Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp6251987imu; Mon, 21 Jan 2019 05:53:00 -0800 (PST) X-Google-Smtp-Source: ALg8bN4izfbCiBTnxpz6cNXgikCcyf3+WZQL/vhljqBZtjd0KrH/6U7EhfR02r2pWuhjIKUo39fF X-Received: by 2002:a65:65c9:: with SMTP id y9mr28805456pgv.438.1548078780203; Mon, 21 Jan 2019 05:53:00 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1548078780; cv=none; d=google.com; s=arc-20160816; b=ZmbOnAv583oIbCYTfJEBc95DjWQajpXJ4YeZ/vZMuo6IvqCcpDa/DuXnXtS8Yaq0Hh ok4z5WBBaeTOo5+yGvTtLG1aibriSEUgLfbzIECykyW+wJuAZFWH3JXel4Dw6oDaC6nS nC85Q9k+kniuIH0MlFjReeMk7ci9iZaWjBpcdtsnwUq1whuVqzxHYErbxeaPx9AToAXv KM/yu5OOrK4bh+iSyDUeJt353m0yVxOia3xbXLX7U5RwFmvQKvxT2KFmHN9jcyyFJ+FO 7OmE4Z4LzyzF9pHzX8fO1wHsDMUqF3+juBMrbrIR1EfgFzrZID4X+mYw0p4EPqoIchxM DMxg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=0epDIlaJEUBoT/C8vYIA8Zn69+wuYfTH1LBFFZEHkB4=; b=cd+LjQBOazHgqi4iO1hpmtuzZZm1NLMUs15quq3Lye7zhBdTf7j7smRi5Ud+tz5FkM dMsoF85lTaAOsAp7nRMMnBDdfJnQ0xDHLZl+NH5n6JpM26hdvs6gti4Ln4A2+DhzxbyZ +n53G/1oeZfY4Z2ImWiMPzrdd9tUS1tKL80GDNGUYpDbCvvhKVTQFIMHkqY6MGQ7TuUs wR7q+Ycf0x0/DHnFnMQpQYDNXM1HXfOjrIh+EAfirWd1nliUnl/0nUxBPje1wKUtxEzK rX1HNbZqKhFZLjfI6W9qYyhDLTvleG1r/ktL2oW4F/mp82k6bDv2WCxoa92vr2VbRP3J Us7g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dkcsqvsC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t13si13158427pgm.175.2019.01.21.05.52.44; Mon, 21 Jan 2019 05:53:00 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=dkcsqvsC; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729993AbfAUNu4 (ORCPT + 99 others); Mon, 21 Jan 2019 08:50:56 -0500 Received: from mail.kernel.org ([198.145.29.99]:33684 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1730668AbfAUNuy (ORCPT ); Mon, 21 Jan 2019 08:50:54 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 2A64A2063F; Mon, 21 Jan 2019 13:50:52 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1548078652; bh=xBjduPOz16xQhYaAE4btfiJQxGmAdlN2uDd0iEm2Egw=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dkcsqvsClcRtHZz3NiVDeMa869+eGQQaRfNFkeMps6Gk9BCuSEXYtUYZ2R8+DV2o8 sEFn+W5XwhSabAV1WuOxIzrc2pY4nr1nqoUQi5Fx3XtZgybq8A/PUafK92WDr4RtBh YlffKei1o7qxGW7sKN/6Gi4l9q41OhTll/fSK5t8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Tetsuo Handa , Jan Kara , Jens Axboe Subject: [PATCH 4.20 107/111] loop: Avoid circular locking dependency between loop_ctl_mutex and bd_mutex Date: Mon, 21 Jan 2019 14:43:41 +0100 Message-Id: <20190121122506.972806750@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190121122455.819406896@linuxfoundation.org> References: <20190121122455.819406896@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Jan Kara commit 1dded9acf6dc9a34cd27fcf8815507e4e65b3c4f upstream. Code in loop_change_fd() drops reference to the old file (and also the new file in a failure case) under loop_ctl_mutex. Similarly to a situation in loop_set_fd() this can create a circular locking dependency if this was the last reference holding the file open. Delay dropping of the file reference until we have released loop_ctl_mutex. Reported-by: Tetsuo Handa Signed-off-by: Jan Kara Signed-off-by: Jens Axboe Signed-off-by: Greg Kroah-Hartman --- drivers/block/loop.c | 26 +++++++++++++++----------- 1 file changed, 15 insertions(+), 11 deletions(-) --- a/drivers/block/loop.c +++ b/drivers/block/loop.c @@ -677,7 +677,7 @@ static int loop_validate_file(struct fil static int loop_change_fd(struct loop_device *lo, struct block_device *bdev, unsigned int arg) { - struct file *file, *old_file; + struct file *file = NULL, *old_file; int error; bool partscan; @@ -686,21 +686,21 @@ static int loop_change_fd(struct loop_de return error; error = -ENXIO; if (lo->lo_state != Lo_bound) - goto out_unlock; + goto out_err; /* the loop device has to be read-only */ error = -EINVAL; if (!(lo->lo_flags & LO_FLAGS_READ_ONLY)) - goto out_unlock; + goto out_err; error = -EBADF; file = fget(arg); if (!file) - goto out_unlock; + goto out_err; error = loop_validate_file(file, bdev); if (error) - goto out_putf; + goto out_err; old_file = lo->lo_backing_file; @@ -708,7 +708,7 @@ static int loop_change_fd(struct loop_de /* size of the new backing store needs to be the same */ if (get_loop_size(lo, file) != get_loop_size(lo, old_file)) - goto out_putf; + goto out_err; /* and ... switch */ blk_mq_freeze_queue(lo->lo_queue); @@ -719,18 +719,22 @@ static int loop_change_fd(struct loop_de lo->old_gfp_mask & ~(__GFP_IO|__GFP_FS)); loop_update_dio(lo); blk_mq_unfreeze_queue(lo->lo_queue); - - fput(old_file); partscan = lo->lo_flags & LO_FLAGS_PARTSCAN; mutex_unlock(&loop_ctl_mutex); + /* + * We must drop file reference outside of loop_ctl_mutex as dropping + * the file ref can take bd_mutex which creates circular locking + * dependency. + */ + fput(old_file); if (partscan) loop_reread_partitions(lo, bdev); return 0; -out_putf: - fput(file); -out_unlock: +out_err: mutex_unlock(&loop_ctl_mutex); + if (file) + fput(file); return error; }