Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

brd: fix sleeping function called from invalid context in brd_insert_page()

__xa_cmpxchg() is called with rcu_read_lock(), and it will allocate
memory if necessary.

Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(); meanwhile,
it should still be held before xa_unlock(), to prevent the returned page from
being freed by a concurrent discard.

Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630112828.421219-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

Authored by Yu Kuai and committed by Jens Axboe
0d519bb0 01ed88ae

+4 -2
drivers/block/brd.c
··· 64 64 65 65 rcu_read_unlock(); 66 66 page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM); 67 - rcu_read_lock(); 68 - if (!page) 67 + if (!page) { 68 + rcu_read_lock(); 69 69 return ERR_PTR(-ENOMEM); 70 + } 70 71 71 72 xa_lock(&brd->brd_pages); 72 73 ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL, 73 74 page, gfp); 75 + rcu_read_lock(); 74 76 if (ret) { 75 77 xa_unlock(&brd->brd_pages); 76 78 __free_page(page);
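Review bot: the locking contract this hunk now relies on (caller enters with rcu_read_lock() held, the function drops it around alloc_page(), and every return path must re-enter the RCU read-side section before returning) is nowhere stated in the visible code, and the second rcu_read_lock() in particular carries no explanation of why it must come before xa_unlock(&brd->brd_pages). A one-line comment next to that call, e.g. "/* re-enter RCU before dropping xa_lock so a concurrent discard cannot free the page we return */", would capture the reasoning from the commit message at the place a future reader will need it, and a matching comment above the early-return `if (!page) { rcu_read_lock(); return ERR_PTR(-ENOMEM); }` block would make clear that the re-lock there exists only to honour the caller's expectation rather than to protect anything. Both paths do re-acquire RCU before leaving, so the change itself looks correct; the suggestion is documentation only.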