loop: Fix ABBA locking race · tjh.dev/kernel@b491255

Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

kernel os linux

loop: Fix ABBA locking race

Current loop calls vfs_statfs() while holding the q->limits_lock. If
FS takes some locking in vfs_statfs callback, this may lead to ABBA
locking bug (at least, FAT fs has this issue actually).

So this patch calls vfs_statfs() outside q->limits_locks instead,
because looks like no reason to hold q->limits_locks while getting
discord configs.

Chain exists of:
&sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock

Possible unsafe locking scenario:

CPU0 CPU1
---- ----
lock(&q->limits_lock);
lock(&q->q_usage_counter(io)#17);
lock(&q->limits_lock);
lock(&sbi->fat_lock);

*** DEADLOCK ***

Reported-by: syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
Reviewed-by: Ming Lei <ming.lei@redhat.com>
Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
Signed-off-by: Jens Axboe <axboe@kernel.dk>

authored by

OGAWA Hirofumi and committed by

Jens Axboe 1 year ago b4912557 46fd48ab

+15 -15

1 changed file

expand all

drivers

block

loop.c

+15 -15

drivers/block/loop.c

··· 770 770 &loop_attribute_group); 771 771 } 772 772 773 - static void loop_config_discard(struct loop_device *lo, 774 - struct queue_limits *lim) 773 + static void loop_get_discard_config(struct loop_device *lo, 774 + u32 *granularity, u32 *max_discard_sectors) 775 775 { 776 776 struct file *file = lo->lo_backing_file; 777 777 struct inode *inode = file->f_mapping->host; 778 - u32 granularity = 0, max_discard_sectors = 0; 779 778 struct kstatfs sbuf; 780 779 781 780 /* ··· 787 788 if (S_ISBLK(inode->i_mode)) { 788 789 struct block_device *bdev = I_BDEV(inode); 789 790 790 - max_discard_sectors = bdev_write_zeroes_sectors(bdev); 791 - granularity = bdev_discard_granularity(bdev); 791 + *max_discard_sectors = bdev_write_zeroes_sectors(bdev); 792 + *granularity = bdev_discard_granularity(bdev); 792 793 793 794 /* 794 795 * We use punch hole to reclaim the free space used by the 795 796 * image a.k.a. discard. 796 797 */ 797 798 } else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) { 798 - max_discard_sectors = UINT_MAX >> 9; 799 - granularity = sbuf.f_bsize; 799 + *max_discard_sectors = UINT_MAX >> 9; 800 + *granularity = sbuf.f_bsize; 800 801 } 801 - 802 - lim->max_hw_discard_sectors = max_discard_sectors; 803 - lim->max_write_zeroes_sectors = max_discard_sectors; 804 - if (max_discard_sectors) 805 - lim->discard_granularity = granularity; 806 - else 807 - lim->discard_granularity = 0; 808 802 } 809 803 810 804 struct loop_worker { ··· 983 991 struct inode *inode = file->f_mapping->host; 984 992 struct block_device *backing_bdev = NULL; 985 993 struct queue_limits lim; 994 + u32 granularity = 0, max_discard_sectors = 0; 986 995 987 996 if (S_ISBLK(inode->i_mode)) 988 997 backing_bdev = I_BDEV(inode); ··· 992 999 993 1000 if (!bsize) 994 1001 bsize = loop_default_blocksize(lo, backing_bdev); 1002 + 1003 + loop_get_discard_config(lo, &granularity, &max_discard_sectors); 995 1004 996 1005 lim = queue_limits_start_update(lo->lo_queue); 997 1006 lim.logical_block_size = bsize; ··· 1004 1009 lim.features |= BLK_FEAT_WRITE_CACHE; 1005 1010 if (backing_bdev && !bdev_nonrot(backing_bdev)) 1006 1011 lim.features |= BLK_FEAT_ROTATIONAL; 1007 - loop_config_discard(lo, &lim); 1012 + lim.max_hw_discard_sectors = max_discard_sectors; 1013 + lim.max_write_zeroes_sectors = max_discard_sectors; 1014 + if (max_discard_sectors) 1015 + lim.discard_granularity = granularity; 1016 + else 1017 + lim.discard_granularity = 0; 1008 1018 return queue_limits_commit_update(lo->lo_queue, &lim); 1009 1019 } 1010 1020