On Thu, Nov 26, 2020 at 07:22:19PM +0100, Jan Kara wrote:
> On Thu 26-11-20 14:04:15, Christoph Hellwig wrote:
> > struct hd_struct *disk_get_part(struct gendisk *disk, int partno)
> > {
> > - struct hd_struct *part;
> > + struct block_device *part;
> >
> > rcu_read_lock();
> > part = __disk_get_part(disk, partno);
> > - if (part)
> > - get_device(part_to_dev(part));
> > - rcu_read_unlock();
> > + if (!part) {
> > + rcu_read_unlock();
> > + return NULL;
> > + }
> >
> > - return part;
> > + get_device(part_to_dev(part->bd_part));
> > + rcu_read_unlock();
> > + return part->bd_part;
> > }
>
> This is not directly related to this particular patch but I'm wondering:
> What prevents say del_gendisk() from racing with disk_get_part(), so that
> delete_partition() is called just after we fetched 'part' pointer and the
> last 'part' kobject ref is dropped before disk_get_part() calls
> get_device()? I don't see anything preventing that and so we'd hand out
> 'part' that is soon to be freed (after RCU grace period expires).
At this point the hd_struct is already allocated together with the
block_device, and thus only freed after the last block_device reference
goes away plus the inode freeing RCU grace period. So the device model
ref to part is indeed gone, but that simply does not matter any more.
