block: partition: initialize percpuref before sending out KOBJ_ADD

commit b30a337ca27c4f40439e4bfb290cba5f88d73bb7 upstream.

The initialization of partition's percpu_ref should have been done before
sending out KOBJ_ADD uevent, which may cause userspace to read partition
table. So the uninitialized percpu_ref may be accessed in data path.

This patch fixes this issue reported by Naveen.

Reported-by: Naveen Kaje <nkaje@codeaurora.org>
Tested-by: Naveen Kaje <nkaje@codeaurora.org>
Fixes: 6c71013ecb7e2(block: partition: convert percpu ref)
Signed-off-by: Ming Lei <ming.lei@canonical.com>
Signed-off-by: Jens Axboe <axboe@fb.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/block/partition-generic.c b/block/partition-generic.c
index 746935a5973ca6c76b8f66cfff8d58ce50566994..a241e3900bc91d330002a39afe7febf3819c0650 100644 (file)
--- a/block/partition-generic.c
+++ b/block/partition-generic.c
@@ -349,15 +349,20 @@ struct hd_struct *add_partition(struct gendisk *disk, int partno,
                        goto out_del;
        }
 
+       err = hd_ref_init(p);
+       if (err) {
+               if (flags & ADDPART_FLAG_WHOLEDISK)
+                       goto out_remove_file;
+               goto out_del;
+       }
+
        /* everything is up and running, commence */
        rcu_assign_pointer(ptbl->part[partno], p);
 
        /* suppress uevent if the disk suppresses it */
        if (!dev_get_uevent_suppress(ddev))
                kobject_uevent(&pdev->kobj, KOBJ_ADD);
-
-       if (!hd_ref_init(p))
-               return p;
+       return p;
 
 out_free_info:
        free_part_info(p);
@@ -366,6 +371,8 @@ out_free_stats:
 out_free:
        kfree(p);
        return ERR_PTR(err);
+out_remove_file:
+       device_remove_file(pdev, &dev_attr_whole_disk);
 out_del:
        kobject_put(p->holder_dir);
        device_del(pdev);