On Wed, 16 Sep 2020 16:52:45 +0200
Danny Milosavljevic <dannym@scratchpost.org> wrote:

> commit 692d0626557451c4b557397f20b7394b612d0289
> Author: Christoph Hellwig <hch@lst.de>
> Date:   Tue Sep 1 11:59:41 2020 +0200
> 
>     block: fix locking in bdev_del_partition
>     
>     [ Upstream commit 08fc1ab6d748ab1a690fd483f41e2938984ce353 ]
>     
>     We need to hold the whole device bd_mutex to protect against
>     other thread concurrently deleting out partition before we get
>     to it, and thus causing a use after free.
>     
>     Fixes: cddae808aeb7 ("block: pass a hd_struct to delete_partition")
>     Reported-by: syzbot+6448f3c229bc52b82f69@syzkaller.appspotmail.com
>     Signed-off-by: Christoph Hellwig <hch@lst.de>
>     Signed-off-by: Jens Axboe <axboe@kernel.dk>
>     Signed-off-by: Sasha Levin <sashal@kernel.org>
> 

int bdev_del_partition(struct block_device *bdev, int partno)
{
        struct block_device *bdevp;
        struct hd_struct *part = NULL;
        int ret;

        bdevp = bdget_disk(bdev->bd_disk, partno);
        if (!bdevp)
                return -ENOMEM; <--------------

...
}

struct block_device *bdget_disk(struct gendisk *disk, int partno)
{
        struct hd_struct *part;
        struct block_device *bdev = NULL;

        part = disk_get_part(disk, partno);
        if (part)
                bdev = bdget(part_devt(part));
        disk_put_part(part);

        return bdev;
}

struct block_device *bdget(dev_t dev)
{
        struct block_device *bdev;
        struct inode *inode;

        inode = iget5_locked(blockdev_superblock, hash(dev),
                        bdev_test, bdev_set, &dev);

        if (!inode)
                return NULL; <--------------------
[...]
}