* [PATCH] brd: fix leeping function called from invalid context in brd_insert_page()
@ 2025-06-28  1:14 Yu Kuai
  2025-06-28  1:14 ` Yu Kuai
  2025-06-30  5:35 ` Christoph Hellwig
  0 siblings, 2 replies; 4+ messages in thread
From: Yu Kuai @ 2025-06-28  1:14 UTC (permalink / raw)
  To: axboe, hch
  Cc: linux-block, linux-kernel, yukuai3, yukuai1, yi.zhang, yangerkun,
	johnny.chenyi

From: Yu Kuai <yukuai3@huawei.com>

__xa_cmpxchg() is called with rcu_read_lock() held, and it will allocate
memory if necessary.

Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(). Meanwhile,
it should still be held before xa_unlock(), to prevent the returned page
from being freed by a concurrent discard.

Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
---
 drivers/block/brd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index b1be6c510372..0c2eabe14af3 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -64,13 +64,15 @@ static struct page *brd_insert_page(struct brd_device *brd, sector_t sector,
 
 	rcu_read_unlock();
 	page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM);
-	rcu_read_lock();
-	if (!page)
+	if (!page) {
+		rcu_read_lock();
 		return ERR_PTR(-ENOMEM);
+	}
 
 	xa_lock(&brd->brd_pages);
 	ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL,
 			page, gfp);
+	rcu_read_lock();
 	if (ret) {
 		xa_unlock(&brd->brd_pages);
 		__free_page(page);
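Review bot: the added `+	rcu_read_lock();` between `__xa_cmpxchg()` and `xa_unlock()` should carry a comment saying why it has to sit exactly there, because the reasoning lives only in the commit message and in the code the placement looks arbitrary. Something like `/* enter the RCU read side before dropping xa_lock so a concurrent discard cannot free the page we return; it cannot be held across __xa_cmpxchg(), which may allocate with the blocking gfp */` above that line would save the next reader a trip to git log. The early-return branch `if (!page) { rcu_read_lock(); return ERR_PTR(-ENOMEM); }` correctly keeps the pre-patch behaviour of returning to the caller with rcu_read_lock() held, so both return paths in the hunk leave the RCU state as the caller expects.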
-- 
2.39.2


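The three possible placements of rcu_read_lock() that the commit message reasons about, as an added userspace model in C. This is illustration code, not the patch and not the kernel's own implementation: rcu_*, xa_*, might_sleep() and discard() below are small stand-ins for the kernel primitives, and the model assumes, as the commit message's reasoning implies, that a discard erases the page under xa_lock and frees it only after an RCU grace period. It shows that the original placement (before __xa_cmpxchg()) sleeps inside the RCU read side, that the tempting alternative of taking rcu_read_lock() after xa_unlock() would let a concurrent discard free the returned page, and that the patch's placement avoids both.

```c
/*
 * Userspace model of where rcu_read_lock() may sit in brd_insert_page().
 * Added illustration only: rcu_*, xa_*, might_sleep() and discard() are
 * small stand-ins for the kernel primitives, not the kernel's own code.
 * Assumption: a discard erases the page under xa_lock and frees it only
 * after an RCU grace period, as the commit message's reasoning implies.
 */
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define NR_SLOTS 8

struct page { bool freed; };

enum order {
	ORDER_ORIGINAL,	/* rcu_read_lock() before __xa_cmpxchg(): may sleep under RCU */
	ORDER_NAIVE,	/* rcu_read_lock() after xa_unlock(): window for a discard */
	ORDER_PATCHED,	/* rcu_read_lock() between __xa_cmpxchg() and xa_unlock() */
};

struct outcome {
	int invalid_context;	/* "sleeping function called from invalid context" count */
	bool page_freed;	/* returned page already freed when the caller touched it */
	bool locks_balanced;	/* returned with RCU held once and xa_lock dropped */
};

/* RCU read side: a depth counter plus the call_rcu() backlog. */
static int rcu_depth, rcu_nbacklog, invalid_context_warnings, xa_lock_depth;
static struct page *rcu_backlog[NR_SLOTS];
static struct page *xa_slots[NR_SLOTS];

static void rcu_grace_period(void)
{
	/* A grace period completes only once every reader has left. */
	if (rcu_depth > 0)
		return;
	for (int i = 0; i < rcu_nbacklog; i++)
		rcu_backlog[i]->freed = true;
	rcu_nbacklog = 0;
}

static void rcu_read_lock(void) { rcu_depth++; }
static void rcu_read_unlock(void) { rcu_depth--; rcu_grace_period(); }
static void call_rcu_free(struct page *p) { rcu_backlog[rcu_nbacklog++] = p; rcu_grace_period(); }

/* might_sleep(): blocking inside an RCU read-side section is the splat syzbot reported. */
static void might_sleep(void) { if (rcu_depth > 0) invalid_context_warnings++; }

static void xa_lock(void) { xa_lock_depth++; }
static void xa_unlock(void) { xa_lock_depth--; }

/* __xa_cmpxchg(NULL -> new): with a blocking gfp it may drop xa_lock to allocate a node. */
static struct page *xa_cmpxchg_empty(int idx, struct page *new)
{
	if (xa_slots[idx])
		return xa_slots[idx];
	xa_unlock();
	might_sleep();		/* node allocation with GFP_NOIO */
	xa_lock();
	xa_slots[idx] = new;
	return NULL;
}

/* Discard: erase under xa_lock, free via RCU. */
static void discard(int idx)
{
	struct page *p;

	xa_lock();
	p = xa_slots[idx];
	xa_slots[idx] = NULL;
	xa_unlock();
	if (p)
		call_rcu_free(p);
}

/*
 * brd_insert_page() shape: entered with rcu_read_lock() held, returns with it
 * held.  A discard runs at the instant xa_lock is dropped, modelling another
 * CPU winning that race.
 */
static struct page *insert_page(int idx, enum order order)
{
	struct page *page, *ret;

	rcu_read_unlock();
	page = calloc(1, sizeof(*page));
	if (!page) {
		rcu_read_lock();
		return NULL;
	}
	if (order == ORDER_ORIGINAL)
		rcu_read_lock();

	xa_lock();
	ret = xa_cmpxchg_empty(idx, page);
	if (order == ORDER_PATCHED)
		rcu_read_lock();
	xa_unlock();
	if (ret) {
		free(page);
		page = ret;
	}
	discard(idx);		/* concurrent discard wins the race here */
	if (order == ORDER_NAIVE)
		rcu_read_lock();
	return page;
}

static struct outcome run_scenario(enum order order)
{
	struct outcome o = { 0, false, false };
	struct page *page;

	rcu_depth = rcu_nbacklog = invalid_context_warnings = xa_lock_depth = 0;
	for (int i = 0; i < NR_SLOTS; i++)
		xa_slots[i] = NULL;

	rcu_read_lock();		/* the caller is already inside the read side */
	page = insert_page(3, order);
	o.invalid_context = invalid_context_warnings;
	o.locks_balanced = rcu_depth == 1 && xa_lock_depth == 0;
	o.page_freed = page ? page->freed : true;	/* caller touches the page here */
	rcu_read_unlock();
	free(page);
	return o;
}

int main(void)
{
	static const char *const names[] = { "original", "naive", "patched" };

	for (int ord = ORDER_ORIGINAL; ord <= ORDER_PATCHED; ord++) {
		struct outcome o = run_scenario((enum order)ord);

		printf("%-8s invalid-context warnings=%d, page freed under caller=%s, locks balanced=%s\n",
		       names[ord], o.invalid_context, o.page_freed ? "yes" : "no",
		       o.locks_balanced ? "yes" : "no");
	}
	return 0;
}
```

The model deliberately runs the discard at the single instant that matters, right after xa_unlock(): with the patched ordering the reader is already inside the RCU read side at that point, so the deferred free cannot complete until the caller is done with the page, while the naive ordering leaves a window in which the grace period completes immediately.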

* [PATCH] brd: fix leeping function called from invalid context in brd_insert_page()
  2025-06-28  1:14 [PATCH] brd: fix leeping function called from invalid context in brd_insert_page() Yu Kuai
@ 2025-06-28  1:14 ` Yu Kuai
  2025-06-28  1:23   ` Yu Kuai
  2025-06-30  5:35 ` Christoph Hellwig
  1 sibling, 1 reply; 4+ messages in thread
From: Yu Kuai @ 2025-06-28  1:14 UTC (permalink / raw)
  To: axboe, hch
  Cc: linux-block, linux-kernel, yukuai3, yukuai1, yi.zhang, yangerkun,
	johnny.chenyi

From: Yu Kuai <yukuai3@huawei.com>

__xa_cmpxchg() is called with rcu_read_lock() held, and it will allocate
memory if necessary.

Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(). Meanwhile,
it should still be held before xa_unlock(), to prevent the returned page
from being freed by a concurrent discard.

Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
---
 drivers/block/brd.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/drivers/block/brd.c b/drivers/block/brd.c
index b1be6c510372..0c2eabe14af3 100644
--- a/drivers/block/brd.c
+++ b/drivers/block/brd.c
@@ -64,13 +64,15 @@ static struct page *brd_insert_page(struct brd_device *brd, sector_t sector,
 
 	rcu_read_unlock();
 	page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM);
-	rcu_read_lock();
-	if (!page)
+	if (!page) {
+		rcu_read_lock();
 		return ERR_PTR(-ENOMEM);
+	}
 
 	xa_lock(&brd->brd_pages);
 	ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL,
 			page, gfp);
+	rcu_read_lock();
 	if (ret) {
 		xa_unlock(&brd->brd_pages);
 		__free_page(page);
-- 
2.39.2



* Re: [PATCH] brd: fix leeping function called from invalid context in brd_insert_page()
  2025-06-28  1:14 ` Yu Kuai
@ 2025-06-28  1:23   ` Yu Kuai
  0 siblings, 0 replies; 4+ messages in thread
From: Yu Kuai @ 2025-06-28  1:23 UTC (permalink / raw)
  To: Yu Kuai, axboe, hch
  Cc: linux-block, linux-kernel, yi.zhang, yangerkun, johnny.chenyi,
	yukuai (C)

Sorry that I somehow sent this patch twice. Please ignore the redundant
one.

Thanks,
Kuai

On 2025/06/28 9:14, Yu Kuai wrote:
> From: Yu Kuai <yukuai3@huawei.com>
> 
> __xa_cmpxchg() is called with rcu_read_lock() held, and it will allocate
> memory if necessary.
> 
> Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(). Meanwhile,
> it should still be held before xa_unlock(), to prevent the returned page
> from being freed by a concurrent discard.
> 
> Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
> Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
> Signed-off-by: Yu Kuai <yukuai3@huawei.com>
> ---
>   drivers/block/brd.c | 6 ++++--
>   1 file changed, 4 insertions(+), 2 deletions(-)
> 
> diff --git a/drivers/block/brd.c b/drivers/block/brd.c
> index b1be6c510372..0c2eabe14af3 100644
> --- a/drivers/block/brd.c
> +++ b/drivers/block/brd.c
> @@ -64,13 +64,15 @@ static struct page *brd_insert_page(struct brd_device *brd, sector_t sector,
>   
>   	rcu_read_unlock();
>   	page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM);
> -	rcu_read_lock();
> -	if (!page)
> +	if (!page) {
> +		rcu_read_lock();
>   		return ERR_PTR(-ENOMEM);
> +	}
>   
>   	xa_lock(&brd->brd_pages);
>   	ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL,
>   			page, gfp);
> +	rcu_read_lock();
>   	if (ret) {
>   		xa_unlock(&brd->brd_pages);
>   		__free_page(page);
> 



* Re: [PATCH] brd: fix leeping function called from invalid context in brd_insert_page()
  2025-06-28  1:14 [PATCH] brd: fix leeping function called from invalid context in brd_insert_page() Yu Kuai
  2025-06-28  1:14 ` Yu Kuai
@ 2025-06-30  5:35 ` Christoph Hellwig
  1 sibling, 0 replies; 4+ messages in thread
From: Christoph Hellwig @ 2025-06-30  5:35 UTC (permalink / raw)
  To: Yu Kuai
  Cc: axboe, hch, linux-block, linux-kernel, yukuai3, yi.zhang,
	yangerkun, johnny.chenyi

s/leeping/sleeping/ in the subject.

Otherwise looks good:

Reviewed-by: Christoph Hellwig <hch@lst.de>

