From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Tetsuo Handa, syzbot, Al Viro, Christian Brauner, Sasha Levin, jlayton@kernel.org, jack@suse.cz, pc@manguebit.com, willy@infradead.org, princekumarmaurya06@gmail.com
Subject: [PATCH AUTOSEL 6.8 16/98] sysv: don't call sb_bread() with pointers_lock held
Date: Fri, 29 Mar 2024 08:36:47 -0400
Message-ID: <20240329123919.3087149-16-sashal@kernel.org>
X-Mailer: git-send-email 2.43.0
In-Reply-To: <20240329123919.3087149-1-sashal@kernel.org>
References: <20240329123919.3087149-1-sashal@kernel.org>
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
X-stable: review
X-Patchwork-Hint: Ignore
X-stable-base: Linux 6.8.2
Content-Transfer-Encoding: 8bit

From: Tetsuo Handa

[ Upstream commit f123dc86388cb669c3d6322702dc441abc35c31e ]

syzbot is reporting sleep in atomic context in SysV filesystem [1], for
sb_bread() is called with rw_spinlock held.

A "write_lock(&pointers_lock) => read_lock(&pointers_lock) deadlock" bug
and a "sb_bread() with write_lock(&pointers_lock)" bug were introduced by
"Replace BKL for chain locking with sysvfs-private rwlock" in Linux 2.5.12.

Then, "[PATCH] err1-40: sysvfs locking fix" in Linux 2.6.8 fixed the
former bug by moving pointers_lock lock to the callers, but instead
introduced a "sb_bread() with read_lock(&pointers_lock)" bug (which made
this problem easier to hit).

Al Viro suggested that why not to do like get_branch()/get_block()/find_shared()
in Minix filesystem does. And doing like that is almost a revert of
"[PATCH] err1-40: sysvfs locking fix" except that get_branch() from with
find_shared() is called without write_lock(&pointers_lock).

Reported-by: syzbot
Link: https://syzkaller.appspot.com/bug?extid=69b40dc5fd40f32c199f
Suggested-by: Al Viro
Signed-off-by: Tetsuo Handa
Link: https://lore.kernel.org/r/0d195f93-a22a-49a2-0020-103534d6f7f6@I-love.SAKURA.ne.jp
Signed-off-by: Christian Brauner Signed-off-by: Sasha Levin --- fs/sysv/itree.c | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/fs/sysv/itree.c b/fs/sysv/itree.c index 410ab2a44d2f6..19bcb51a22036 100644 --- a/fs/sysv/itree.c +++ b/fs/sysv/itree.c @@ -83,9 +83,6 @@ static inline sysv_zone_t *block_end(struct buffer_head *bh) return (sysv_zone_t*)((char*)bh->b_data + bh->b_size); } -/* - * Requires read_lock(&pointers_lock) or write_lock(&pointers_lock) - */ static Indirect *get_branch(struct inode *inode, int depth, int offsets[], @@ -105,15 +102,18 @@ static Indirect *get_branch(struct inode *inode, bh = sb_bread(sb, block); if (!bh) goto failure; + read_lock(&pointers_lock); if (!verify_chain(chain, p)) goto changed; add_chain(++p, bh, (sysv_zone_t*)bh->b_data + *++offsets); + read_unlock(&pointers_lock); if (!p->key) goto no_block; } return NULL; changed: + read_unlock(&pointers_lock); brelse(bh); *err = -EAGAIN; goto no_block; @@ -219,9 +219,7 @@ static int get_block(struct inode *inode, sector_t iblock, struct buffer_head *b goto out; reread: - read_lock(&pointers_lock); partial = get_branch(inode, depth, offsets, chain, &err); - read_unlock(&pointers_lock); /* Simplest case - block found, no allocation needed */ if (!partial) { @@ -291,9 +289,9 @@ static Indirect *find_shared(struct inode *inode, *top = 0; for (k = depth; k > 1 && !offsets[k-1]; k--) ; + partial = get_branch(inode, k, offsets, chain, &err); write_lock(&pointers_lock); - partial = get_branch(inode, k, offsets, chain, &err); if (!partial) partial = chain + k-1; /* -- 2.43.0
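Review bot: In the first hunk (@@ -83,9 +83,6 @@), the locking comment above get_branch() is deleted and nothing replaces it, so the new calling contract is undocumented. get_branch() now takes read_lock(&pointers_lock) itself after sb_bread(), which means a caller that still holds pointers_lock would bring back either the sleep in atomic context or the "write_lock(&pointers_lock) => read_lock(&pointers_lock)" deadlock named in the commit message. A replacement comment along the lines of "must be called without pointers_lock held; may sleep in sb_bread()" would make that explicit for future callers.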
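Review bot: In the get_branch() loop hunk (@@ -105,15 +102,18 @@), sb_bread(sb, block) now runs with no lock held, so correctness rests on verify_chain(chain, p) being re-run under the new read_lock() and on the -EAGAIN path at "changed:". That dependency deserves a one-line comment next to the added read_lock(&pointers_lock). The pairing itself is balanced in the visible lines: "goto failure" happens before the lock is taken, "goto changed" unlocks at the label, and the normal path unlocks before the "if (!p->key)" test.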
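Review bot: In the find_shared() hunk (@@ -291,9 +289,9 @@), partial is now computed by get_branch() before write_lock(&pointers_lock) is taken, and the lines that follow use it under the write lock without re-checking the chain; err is also not examined in the visible lines. The commit message says this mirrors the Minix filesystem, but a short comment stating what keeps the chain stable between get_branch() returning and write_lock() being acquired would help anyone auditing this path later.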