From: Joel Fernandes
To: linux-kernel@vger.kernel.org
Cc: Joel Fernandes, Todd Kjos, Arve Hjonnevag, Greg Hackmann, Greg Kroah-Hartman
Subject: [PATCH] ashmem: Fix lockdep issue during llseek
Date: Mon, 5 Feb 2018 16:49:43 -0800
Message-Id: <20180206004943.224559-1-joelaf@google.com>

ashmem_mutex creates a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test; this patch fixes
the issue by unlocking the mutex earlier. Functionally that's OK since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Cc: Todd Kjos
Cc: Arve Hjonnevag
Cc: Greg Hackmann
Cc: Greg Kroah-Hartman
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes --- drivers/staging/android/ashmem.c | 15 +++++++-------- 1 file changed, 7 insertions(+), 8 deletions(-) diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index 7e060f32aaa8..c8b74ae53936 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c @@ -335,24 +335,23 @@ static loff_t ashmem_llseek(struct file *file, loff_t offset, int origin) mutex_lock(&ashmem_mutex); if (asma->size == 0) { - ret = -EINVAL; - goto out; + mutex_unlock(&ashmem_mutex); + return -EINVAL; } if (!asma->file) { - ret = -EBADF; - goto out; + mutex_unlock(&ashmem_mutex); + return -EBADF; } + mutex_unlock(&ashmem_mutex); + ret = vfs_llseek(asma->file, offset, origin); if (ret < 0) - goto out; + return ret; /** Copy f_pos from backing file, since f_ops->llseek() sets it */ file->f_pos = asma->file->f_pos; - -out: - mutex_unlock(&ashmem_mutex); return ret; } -- 2.16.0.rc1.238.g530d649a79-goog
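
Review bot: After the new mutex_unlock(&ashmem_mutex) placed ahead of vfs_llseek(), the function still dereferences asma->file twice without the mutex (as the vfs_llseek() argument and in file->f_pos = asma->file->f_pos), while the !asma->file check guarding those uses was made under the lock that has just been dropped. The commit message says vfs_llseek does not need protecting but not why asma->file cannot change after the unlock; please state that invariant in a comment at the unlock, or read asma->file into a local while the mutex is held and use the local afterwards. The f_pos copy is also no longer serialized against a concurrent ashmem_llseek on the same file, which deserves a sentence in the changelog. Minor: the untouched context comment opens with /**, which is kernel-doc syntax; a plain /* would be right if that line is touched again.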
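
The dependency chain in the commit message, as an added example that is not part of the original mail or of the kernel: a small user-space model of a lock-order graph with the three edges from paths (1) to (3), checked for a cycle with and without the edge that the patch removes. The enum, struct and function names are constructed for illustration, and this is a simplified model of lock-order checking, not lockdep's implementation.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes named in the commit message. */
enum lock { MMAP_SEM, ASHMEM_MUTEX, I_RWSEM, NLOCKS };

/* edge[a][b] != 0 means "b was acquired while a was held". */
struct lock_graph { int edge[NLOCKS][NLOCKS]; };

/* Depth-first search: is 'target' reachable from 'from'? */
static int reaches(const struct lock_graph *g, int from, int target, int *seen)
{
    if (from == target)
        return 1;
    if (seen[from])
        return 0;
    seen[from] = 1;
    for (int n = 0; n < NLOCKS; n++)
        if (g->edge[from][n] && reaches(g, n, target, seen))
            return 1;
    return 0;
}

/* A cycle exists if some edge a->b can be followed back from b to a. */
static int has_cycle(const struct lock_graph *g)
{
    for (int a = 0; a < NLOCKS; a++)
        for (int b = 0; b < NLOCKS; b++) {
            int seen[NLOCKS] = {0};
            if (g->edge[a][b] && reaches(g, b, a, seen))
                return 1;
        }
    return 0;
}

/* llseek_holds_mutex = 1 models the code before the patch, 0 after it. */
static struct lock_graph build_graph(int llseek_holds_mutex)
{
    struct lock_graph g;
    memset(&g, 0, sizeof(g));
    g.edge[MMAP_SEM][ASHMEM_MUTEX] = 1;      /* (1) mmap -> ashmem_mmap */
    if (llseek_holds_mutex)
        g.edge[ASHMEM_MUTEX][I_RWSEM] = 1;   /* (2) ashmem_llseek -> vfs_llseek */
    g.edge[I_RWSEM][MMAP_SEM] = 1;           /* (3) getdents -> copy_to_user */
    return g;
}

int main(void)
{
    struct lock_graph before = build_graph(1), after = build_graph(0);
    printf("before patch: %s\n", has_cycle(&before) ? "cycle" : "no cycle");
    printf("after patch:  %s\n", has_cycle(&after) ? "cycle" : "no cycle");
    return 0;
}
```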