From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Todd Kjos <tkjos@google.com>,
Arve Hjonnevag <arve@android.com>,
syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com,
Joel Fernandes <joelaf@google.com>,
Greg Hackmann <ghackmann@google.com>
Subject: [PATCH 3.18 20/25] staging: android: ashmem: Fix lockdep issue during llseek
Date: Fri, 16 Mar 2018 16:23:07 +0100 [thread overview]
Message-ID: <20180316152233.570461348@linuxfoundation.org> (raw)
In-Reply-To: <20180316152232.750180431@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Fernandes <joelaf@google.com>
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
ashmem_mutex create a chain of dependencies like so:
(1)
mmap syscall ->
mmap_sem -> (acquired)
ashmem_mmap
ashmem_mutex (try to acquire)
(block)
(2)
llseek syscall ->
ashmem_llseek ->
ashmem_mutex -> (acquired)
inode_lock ->
inode->i_rwsem (try to acquire)
(block)
(3)
getdents ->
iterate_dir ->
inode_lock ->
inode->i_rwsem (acquired)
copy_to_user ->
mmap_sem (try to acquire)
There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzcaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.
[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48
Acked-by: Todd Kjos <tkjos@google.com>
Cc: Arve Hjonnevag <arve@android.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes <joelaf@google.com>
Acked-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/android/ashmem.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file
mutex_lock(&ashmem_mutex);
if (asma->size == 0) {
- ret = -EINVAL;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EINVAL;
}
if (!asma->file) {
- ret = -EBADF;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EBADF;
}
+ mutex_unlock(&ashmem_mutex);
+
ret = vfs_llseek(asma->file, offset, origin);
if (ret < 0)
- goto out;
+ return ret;
/** Copy f_pos from backing file, since f_ops->llseek() sets it */
file->f_pos = asma->file->f_pos;
-
-out:
- mutex_unlock(&ashmem_mutex);
return ret;
}
next prev parent reply other threads:[~2018-03-16 15:23 UTC|newest]
Thread overview: 32+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 15:22 [PATCH 3.18 00/25] 3.18.100-stable review Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 01/25] scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS Greg Kroah-Hartman
2018-03-16 15:22 ` Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 02/25] MIPS: BMIPS: Do not mask IPIs during suspend Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 03/25] Input: matrix_keypad - fix race when disabling interrupts Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 05/25] ALSA: seq: Dont allow resizing pool in use Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 06/25] ALSA: seq: More protection for concurrent write and ioctl races Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 07/25] netfilter: x_tables: fix missing timer initialization in xt_LED Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 08/25] netfilter: nat: cope with negative port range Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 09/25] netfilter: IDLETIMER: be syzkaller friendly Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 10/25] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 11/25] netfilter: bridge: ebt_among: add missing match size checks Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 12/25] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 13/25] ubi: Fix race condition between ubi volume creation and udev Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 14/25] scripts: recordmcount: break hardlinks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 15/25] x86/module: Detect and skip invalid relocations Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 16/25] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 17/25] serial: sh-sci: prevent lockup on full TTY buffers Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 18/25] tty/serial: atmel: add new version check for usart Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 19/25] uas: fix comparison for error code Greg Kroah-Hartman
2018-03-16 15:23 ` Greg Kroah-Hartman [this message]
2018-03-16 15:23 ` [PATCH 3.18 21/25] usb: quirks: add control message delay for 1b1c:1b20 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 22/25] USB: usbmon: remove assignment from IS_ERR argument Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 23/25] usb: usbmon: Read text within supplied buffer size Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 24/25] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 25/25] fixup: sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-16 19:21 ` [PATCH 3.18 00/25] 3.18.100-stable review Harsh Shandilya
2018-03-18 10:14 ` Greg Kroah-Hartman
2018-03-16 21:00 ` kernelci.org bot
2018-03-17 14:39 ` Guenter Roeck
-- strict thread matches above, loose matches on Subject: below --
2018-03-16 15:22 [3.18,04/25] x86/MCE: Serialize sysfs changes Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 04/25] " Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180316152233.570461348@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arve@android.com \
--cc=ghackmann@google.com \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.