR_MAX + 1] = {
2017-04-06 17:02:00 -04:00
	[NBD_ATTR_INDEX] = { .type = NLA_U32 },
	[NBD_ATTR_SIZE_BYTES] = { .type = NLA_U64 },
	[NBD_ATTR_BLOCK_SIZE_BYTES] = { .type = NLA_U64 },
	[NBD_ATTR_TIMEOUT] = { .type = NLA_U64 },
	[NBD_ATTR_SERVER_FLAGS] = { .type = NLA_U64 },
	[NBD_ATTR_CLIENT_FLAGS] = { .type = NLA_U64 },
	[NBD_ATTR_SOCKETS] = { .type = NLA_NESTED },
2017-04-06 17:02:04 -04:00
	[NBD_ATTR_DEAD_CONN_TIMEOUT] = { .type = NLA_U64 },
2017-04-06 17:02:05 -04:00
	[NBD_ATTR_DEVICE_LIST] = { .type = NLA_NESTED },
2021-04-29 15:58:28 +05:30
	[NBD_ATTR_BACKEND_IDENTIFIER] = { .type = NLA_STRING },
2017-04-06 17:02:00 -04:00
};
2018-07-18 09:32:43 -07:00
static const struct nla_policy nbd_sock_policy[NBD_SOCK_MAX + 1] = {
2017-04-06 17:02:00 -04:00
	[NBD_SOCK_FD] = { .type = NLA_U32 },
};
2017-04-06 17:02:05 -04:00
/* We don't use this right now since we don't parse the incoming list, but we
 * still want it here so userspace knows what to expect.
 */
2018-07-18 09:32:43 -07:00
static const struct nla_policy __attribute__((unused))
2017-04-06 17:02:05 -04:00
nbd_device_policy[NBD_DEVICE_ATTR_MAX + 1] = {
	[NBD_DEVICE_INDEX] = { .type = NLA_U32 },
	[NBD_DEVICE_CONNECTED] = { .type = NLA_U8 },
};
2019-05-29 15:16:06 -05:00
static int nbd_genl_size_set(struct genl_info *info, struct nbd_device *nbd)
{
	struct nbd_config *config = nbd->config;
	u64 bsize = config->blksize;
	u64 bytes = config->bytesize;
	if (info->attrs[NBD_ATTR_SIZE_BYTES])
		bytes = nla_get_u64(info->attrs[NBD_ATTR_SIZE_BYTES]);
2020-11-16 15:57:00 +01:00
	if (info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES])
2019-05-29 15:16:06 -05:00
		bsize = nla_get_u64(info->attrs[NBD_ATTR_BLOCK_SIZE_BYTES]);
	if (bytes != config->bytesize || bsize != config->blksize)
2020-11-16 15:57:00 +01:00
		return nbd_set_size(nbd, bytes, bsize);
2019-05-29 15:16:06 -05:00
	return 0;
}
2017-04-06 17:02:00 -04:00
static int nbd_genl_connect(struct sk_buff *skb, struct genl_info *info)
{
2021-08-25 18:31:04 +02:00
	struct nbd_device *nbd;
2017-04-06 17:02:00 -04:00
	struct nbd_config *config;
	int index = -1;
	int ret;
2017-04-06 17:02:07 -04:00
	bool put_dev = false;
2017-04-06 17:02:00 -04:00
	if (!netlink_capable(skb, CAP_SYS_ADMIN))
		return -EPERM;
	if (info->attrs[NBD_ATTR_INDEX])
		index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
	if (!info->attrs[NBD_ATTR_SOCKETS]) {
		printk(KERN_ERR "nbd: must specify at least one socket\n");
		return -EINVAL;
	}
	if (!info->attrs[NBD_ATTR_SIZE_BYTES]) {
		printk(KERN_ERR "nbd: must specify a size in bytes for the device\n");
		return -EINVAL;
	}
again:
	mutex_lock(&nbd_index_mutex);
	if (index == -1) {
2021-08-25 18:31:07 +02:00
		nbd = nbd_find_get_unused();
2017-04-06 17:02:00 -04:00
	} else {
		nbd = idr_find(&nbd_index_idr, index);
2021-08-25 18:31:08 +02:00
		if (nbd) {
			if ((test_bit(NBD_DESTROY_ON_DISCONNECT, &nbd->flags) &&
			     test_bit(NBD_DISCONNECT_REQUESTED, &nbd->flags)) ||
			    !refcount_inc_not_zero(&nbd->refs)) {
2017-08-14 18:25:33 +00:00
				mutex_unlock(&nbd_index_mutex);
2021-08-25 18:31:08 +02:00
				pr_err("nbd: device at index %d is going down\n",
					index);
				return -EINVAL;
2017-08-14 18:25:33 +00:00
			}
		}
2017-04-06 17:02:00 -04:00
	}
2021-08-25 18:31:08 +02:00
	mutex_unlock(&nbd_index_mutex);
2019-09-17 17:26:06 +05:30
2021-08-25 18:31:08 +02:00
	if (!nbd) {
2021-08-11 14:44:28 +02:00
		nbd = nbd_dev_add(index, 2);
		if (IS_ERR(nbd)) {
			pr_err("nbd: failed to add new device\n");
			return PTR_ERR(nbd);
		}
2017-04-06 17:02:00 -04:00
	}
	mutex_lock(&nbd->config_lock);
	if (refcount_read(&nbd->config_refs)) {
		mutex_unlock(&nbd->config_lock);
2017-04-06 17:02:06 -04:00
		nbd_put(nbd);
2017-04-06 17:02:00 -04:00
		if (index == -1)
			goto again;
		printk(KERN_ERR "nbd: nbd%d already in use\n", index);
		return -EBUSY;
	}
	if (WARN_ON(nbd->config)) {
		mutex_unlock(&nbd->config_lock);
2017-04-06 17:02:06 -04:00
		nbd_put(nbd);
2017-04-06 17:02:00 -04:00
		return -EINVAL;
	}
	config = nbd->config = nbd_alloc_config();
	if (!nbd->config) {
		mutex_unlock(&nbd->config_lock);
2017-04-06 17:02:06 -04:00
		nbd_put(nbd);
2017-04-06 17:02:00 -04:00
		printk(KERN_ERR "nbd: couldn't allocate config\n");
		return -ENOMEM;
	}
	refcount_set(&nbd->config_refs, 1);
2019-09-17 17:26:05 +05:30
	set_bit(NBD_RT_BOUND, &config->runtime_flags);
2017-04-06 17:02:00 -04:00
2019-05-29 15:16:06 -05:00
	ret = nbd_genl_size_set(info, nbd);
	if (ret)
		goto out;
2019-08-13 11:39:49 -05:00
	if (info->attrs[NBD_ATTR_TIMEOUT])
		nbd_set_cmd_timeout(nbd,
				    nla_get_u64(info->attrs[NBD_ATTR_TIMEOUT]));
2017-04-06 17:02:04 -04:00
	if (info->attrs[NBD_ATTR_DEAD_CONN_TIMEOUT]) {
		config->dead_conn_timeout =
			nla_get_u64(info->attrs[NBD_ATTR_DEAD_CONN_TIMEOUT]);
		config->dead_conn_timeout *= HZ;
	}
2017-04-06 17:02:00 -04:00
	if (info->attrs[NBD_ATTR_SERVER_FLAGS])
		config->flags =
			nla_get_u64(info->attrs[NBD_ATTR_SERVER_FLAGS]);
2017-04-06 17:02:07 -04:00
	if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) {
		u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]);
		if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) {
2021-02-22 15:09:53 -05:00
			/*
			 * We have 1 ref to keep the device around, and then 1
			 * ref for our current operation here, which will be
			 * inherited by the config. If we already have
			 * DESTROY_ON_DISCONNECT set then we know we don't have
			 * that extra ref already held so we don't need the
			 * put_dev.
			 */
			if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT,
					      &nbd->flags))
				put_dev = true;
2019-09-17 17:26:06 +05:30
		} else {
2021-02-22 15:09:53 -05:00
			if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT,
					       &nbd->flags))
				refcount_inc(&nbd->refs);
2017-04-06 17:02:07 -04:00
		}
2018-06-15 14:05:32 -07:00
		if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) {
2019-09-17 17:26:05 +05:30
			set_bit(NBD_RT_DISCONNECT_ON_CLOSE,
2018-06-15 14:05:32 -07:00
				&config->runtime_flags);
		}
2017-04-06 17:02:07 -04:00
	}
2017-04-06 17:02:00 -04:00
	if (info->attrs[NBD_ATTR_SOCKETS]) {
		struct nlattr *attr;
		int rem, fd;
		nla_for_each_nested(attr, info->attrs[NBD_ATTR_SOCKETS],
				    rem) {
			struct nlattr *socks[NBD_SOCK_MAX + 1];
			if (nla_type(attr) != NBD_SOCK_ITEM) {
				printk(KERN_ERR "nbd: socks must be embedded in a SOCK_ITEM attr\n");
				ret = -EINVAL;
				goto out;
			}
netlink: make validation more configurable for future strictness
We currently have two levels of strict validation:
1) liberal (default)
- undefined (type >= max) & NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
- garbage at end of message accepted
2) strict (opt-in)
- NLA_UNSPEC attributes accepted
- attribute length >= expected accepted
Split out parsing strictness into four different options:
* TRAILING - check that there's no trailing data after parsing
attributes (in message or nested)
* MAXTYPE - reject attrs > max known type
* UNSPEC - reject attributes with NLA_UNSPEC policy entries
* STRICT_ATTRS - strictly validate attribute size
The default for future things should be *everything*.
The current *_strict() is a combination of TRAILING and MAXTYPE,
and is renamed to _deprecated_strict().
The current regular parsing has none of this, and is renamed to
*_parse_deprecated().
Additionally it allows us to selectively set one of the new flags
even on old policies. Notably, the UNSPEC flag could be useful in
this case, since it can be arranged (by filling in the policy) to
not be an incompatible userspace ABI change, but would then going
forward prevent forgetting attribute entries. Similar can apply
to the POLICY flag.
We end up with the following renames:
* nla_parse -> nla_parse_deprecated
* nla_parse_strict -> nla_parse_deprecated_strict
* nlmsg_parse -> nlmsg_parse_deprecated
* nlmsg_parse_strict -> nlmsg_parse_deprecated_strict
* nla_parse_nested -> nla_parse_nested_deprecated
* nla_validate_nested -> nla_validate_nested_deprecated
Using spatch, of course:
@@
expression TB, MAX, HEAD, LEN, POL, EXT;
@@
-nla_parse(TB, MAX, HEAD, LEN, POL, EXT)
+nla_parse_deprecated(TB, MAX, HEAD, LEN, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression NLH, HDRLEN, TB, MAX, POL, EXT;
@@
-nlmsg_parse_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
+nlmsg_parse_deprecated_strict(NLH, HDRLEN, TB, MAX, POL, EXT)
@@
expression TB, MAX, NLA, POL, EXT;
@@
-nla_parse_nested(TB, MAX, NLA, POL, EXT)
+nla_parse_nested_deprecated(TB, MAX, NLA, POL, EXT)
@@
expression START, MAX, POL, EXT;
@@
-nla_validate_nested(START, MAX, POL, EXT)
+nla_validate_nested_deprecated(START, MAX, POL, EXT)
@@
expression NLH, HDRLEN, MAX, POL, EXT;
@@
-nlmsg_validate(NLH, HDRLEN, MAX, POL, EXT)
+nlmsg_validate_deprecated(NLH, HDRLEN, MAX, POL, EXT)
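Review bot: the last rule rewrites nlmsg_validate to nlmsg_validate_deprecated, but the rename list in the message does not mention it, while nla_parse_strict -> nla_parse_deprecated_strict is listed with no rule shown for it here. Add the missing list entry and either include the nla_parse_strict rule or say how those call sites were converted, so the message and the semantic patch agree.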
For this patch, don't actually add the strict, non-renamed versions
yet so that it breaks compile if I get it wrong.
Also, while at it, make nla_validate and nla_parse go down to a
common __nla_validate_parse() function to avoid code duplication.
Ultimately, this allows us to have very strict validation for every
new caller of nla_parse()/nlmsg_parse() etc as re-introduced in the
next patch, while existing things will continue to work as is.
In effect then, this adds fully strict validation for any new command.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-26 14:07:28 +02:00
			ret = nla_parse_nested_deprecated(socks, NBD_SOCK_MAX,
							  attr,
							  nbd_sock_policy,
							  info->extack);
2017-04-06 17:02:00 -04:00
			if (ret != 0) {
				printk(KERN_ERR "nbd: error processing sock list\n");
				ret = -EINVAL;
				goto out;
			}
			if (!socks[NBD_SOCK_FD])
				continue;
			fd = (int)nla_get_u32(socks[NBD_SOCK_FD]);
			ret = nbd_add_socket(nbd, fd, true);
			if (ret)
				goto out;
		}
	}
	ret = nbd_start_device(nbd);
2021-04-29 15:58:28 +05:30
	if (ret)
		goto out;
	if (info->attrs[NBD_ATTR_BACKEND_IDENTIFIER]) {
		nbd->backend = nla_strdup(info->attrs[NBD_ATTR_BACKEND_IDENTIFIER],
					  GFP_KERNEL);
		if (!nbd->backend) {
			ret = -ENOMEM;
			goto out;
		}
	}
	ret = device_create_file(disk_to_dev(nbd->disk), &backend_attr);
	if (ret) {
		dev_err(disk_to_dev(nbd->disk),
			"device_create_file failed for backend!\n");
		goto out;
	}
	set_bit(NBD_RT_HAS_BACKEND_FILE, &config->runtime_flags);
2017-04-06 17:02:00 -04:00
out:
	mutex_unlock(&nbd->config_lock);
	if (!ret) {
2019-09-17 17:26:05 +05:30
		set_bit(NBD_RT_HAS_CONFIG_REF, &config->runtime_flags);
2017-04-06 17:02:00 -04:00
		refcount_inc(&nbd->config_refs);
		nbd_connect_reply(info, nbd->index);
	}
	nbd_config_put(nbd);
2017-04-06 17:02:07 -04:00
	if (put_dev)
		nbd_put(nbd);
2017-04-06 17:02:00 -04:00
	return ret;
}
2018-06-15 14:05:32 -07:00
static void nbd_disconnect_and_put(struct nbd_device *nbd)
{
	mutex_lock(&nbd->config_lock);
	nbd_disconnect(nbd);
2021-08-13 23:13:30 +08:00
	sock_shutdown(nbd);
2019-08-04 14:10:06 -05:00
	/*
	 * Make sure recv thread has finished, so it does not drop the last
	 * config ref and try to destroy the workqueue from inside the work
2021-08-13 23:13:30 +08:00
	 * queue. And this also ensure that we can safely call nbd_clear_que()
	 * to cancel the inflight I/Os.
2019-08-04 14:10:06 -05:00
	 */
2021-05-12 19:43:30 +08:00
	if (nbd->recv_workq)
		flush_workqueue(nbd->recv_workq);
2021-08-13 23:13:30 +08:00
	nbd_clear_que(nbd);
	nbd->task_setup = NULL;
	mutex_unlock(&nbd->config_lock);
2019-09-17 17:26:05 +05:30
	if (test_and_clear_bit(NBD_RT_HAS_CONFIG_REF,
2018-06-15 14:05:32 -07:00
			       &nbd->config->runtime_flags))
		nbd_config_put(nbd);
}
2017-04-06 17:02:00 -04:00
static int nbd_genl_disconnect(struct sk_buff *skb, struct genl_info *info)
{
	struct nbd_device *nbd;
	int index;
	if (!netlink_capable(skb, CAP_SYS_ADMIN))
		return -EPERM;
	if (!info->attrs[NBD_ATTR_INDEX]) {
		printk(KERN_ERR "nbd: must specify an index to disconnect\n");
		return -EINVAL;
	}
	index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
	mutex_lock(&nbd_index_mutex);
	nbd = idr_find(&nbd_index_idr, index);
	if (!nbd) {
2017-04-06 17:02:06 -04:00
		mutex_unlock(&nbd_index_mutex);
2017-04-06 17:02:00 -04:00
		printk(KERN_ERR "nbd: couldn't find device at index %d\n",
		       index);
		return -EINVAL;
	}
2017-04-06 17:02:06 -04:00
	if (!refcount_inc_not_zero(&nbd->refs)) {
		mutex_unlock(&nbd_index_mutex);
		printk(KERN_ERR "nbd: device at index %d is going down\n",
		       index);
		return -EINVAL;
	}
	mutex_unlock(&nbd_index_mutex);
2021-05-12 19:43:31 +08:00
	if (!refcount_inc_not_zero(&nbd->config_refs))
		goto put_nbd;
2018-06-15 14:05:32 -07:00
	nbd_disconnect_and_put(nbd);
2017-04-06 17:02:00 -04:00
	nbd_config_put(nbd);
2021-05-12 19:43:31 +08:00
put_nbd:
2017-04-06 17:02:06 -04:00
	nbd_put(nbd);
2017-04-06 17:02:00 -04:00
	return 0;
}
2017-04-06 17:02:01 -04:00
static int nbd_genl_reconfigure(struct sk_buff *skb, struct genl_info *info)
{
	struct nbd_device *nbd = NULL;
	struct nbd_config *config;
	int index;
2018-06-15 14:05:32 -07:00
	int ret = 0;
2017-04-06 17:02:07 -04:00
	bool put_dev = false;
2017-04-06 17:02:01 -04:00
	if (!netlink_capable(skb, CAP_SYS_ADMIN))
		return -EPERM;
	if (!info->attrs[NBD_ATTR_INDEX]) {
		printk(KERN_ERR "nbd: must specify a device to reconfigure\n");
		return -EINVAL;
	}
	index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
	mutex_lock(&nbd_index_mutex);
	nbd = idr_find(&nbd_index_idr, index);
	if (!nbd) {
2017-04-06 17:02:06 -04:00
		mutex_unlock(&nbd_index_mutex);
2017-04-06 17:02:01 -04:00
		printk(KERN_ERR "nbd: couldn't find a device at index %d\n",
		       index);
		return -EINVAL;
	}
2021-04-29 15:58:28 +05:30
	if (nbd->backend) {
		if (info->attrs[NBD_ATTR_BACKEND_IDENTIFIER]) {
			if (nla_strcmp(info->attrs[NBD_ATTR_BACKEND_IDENTIFIER],
				       nbd->backend)) {
				mutex_unlock(&nbd_index_mutex);
				dev_err(nbd_to_dev(nbd),
					"backend image doesn't match with %s\n",
					nbd->backend);
				return -EINVAL;
			}
		} else {
			mutex_unlock(&nbd_index_mutex);
			dev_err(nbd_to_dev(nbd), "must specify backend\n");
			return -EINVAL;
		}
	}
2017-04-06 17:02:06 -04:00
	if (!refcount_inc_not_zero(&nbd->refs)) {
		mutex_unlock(&nbd_index_mutex);
		printk(KERN_ERR "nbd: device at index %d is going down\n",
		       index);
		return -EINVAL;
	}
	mutex_unlock(&nbd_index_mutex);
2017-04-06 17:02:01 -04:00
	if (!refcount_inc_not_zero(&nbd->config_refs)) {
		dev_err(nbd_to_dev(nbd),
			"not configured, cannot reconfigure\n");
2017-04-06 17:02:06 -04:00
		nbd_put(nbd);
2017-04-06 17:02:01 -04:00
		return -EINVAL;
	}
	mutex_lock(&nbd->config_lock);
	config = nbd->config;
2019-09-17 17:26:05 +05:30
	if (!test_bit(NBD_RT_BOUND, &config->runtime_flags) ||
2017-04-06 17:02:01 -04:00
	    !nbd->task_recv) {
		dev_err(nbd_to_dev(nbd),
			"not configured, cannot reconfigure\n");
2018-06-15 14:05:32 -07:00
		ret = -EINVAL;
2017-04-06 17:02:01 -04:00
		goto out;
	}
2019-05-29 15:16:06 -05:00
	ret = nbd_genl_size_set(info, nbd);
	if (ret)
		goto out;
2019-08-13 11:39:49 -05:00
	if (info->attrs[NBD_ATTR_TIMEOUT])
		nbd_set_cmd_timeout(nbd,
				    nla_get_u64(info->attrs[NBD_ATTR_TIMEOUT]));
2017-04-06 17:02:04 -04:00
	if (info->attrs[NBD_ATTR_DEAD_CONN_TIMEOUT]) {
		config->dead_conn_timeout =
			nla_get_u64(info->attrs[NBD_ATTR_DEAD_CONN_TIMEOUT]);
		config->dead_conn_timeout *= HZ;
	}
2017-04-06 17:02:07 -04:00
	if (info->attrs[NBD_ATTR_CLIENT_FLAGS]) {
		u64 flags = nla_get_u64(info->attrs[NBD_ATTR_CLIENT_FLAGS]);
		if (flags & NBD_CFLAG_DESTROY_ON_DISCONNECT) {
2021-02-22 15:09:53 -05:00
			if (!test_and_set_bit(NBD_DESTROY_ON_DISCONNECT,
					      &nbd->flags))
2017-04-06 17:02:07 -04:00
				put_dev = true;
		} else {
2021-02-22 15:09:53 -05:00
			if (test_and_clear_bit(NBD_DESTROY_ON_DISCONNECT,
					       &nbd->flags))
2017-04-06 17:02:07 -04:00
				refcount_inc(&nbd->refs);
		}
2018-06-15 14:05:32 -07:00
		if (flags & NBD_CFLAG_DISCONNECT_ON_CLOSE) {
2019-09-17 17:26:05 +05:30
			set_bit(NBD_RT_DISCONNECT_ON_CLOSE,
2018-06-15 14:05:32 -07:00
				&config->runtime_flags);
		} else {
2019-09-17 17:26:05 +05:30
			clear_bit(NBD_RT_DISCONNECT_ON_CLOSE,
2018-06-15 14:05:32 -07:00
				  &config->runtime_flags);
		}
2017-04-06 17:02:07 -04:00
	}
2017-04-06 17:02:01 -04:00
	if (info->attrs[NBD_ATTR_SOCKETS]) {
		struct nlattr *attr;
		int rem, fd;
		nla_for_each_nested(attr, info->attrs[NBD_ATTR_SOCKETS],
				    rem) {
			struct nlattr *socks[NBD_SOCK_MAX + 1];
			if (nla_type(attr) != NBD_SOCK_ITEM) {
				printk(KERN_ERR "nbd: socks must be embedded in a SOCK_ITEM attr\n");
				ret = -EINVAL;
				goto out;
			}
2019-04-26 14:07:28 +02:00
			ret = nla_parse_nested_deprecated(socks, NBD_SOCK_MAX,
							  attr,
							  nbd_sock_policy,
							  info->extack);
2017-04-06 17:02:01 -04:00
			if (ret != 0) {
				printk(KERN_ERR "nbd: error processing sock list\n");
				ret = -EINVAL;
				goto out;
			}
			if (!socks[NBD_SOCK_FD])
				continue;
			fd = (int)nla_get_u32(socks[NBD_SOCK_FD]);
			ret = nbd_reconnect_socket(nbd, fd);
			if (ret) {
				if (ret == -ENOSPC)
					ret = 0;
				goto out;
			}
			dev_info(nbd_to_dev(nbd), "reconnected socket\n");
		}
	}
out:
	mutex_unlock(&nbd->config_lock);
	nbd_config_put(nbd);
2017-04-06 17:02:06 -04:00
	nbd_put(nbd);
2017-04-06 17:02:07 -04:00
	if (put_dev)
		nbd_put(nbd);
2017-04-06 17:02:01 -04:00
	return ret;
}
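The backend-identifier check that nbd_genl_reconfigure() performs above, modelled in userspace C as an added example (not part of nbd.c). struct attr_model, attr_strcmp() and the other function names are hypothetical; attr_strcmp() assumes nla_strcmp() ignores trailing NUL bytes in the attribute payload, and the image names are the ones from the commit message.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a netlink string attribute: payload + length.
 * The kernel passes a struct nlattr instead. */
struct attr_model {
	const char *data;
	size_t len;
};

/* Assumed model of nla_strcmp(): strip trailing NULs from the payload, then
 * compare length and bytes against the stored string. Returns 0 on match. */
static int attr_strcmp(const struct attr_model *a, const char *str)
{
	size_t len = strlen(str);
	size_t alen = a->len;

	while (alen > 0 && a->data[alen - 1] == '\0')
		alen--;
	if (alen != len)
		return alen < len ? -1 : 1;
	return memcmp(a->data, str, len);
}

/* Decision taken at the top of nbd_genl_reconfigure():
 *  - no stored backend:                   nothing to compare, proceed
 *  - stored backend, attribute absent:    -EINVAL ("must specify backend")
 *  - stored backend, attribute differs:   -EINVAL ("doesn't match")
 */
int reconfigure_backend_check(const char *stored, const struct attr_model *attr)
{
	if (!stored)
		return 0;
	if (!attr)
		return -EINVAL;
	if (attr_strcmp(attr, stored))
		return -EINVAL;
	return 0;
}

/* Demo helper: send `sent` as the payload, with or without its NUL. */
int check_sent(const char *stored, const char *sent, int with_nul)
{
	struct attr_model a = { sent, strlen(sent) + (with_nul ? 1 : 0) };

	return reconfigure_backend_check(stored, &a);
}

int main(void)
{
	const char *mapped = "rbd-pool/ext4-image";	/* stored at connect */

	printf("same image:      %d\n", check_sent(mapped, "rbd-pool/ext4-image", 1));
	printf("other image:     %d\n", check_sent(mapped, "rbd-pool/xfs-image", 1));
	printf("prefix only:     %d\n", check_sent(mapped, "rbd-pool/ext4", 1));
	printf("no attribute:    %d\n", reconfigure_backend_check(mapped, NULL));
	printf("nothing stored:  %d\n", check_sent(NULL, "rbd-pool/xfs-image", 1));
	return 0;
}
```

A device that was connected without NBD_ATTR_BACKEND_IDENTIFIER has no stored string, so the check passes for any reconfigure request; the protection exists only when the initial connect supplied an identifier.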
2020-10-02 14:49:54 -07:00
static const struct genl_small_ops nbd_connect_genl_ops[] = {
2017-04-06 17:02:00 -04:00
	{
		.cmd = NBD_CMD_CONNECT,
2019-04-26 14:07:31 +02:00
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2017-04-06 17:02:00 -04:00
		.doit = nbd_genl_connect,
	},
	{
		.cmd = NBD_CMD_DISCONNECT,
2019-04-26 14:07:31 +02:00
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2017-04-06 17:02:00 -04:00
		.doit = nbd_genl_disconnect,
	},
2017-04-06 17:02:01 -04:00
	{
		.cmd = NBD_CMD_RECONFIGURE,
2019-04-26 14:07:31 +02:00
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2017-04-06 17:02:01 -04:00
		.doit = nbd_genl_reconfigure,
	},
2017-04-06 17:02:05 -04:00
	{
		.cmd = NBD_CMD_STATUS,
2019-04-26 14:07:31 +02:00
		.validate = GENL_DONT_VALIDATE_STRICT | GENL_DONT_VALIDATE_DUMP,
2017-04-06 17:02:05 -04:00
		.doit = nbd_genl_status,
	},
2017-04-06 17:02:00 -04:00
};
2017-04-06 17:02:02 -04:00
static const struct genl_multicast_group nbd_mcast_grps[] = {
	{ .name = NBD_GENL_MCAST_GROUP_NAME, },
};
2017-04-06 17:02:00 -04:00
static struct genl_family nbd_genl_family __ro_after_init = {
	.hdrsize = 0,
	.name = NBD_GENL_FAMILY_NAME,
	.version = NBD_GENL_VERSION,
	.module = THIS_MODULE,
2020-10-02 14:49:54 -07:00
	.small_ops = nbd_connect_genl_ops,
	.n_small_ops = ARRAY_SIZE(nbd_connect_genl_ops),
2017-04-06 17:02:00 -04:00
	.maxattr = NBD_ATTR_MAX,
genetlink: make policy common to family
Since maxattr is common, the policy can't really differ sanely,
so make it common as well.
The only user that did in fact manage to make a non-common policy
is taskstats, which has to be really careful about it (since it's
still using a common maxattr!). This is no longer supported, but
we can fake it using pre_doit.
This reduces the size of e.g. nl80211.o (which has lots of commands):
text data bss dec hex filename
398745 14323 2240 415308 6564c net/wireless/nl80211.o (before)
397913 14331 2240 414484 65314 net/wireless/nl80211.o (after)
--------------------------------
-832 +8 0 -824
Which is obviously just 8 bytes for each command, and an added 8
bytes for the new policy pointer. I'm not sure why the ops list is
counted as .text though.
Most of the code transformations were done using the following spatch:
@ops@
identifier OPS;
expression POLICY;
@@
struct genl_ops OPS[] = {
...,
{
- .policy = POLICY,
},
...
};
@@
identifier ops.OPS;
expression ops.POLICY;
identifier fam;
expression M;
@@
struct genl_family fam = {
.ops = OPS,
.maxattr = M,
+ .policy = POLICY,
...
};
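Review bot: the second rule takes a single ops.POLICY for the family and has no guard for an OPS[] array whose entries named different policies, so such a family would be converted without any diagnostic. The message names taskstats as the only user with a non-common policy; stating how that was checked across the tree would make the mechanical conversion easier to trust.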
This also gets rid of devlink_nl_cmd_region_read_dumpit() accessing
the cb->data as ops, which we want to change in a later genl patch.
Signed-off-by: Johannes Berg <johannes.berg@intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-03-21 22:51:02 +01:00
	.policy = nbd_attr_policy,
2017-04-06 17:02:02 -04:00
	.mcgrps = nbd_mcast_grps,
	.n_mcgrps = ARRAY_SIZE(nbd_mcast_grps),
2017-04-06 17:02:00 -04:00
};
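What the liberal parse that nbd keeps (nla_parse_nested_deprecated() with nbd_sock_policy, and GENL_DONT_VALIDATE_STRICT on every op) accepts and what a strict parse refuses, as an added userspace example that is not code from nbd.c or the kernel. The V_* flags, SOCK_FD/SOCK_MAX and the sample payloads are local stand-ins constructed here, and the three checks modelled (unknown type, over-long fixed-size payload, leftover bytes) are this example's reading of the kernel's strict validation flags.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Local stand-ins for the uapi values (assumptions, defined here so the
 * example builds without kernel headers). */
#define NLA_HDRLEN	4
#define NLA_ALIGN(n)	(((n) + 3u) & ~3u)
#define NLA_TYPE_MASK	0x3fffu
#define SOCK_FD		1	/* plays the role of NBD_SOCK_FD */
#define SOCK_MAX	1	/* plays the role of NBD_SOCK_MAX */

enum { V_LIBERAL = 0, V_TRAILING = 1, V_MAXTYPE = 2, V_STRICT_ATTRS = 4,
       V_STRICT = V_TRAILING | V_MAXTYPE | V_STRICT_ATTRS };
enum sample { S_CLEAN, S_UNKNOWN_TYPE, S_OVERSIZE_FD, S_TRAILING, S_SHORT_FD };

struct attr_hdr { uint16_t len, type; };	/* same layout as struct nlattr */

/* Policy: exact payload size per attribute type (0 = no entry). */
static const uint16_t policy_len[SOCK_MAX + 1] = { [SOCK_FD] = 4 };

/* Walk the attribute stream; 0 on accept (tb[] filled), -1 on reject. */
static int parse_attrs(const uint8_t *buf, size_t len, unsigned int flags,
		       const uint8_t **tb)
{
	size_t off = 0;

	memset(tb, 0, sizeof(*tb) * (SOCK_MAX + 1));
	while (len - off >= NLA_HDRLEN) {
		struct attr_hdr h;
		uint16_t type;
		size_t payload;

		memcpy(&h, buf + off, sizeof(h));
		if (h.len < NLA_HDRLEN || h.len > len - off)
			break;			/* rest counts as leftover bytes */
		type = h.type & NLA_TYPE_MASK;
		payload = h.len - NLA_HDRLEN;
		if (type == 0 || type > SOCK_MAX) {
			if (flags & V_MAXTYPE)
				return -1;	/* strict: unknown attribute */
		} else {
			if (payload < policy_len[type])
				return -1;	/* too short: always rejected */
			if (payload != policy_len[type] && (flags & V_STRICT_ATTRS))
				return -1;	/* strict: exact length only */
			tb[type] = buf + off + NLA_HDRLEN;
		}
		off += NLA_ALIGN(h.len);
		if (off > len)
			off = len;		/* last attribute lacked padding */
	}
	if (off < len && (flags & V_TRAILING))
		return -1;			/* strict: leftover bytes */
	return 0;
}

/* Append one attribute in host byte order; returns the new offset. */
static size_t put_attr(uint8_t *buf, size_t off, uint16_t type,
		       const void *data, uint16_t dlen)
{
	struct attr_hdr h = { (uint16_t)(NLA_HDRLEN + dlen), type };

	memset(buf + off, 0, NLA_ALIGN(h.len));
	memcpy(buf + off, &h, sizeof(h));
	memcpy(buf + off + NLA_HDRLEN, data, dlen);
	return off + NLA_ALIGN(h.len);
}

/* Build one constructed socket-item payload and parse it under `flags`. */
static int run_sample(enum sample s, unsigned int flags, uint32_t *fd_out)
{
	const uint32_t fd[2] = { 7, 0xdeadbeef };	/* fd, then excess bytes */
	const uint8_t *tb[SOCK_MAX + 1];
	uint8_t buf[64];
	size_t len;
	int ret;

	len = put_attr(buf, 0, SOCK_FD, fd,
		       s == S_OVERSIZE_FD ? 8 : s == S_SHORT_FD ? 2 : 4);
	if (s == S_UNKNOWN_TYPE)
		len = put_attr(buf, len, 9, fd, 4);	/* type 9 > SOCK_MAX */
	if (s == S_TRAILING) {
		buf[len++] = 0xaa;			/* 2 stray bytes, no header */
		buf[len++] = 0xbb;
	}
	ret = parse_attrs(buf, len, flags, tb);
	if (ret == 0 && tb[SOCK_FD])
		memcpy(fd_out, tb[SOCK_FD], sizeof(*fd_out));
	return ret;
}

int main(void)
{
	static const char *name[] = { "clean", "unknown type", "oversize fd",
				      "trailing bytes", "short fd" };
	uint32_t fd = 0;
	int s;

	for (s = S_CLEAN; s <= S_SHORT_FD; s++)
		printf("%-15s liberal=%d strict=%d\n", name[s],
		       run_sample((enum sample)s, V_LIBERAL, &fd),
		       run_sample((enum sample)s, V_STRICT, &fd));
	return 0;
}
```

In the oversize case the liberal parse still hands back the first four payload bytes as the fd, which is why handlers on the legacy path cannot treat a successful parse as proof that the message was well formed.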
2017-04-06 17:02:05 -04:00
static int populate_nbd_status(struct nbd_device *nbd, struct sk_buff *reply)
{
	struct nlattr *dev_opt;
	u8 connected = 0;
	int ret;
	/* This is a little racey, but for status it's ok. The
	 * reason we don't take a ref here is because we can't
	 * take a ref in the index == -1 case as we would need
	 * to put under the nbd_index_mutex, which could
	 * deadlock if we are configured to remove ourselves
	 * once we're disconnected.
	 */
	if (refcount_read(&nbd->config_refs))
		connected = 1;
2019-04-26 11:13:06 +02:00
	dev_opt = nla_nest_start_noflag(reply, NBD_DEVICE_ITEM);
2017-04-06 17:02:05 -04:00
	if (!dev_opt)
		return -EMSGSIZE;
	ret = nla_put_u32(reply, NBD_DEVICE_INDEX, nbd->index);
	if (ret)
		return -EMSGSIZE;
	ret = nla_put_u8(reply, NBD_DEVICE_CONNECTED,
			 connected);
	if (ret)
		return -EMSGSIZE;
	nla_nest_end(reply, dev_opt);
	return 0;
}

static int status_cb(int id, void *ptr, void *data)
{
	struct nbd_device *nbd = ptr;
	return populate_nbd_status(nbd, (struct sk_buff *)data);
}
static int nbd_genl_status(struct sk_buff *skb, struct genl_info *info)
{
	struct nlattr *dev_list;
	struct sk_buff *reply;
	void *reply_head;
	size_t msg_size;
	int index = -1;
	int ret = -ENOMEM;
	if (info->attrs[NBD_ATTR_INDEX])
		index = nla_get_u32(info->attrs[NBD_ATTR_INDEX]);
	mutex_lock(&nbd_index_mutex);
	msg_size = nla_total_size(nla_attr_size(sizeof(u32)) +
				  nla_attr_size(sizeof(u8)));
	msg_size *= (index == -1) ? nbd_total_devices : 1;
	reply = genlmsg_new(msg_size, GFP_KERNEL);
	if (!reply)
		goto out;
	reply_head = genlmsg_put_reply(reply, info, &nbd_genl_family, 0,
				       NBD_CMD_STATUS);
	if (!reply_head) {
		nlmsg_free(reply);
		goto out;
	}
2019-04-26 11:13:06 +02:00
	dev_list = nla_nest_start_noflag(reply, NBD_ATTR_DEVICE_LIST);
2017-04-06 17:02:05 -04:00
	if (index == -1) {
		ret = idr_for_each(&nbd_index_idr, &status_cb, reply);
		if (ret) {
			nlmsg_free(reply);
			goto out;
		}
	} else {
		struct nbd_device *nbd;
		nbd = idr_find(&nbd_index_idr, index);
		if (nbd) {
			ret = populate_nbd_status(nbd, reply);
			if (ret) {
				nlmsg_free(reply);
				goto out;
			}
		}
	}
	nla_nest_end(reply, dev_list);
	genlmsg_end(reply, reply_head);
2019-02-19 13:14:07 +08:00
	ret = genlmsg_reply(reply, info);
2017-04-06 17:02:05 -04:00
out:
	mutex_unlock(&nbd_index_mutex);
	return ret;
}
2017-04-06 17:02:00 -04:00
static void nbd_connect_reply(struct genl_info *info, int index)
{
	struct sk_buff *skb;
	void *msg_head;
	int ret;
	skb = genlmsg_new(nla_total_size(sizeof(u32)), GFP_KERNEL);
	if (!skb)
		return;
	msg_head = genlmsg_put_reply(skb, info, &nbd_genl_family, 0,
				     NBD_CMD_CONNECT);
	if (!msg_head) {
		nlmsg_free(skb);
		return;
	}
	ret = nla_put_u32(skb, NBD_ATTR_INDEX, index);
	if (ret) {
		nlmsg_free(skb);
		return;
	}
	genlmsg_end(skb, msg_head);
	genlmsg_reply(skb, info);
}
2005-04-16 15:20:36 -07:00
2017-04-06 17:02:02 -04:00
static void nbd_mcast_index(int index)
{
	struct sk_buff *skb;
	void *msg_head;
	int ret;
	skb = genlmsg_new(nla_total_size(sizeof(u32)), GFP_KERNEL);
	if (!skb)
		return;
	msg_head = genlmsg_put(skb, 0, 0, &nbd_genl_family, 0,
			       NBD_CMD_LINK_DEAD);
	if (!msg_head) {
		nlmsg_free(skb);
		return;
	}
	ret = nla_put_u32(skb, NBD_ATTR_INDEX, index);
	if (ret) {
		nlmsg_free(skb);
		return;
	}
	genlmsg_end(skb, msg_head);
	genlmsg_multicast(&nbd_genl_family, skb, 0, 0, GFP_KERNEL);
}

static void nbd_dead_link_work(struct work_struct *work)
{
	struct link_dead_args *args = container_of(work, struct link_dead_args,
						   work);
	nbd_mcast_index(args->index);
	kfree(args);
}
2005-04-16 15:20:36 -07:00
static int __init nbd_init(void)
{
	int i;
2006-03-25 03:07:04 -08:00
	BUILD_BUG_ON(sizeof(struct nbd_request) != 28);
2005-04-16 15:20:36 -07:00
NBD: add partition support
Permit the use of partitions with network block devices (NBD).
A new parameter is introduced to define how many partitions we want to be able
to manage per network block device. This parameter is "max_part".
For instance, to manage 63 partitions / loop device, we will do:
[on the server side]
# nbd-server 1234 /dev/sdb
[on the client side]
# modprobe nbd max_part=63
# ls -l /dev/nbd*
brw-rw---- 1 root disk 43, 0 2008-03-25 11:14 /dev/nbd0
brw-rw---- 1 root disk 43, 64 2008-03-25 11:11 /dev/nbd1
brw-rw---- 1 root disk 43, 640 2008-03-25 11:11 /dev/nbd10
brw-rw---- 1 root disk 43, 704 2008-03-25 11:11 /dev/nbd11
brw-rw---- 1 root disk 43, 768 2008-03-25 11:11 /dev/nbd12
brw-rw---- 1 root disk 43, 832 2008-03-25 11:11 /dev/nbd13
brw-rw---- 1 root disk 43, 896 2008-03-25 11:11 /dev/nbd14
brw-rw---- 1 root disk 43, 960 2008-03-25 11:11 /dev/nbd15
brw-rw---- 1 root disk 43, 128 2008-03-25 11:11 /dev/nbd2
brw-rw---- 1 root disk 43, 192 2008-03-25 11:11 /dev/nbd3
brw-rw---- 1 root disk 43, 256 2008-03-25 11:11 /dev/nbd4
brw-rw---- 1 root disk 43, 320 2008-03-25 11:11 /dev/nbd5
brw-rw---- 1 root disk 43, 384 2008-03-25 11:11 /dev/nbd6
brw-rw---- 1 root disk 43, 448 2008-03-25 11:11 /dev/nbd7
brw-rw---- 1 root disk 43, 512 2008-03-25 11:11 /dev/nbd8
brw-rw---- 1 root disk 43, 576 2008-03-25 11:11 /dev/nbd9
# nbd-client localhost 1234 /dev/nbd0
Negotiation: ..size = 80418240KB
bs=1024, sz=80418240
-------NOTE, RFC: partition table is not automatically read.
The driver sets bdev->bd_invalidated to 1 to force the read of the partition
table of the device, but this is done only on an open of the device.
So we have to do a "touch /dev/nbdX" or something like that.
It can't be done from the nbd-client or nbd driver because at this
level we can't ask to read the partition table and to serve the request
at the same time (-> deadlock)
If someone has a better idea, I'm open to any suggestion.
-------NOTE, RFC
# fdisk -l /dev/nbd0
Disk /dev/nbd0: 82.3 GB, 82348277760 bytes
255 heads, 63 sectors/track, 10011 cylinders
Units = cylinders of 16065 * 512 = 8225280 bytes
Device Boot Start End Blocks Id System
/dev/nbd0p1 * 1 9965 80043831 83 Linux
/dev/nbd0p2 9966 10011 369495 5 Extended
/dev/nbd0p5 9966 10011 369463+ 82 Linux swap / Solaris
# ls -l /dev/nbd0*
brw-rw---- 1 root disk 43, 0 2008-03-25 11:16 /dev/nbd0
brw-rw---- 1 root disk 43, 1 2008-03-25 11:16 /dev/nbd0p1
brw-rw---- 1 root disk 43, 2 2008-03-25 11:16 /dev/nbd0p2
brw-rw---- 1 root disk 43, 5 2008-03-25 11:16 /dev/nbd0p5
# mount /dev/nbd0p1 /mnt
# ls /mnt
bin dev initrd lost+found opt sbin sys var
boot etc initrd.img media proc selinux tmp vmlinuz
cdrom home lib mnt root srv usr
# umount /mnt
# nbd-client -d /dev/nbd0
# ls -l /dev/nbd0*
brw-rw---- 1 root disk 43, 0 2008-03-25 11:16 /dev/nbd0
-------NOTE
On "nbd-client -d", we can do an ioctl(BLKRRPART) to update partition table:
as the size of the device is 0, we don't have to serve the partition manager
request (-> no deadlock).
-------NOTE
Signed-off-by: Paul Clements <paul.clements@steeleye.com>
Cc: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
2008-04-29 01:02:51 -07:00
	if (max_part < 0) {
2011-08-19 14:48:28 +02:00
		printk(KERN_ERR "nbd: max_part must be >= 0\n");
2008-04-29 01:02:51 -07:00
		return -EINVAL;
	}
	part_shift = 0;
2011-05-28 14:44:46 +02:00
	if (max_part > 0) {
2008-04-29 01:02:51 -07:00
		part_shift = fls(max_part);
2011-05-28 14:44:46 +02:00
		/*
		 * Adjust max_part according to part_shift as it is exported
		 * to user space so that user can know the max number of
		 * partition kernel should be able to manage.
		 *
		 * Note that -1 is required because partition 0 is reserved
		 * for the whole disk.
		 */
		max_part = (1UL << part_shift) - 1;
	}
2011-05-28 14:44:46 +02:00
	if ((1UL << part_shift) > DISK_MAX_PARTS)
		return -EINVAL;
	if (nbds_max > 1UL << (MINORBITS - part_shift))
		return -EINVAL;
2019-08-04 14:10:06 -05:00
	if (register_blkdev(NBD_MAJOR, "nbd"))
2017-02-01 16:11:40 -05:00
		return -EIO;
2005-04-16 15:20:36 -07:00
nbd: do del_gendisk() asynchronously for NBD_DESTROY_ON_DISCONNECT
Now open_mutex is used to synchronize partition operations (e.g.,
blk_drop_partitions() and blkdev_reread_part()), however it makes
nbd driver broken, because nbd may call del_gendisk() in nbd_release()
or nbd_genl_disconnect() if NBD_CFLAG_DESTROY_ON_DISCONNECT is enabled,
and deadlock occurs, as shown below:
  // AB-BA dead-lock
  nbd_genl_disconnect            blkdev_open
    nbd_disconnect_and_put
                                   lock bd_mutex
    // last ref
    nbd_put
      lock nbd_index_mutex
        del_gendisk
                                   nbd_open
                                     try lock nbd_index_mutex
          try lock bd_mutex
  or
  // AA dead-lock
  nbd_release
    lock bd_mutex
      nbd_put
        try lock bd_mutex
Instead of fixing block layer (e.g., introduce another lock), fixing
the nbd driver to call del_gendisk() in a kworker when
NBD_DESTROY_ON_DISCONNECT is enabled. When NBD_DESTROY_ON_DISCONNECT
is disabled, nbd device will always be destroyed through module removal,
and there is no risk of deadlock.
To ensure the reuse of nbd index succeeds, moving the calling of
idr_remove() after del_gendisk(), so if the reused index is not found
in nbd_index_idr, the old disk must have been deleted. And reusing
the existing destroy_complete mechanism to ensure nbd_genl_connect()
will wait for the completion of del_gendisk().
Also adding a new workqueue for nbd removal, so nbd_cleanup()
can ensure all removals complete before it exits.
Reported-by: syzbot+0fe7752e52337864d29b@syzkaller.appspotmail.com
Fixes: c76f48eb5c08 ("block: take bd_mutex around delete_partitions in del_gendisk")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Signed-off-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20210811124428.2368491-2-hch@lst.de
Reviewed-by: Josef Bacik <josef@toxicpanda.com>
Signed-off-by: Jens Axboe <axboe@kernel.dk>
2021-08-11 14:44:23 +02:00
	nbd_del_wq = alloc_workqueue("nbd-del", WQ_UNBOUND, 0);
	if (!nbd_del_wq) {
		unregister_blkdev(NBD_MAJOR, "nbd");
		return -ENOMEM;
	}
2017-04-06 17:02:00 -04:00
	if (genl_register_family(&nbd_genl_family)) {
2021-08-11 14:44:23 +02:00
		destroy_workqueue(nbd_del_wq);
2017-04-06 17:02:00 -04:00
		unregister_blkdev(NBD_MAJOR, "nbd");
		return -EINVAL;
	}
2015-08-17 08:20:06 +02:00
	nbd_dbg_init();
2017-02-01 16:11:40 -05:00
	for (i = 0; i < nbds_max; i++)
2021-08-11 14:44:28 +02:00
		nbd_dev_add(i, 1);
2017-02-01 16:11:40 -05:00
	return 0;
}
2005-04-16 15:20:36 -07:00
2017-02-01 16:11:40 -05:00
static int nbd_exit_cb(int id, void *ptr, void *data)
{
2017-04-06 17:02:06 -04:00
	struct list_head *list = (struct list_head *)data;
2017-02-01 16:11:40 -05:00
	struct nbd_device *nbd = ptr;
2017-04-06 17:02:06 -04:00
2021-08-11 14:44:23 +02:00
	/* Skip nbd that is being removed asynchronously */
	if (refcount_read(&nbd->refs))
		list_add_tail(&nbd->list, list);
2005-04-16 15:20:36 -07:00
	return 0;
}

static void __exit nbd_cleanup(void)
{
2017-04-06 17:02:06 -04:00
	struct nbd_device *nbd;
	LIST_HEAD(del_list);
2015-08-17 08:20:06 +02:00
	nbd_dbg_close();
2017-04-06 17:02:06 -04:00
	mutex_lock(&nbd_index_mutex);
	idr_for_each(&nbd_index_idr, &nbd_exit_cb, &del_list);
	mutex_unlock(&nbd_index_mutex);
2017-04-28 09:49:19 -04:00
	while (!list_empty(&del_list)) {
		nbd = list_first_entry(&del_list, struct nbd_device, list);
		list_del_init(&nbd->list);
		if (refcount_read(&nbd->refs) != 1)
2017-04-06 17:02:06 -04:00
			printk(KERN_ERR "nbd: possibly leaking a device\n");
		nbd_put(nbd);
	}
2021-08-11 14:44:23 +02:00
	/* Also wait for nbd_dev_remove_work() completes */
	destroy_workqueue(nbd_del_wq);
2017-02-01 16:11:40 -05:00
	idr_destroy(&nbd_index_idr);
2017-04-06 17:02:00 -04:00
	genl_unregister_family(&nbd_genl_family);
2005-04-16 15:20:36 -07:00
	unregister_blkdev(NBD_MAJOR, "nbd");
}

module_init(nbd_init);
module_exit(nbd_cleanup);

MODULE_DESCRIPTION("Network Block Device");
MODULE_LICENSE("GPL");
2005-05-01 08:59:07 -07:00
module_param(nbds_max, int, 0444);
2008-04-29 01:02:51 -07:00
MODULE_PARM_DESC(nbds_max, "number of network block devices to initialize (default: 16)");
module_param(max_part, int, 0444);
2017-08-14 18:56:16 +00:00
MODULE_PARM_DESC(max_part, "number of partitions per device (default: 16)");
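The max_part and nbds_max checks from nbd_init() above, restated as an added userspace example (not part of nbd.c) so the resulting device layout can be computed for any parameter pair. DISK_MAX_PARTS and MINORBITS are restated locally, fls_uint() is a local stand-in for the kernel's fls(), and the first-minor rule index << part_shift is an assumption taken from the "43, 64 ... /dev/nbd1" listing in the partition-support commit message.

```c
#include <errno.h>
#include <stdio.h>

#define DISK_MAX_PARTS	256	/* kernel limits, restated locally */
#define MINORBITS	20

struct nbd_layout {
	int err;		/* 0 or -EINVAL, as nbd_init() would return */
	int part_shift;
	int max_part;		/* adjusted value exported back to user space */
};

/* Find last set bit, 1-based, 0 for x == 0 (same contract as fls()). */
static int fls_uint(unsigned int x)
{
	int bit = 0;

	while (x) {
		bit++;
		x >>= 1;
	}
	return bit;
}

/* Mirror of the parameter validation in nbd_init(), same order of checks. */
static struct nbd_layout compute_layout(int max_part, int nbds_max)
{
	struct nbd_layout l = { 0, 0, max_part };

	if (max_part < 0) {
		l.err = -EINVAL;
		return l;
	}
	if (max_part > 0) {
		l.part_shift = fls_uint((unsigned int)max_part);
		/* -1 because partition 0 is the whole disk */
		l.max_part = (int)((1UL << l.part_shift) - 1);
	}
	/* Must run first: it bounds part_shift to 8, so the shift count
	 * MINORBITS - part_shift below can never go negative. */
	if ((1UL << l.part_shift) > DISK_MAX_PARTS) {
		l.err = -EINVAL;
		return l;
	}
	/* int compared against unsigned long: a negative nbds_max converts
	 * to a huge value and is rejected by the same test. */
	if ((unsigned long)nbds_max > 1UL << (MINORBITS - l.part_shift))
		l.err = -EINVAL;
	return l;
}

/* First minor of /dev/nbd<index>; assumed to be index << part_shift. */
static unsigned long first_minor(const struct nbd_layout *l, int index)
{
	return (unsigned long)index << l->part_shift;
}

int main(void)
{
	static const int samples[][2] = {	/* constructed {max_part, nbds_max} */
		{ 63, 16 }, { 16, 16 }, { 0, 16 }, { 255, 16 },
		{ 256, 16 }, { 63, 16385 }, { 63, -1 },
	};
	size_t i;

	for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		struct nbd_layout l = compute_layout(samples[i][0], samples[i][1]);

		if (l.err)
			printf("max_part=%d nbds_max=%d -> rejected (%d)\n",
			       samples[i][0], samples[i][1], l.err);
		else
			printf("max_part=%d nbds_max=%d -> part_shift=%d "
			       "max_part=%d nbd1 minor=%lu\n",
			       samples[i][0], samples[i][1], l.part_shift,
			       l.max_part, first_minor(&l, 1));
	}
	return 0;
}
```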