From: Joel Fernandes
To: linux-kernel@vger.kernel.org
Cc: Joel Fernandes, Todd Kjos, Arve Hjonnevag, Greg Hackmann, Greg Kroah-Hartman, stable@vger.kernel.org
Subject: [PATCH v2] ashmem: Fix lockdep issue during llseek
Date: Fri, 16 Feb 2018 11:02:01 -0800
Message-Id: <20180216190201.59572-1-joelaf@google.com>
X-Mailer: git-send-email 2.16.1.291.g4437f3f132-goog
X-Mailing-List: linux-kernel@vger.kernel.org

ashmem_mutex creates a chain of dependencies like so:

(1)
mmap syscall ->
  mmap_sem ->  (acquired)
  ashmem_mmap
  ashmem_mutex (try to acquire)
  (block)

(2)
llseek syscall ->
  ashmem_llseek ->
  ashmem_mutex ->  (acquired)
  inode_lock ->
  inode->i_rwsem (try to acquire)
  (block)

(3)
getdents ->
  iterate_dir ->
  inode_lock ->
  inode->i_rwsem   (acquired)
  copy_to_user ->
  mmap_sem         (try to acquire)

There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzkaller test. This patch fixes
the issue by unlocking the mutex earlier. Functionally that's OK since
we don't need to protect vfs_llseek.

[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48

Cc: Todd Kjos
Cc: Arve Hjonnevag
Cc: Greg Hackmann
Cc: Greg Kroah-Hartman
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes
---
Changes since first version:
Don't relock after vfs call since it's not needed. Only reason we lock is
to protect races with asma->file.
https://patchwork.kernel.org/patch/10185031/

 drivers/staging/android/ashmem.c | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/drivers/staging/android/ashmem.c b/drivers/staging/android/ashmem.c index bbdc53b686dd..b330e86b3a49 100644 --- a/drivers/staging/android/ashmem.c +++ b/drivers/staging/android/ashmem.c 
@@ -326,24 +326,23 @@ static loff_t ashmem_llseek(struct file *file, loff_t offset, int origin) mutex_lock(&ashmem_mutex); if (asma->size == 0) { - ret = -EINVAL; - goto out; + mutex_unlock(&ashmem_mutex); + return -EINVAL; } if (!asma->file) { - ret = -EBADF; - goto out; + mutex_unlock(&ashmem_mutex); + return -EBADF; } + mutex_unlock(&ashmem_mutex); + ret = vfs_llseek(asma->file, offset, origin); if (ret < 0) - goto out; + return ret; /** Copy f_pos from backing file, since f_ops->llseek() sets it */ file->f_pos = asma->file->f_pos; - -out: - mutex_unlock(&ashmem_mutex); return ret; } -- 2.16.1.291.g4437f3f132-goog
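
Review bot: asma->file is dereferenced after the new mutex_unlock(&ashmem_mutex), both in the vfs_llseek(asma->file, offset, origin) call and in the file->f_pos = asma->file->f_pos copy, while the changelog says the only reason for taking the lock is to protect races with asma->file. The NULL check still runs under the mutex, but nothing in this hunk shows why the pointer cannot change between that check and the two unlocked uses. Either add a comment above the new mutex_unlock() stating the invariant that makes the unlocked reads safe, or read asma->file into a local variable while the mutex is held and use that local for the vfs_llseek call and the f_pos copy.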
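
The dependency chain from the commit message, modelled as a lock-order graph in the spirit of what lockdep tracks (an added example, not part of the patch or of the kernel's lockdep code). Each edge records "held A while acquiring B"; the enum and function names are illustrative assumptions, and the check shows that the three paths form a cycle which disappears once llseek no longer holds ashmem_mutex across the VFS call.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Lock classes named in the commit message (identifiers are illustrative). */
enum lock { MMAP_SEM, ASHMEM_MUTEX, I_RWSEM, NLOCKS };

/* held_before[a][b]: some path acquires b while already holding a. */
static bool held_before[NLOCKS][NLOCKS];

/* Depth-first search: is 'target' reachable from 'from' over recorded edges? */
static bool reaches(int from, int target, bool *seen)
{
    if (seen[from]) return false;
    seen[from] = true;
    for (int next = 0; next < NLOCKS; next++) {
        if (!held_before[from][next]) continue;
        if (next == target || reaches(next, target, seen))
            return true;
    }
    return false;
}

/* An ordering cycle exists if any lock is reachable from itself. */
static bool has_cycle(void)
{
    for (int l = 0; l < NLOCKS; l++) {
        bool seen[NLOCKS] = { false };
        if (reaches(l, l, seen)) return true;
    }
    return false;
}

/* Rebuild the graph from the three paths; the flag selects pre-patch llseek. */
static bool ordering_cycle(bool llseek_holds_mutex)
{
    memset(held_before, 0, sizeof(held_before));
    held_before[MMAP_SEM][ASHMEM_MUTEX] = true;     /* (1) mmap */
    if (llseek_holds_mutex)
        held_before[ASHMEM_MUTEX][I_RWSEM] = true;  /* (2) llseek, pre-patch */
    held_before[I_RWSEM][MMAP_SEM] = true;          /* (3) getdents */
    return has_cycle();
}

int main(void)
{
    printf("cycle before patch: %d, after patch: %d\n",
           ordering_cycle(true), ordering_cycle(false));
    return 0;
}
```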