lib/error-inject: traverse list with mutex
author wuchi <wuchi.zero@gmail.com>
Mon, 20 Jun 2022 10:02:44 +0000 (18:02 +0800)
committer akpm <akpm@linux-foundation.org>
Mon, 18 Jul 2022 00:31:38 +0000 (17:31 -0700)
Traversing list without mutex in get_injectable_error_type will
race with the following code:
    list_del_init(&ent->list)
    kfree(ent)
in module_unload_ei_list. So fix that.

Link: https://lkml.kernel.org/r/20220620100244.82896-1-wuchi.zero@gmail.com
Signed-off-by: wuchi <wuchi.zero@gmail.com>
Cc: Masami Hiramatsu (Google) <mhiramat@kernel.org>
Cc: Martin KaFai Lau <kafai@fb.com>
Cc: Song Liu <songliubraving@fb.com>
Cc: Yonghong Song <yhs@fb.com>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: KP Singh <kpsingh@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
lib/error-inject.c

index 4a4f1278c419166cd327a32a8e18c74f45d34028..1afca1b1cdead000910f822fcbcaddc63d4aa310 100644 (file)
@@ -40,12 +40,18 @@ bool within_error_injection_list(unsigned long addr)
 int get_injectable_error_type(unsigned long addr)
 {
        struct ei_entry *ent;
+       int ei_type = EI_ETYPE_NONE;
 
+       mutex_lock(&ei_mutex);
        list_for_each_entry(ent, &error_injection_list, list) {
-               if (addr >= ent->start_addr && addr < ent->end_addr)
-                       return ent->etype;
+               if (addr >= ent->start_addr && addr < ent->end_addr) {
+                       ei_type = ent->etype;
+                       break;
+               }
        }
-       return EI_ETYPE_NONE;
+       mutex_unlock(&ei_mutex);
+
+       return ei_type;
 }
 
 /*
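Review bot: the added mutex_lock(&ei_mutex) at the top of get_injectable_error_type() makes this lookup a function that can sleep, and neither the hunk nor the changelog records that its callers were checked to run in process context. Please add a short comment above the function stating that it takes ei_mutex and must not be called from atomic context, and say in the changelog that the callers were audited. The changelog describes a race between this traversal and kfree(ent) in module_unload_ei_list but carries no Fixes: tag, so the commit that introduced the unlocked traversal is not identified for backporting. The single-exit form with ei_type and break is the right shape here, since it keeps mutex_unlock(&ei_mutex) on every path out of the loop.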