[PATCH] loop: Fix ABBA locking race (Re: [syzbot] [exfat?] possible deadlock in fat_count_free_clusters)

linux-block.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
To: Jens Axboe <axboe@kernel.dk>
Cc: linux-block@vger.kernel.org,
	syzbot <syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com>,
	linkinjeon@kernel.org, linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org, sj1557.seo@samsung.com,
	syzkaller-bugs@googlegroups.com
Subject: [PATCH] loop: Fix ABBA locking race (Re: [syzbot] [exfat?] possible deadlock in fat_count_free_clusters)
Date: Tue, 19 Nov 2024 16:27:37 +0900	[thread overview]
Message-ID: <871pz7adjq.fsf_-_@mail.parknet.co.jp> (raw)
In-Reply-To: <8734jxsyuu.fsf@mail.parknet.co.jp> (OGAWA Hirofumi's message of "Mon, 11 Nov 2024 22:07:21 +0900")

OGAWA Hirofumi <hirofumi@mail.parknet.co.jp> writes:

ping?

> Hi,
>
> syzbot <syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com> writes:
>
>> syzbot found the following issue on:
>>
>> HEAD commit:    929beafbe7ac Add linux-next specific files for 20241108
>> git tree:       linux-next
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1621bd87980000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=75175323f2078363
>> dashboard link: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
>> compiler:       Debian clang version 15.0.6, GNU ld (GNU Binutils for Debian) 2.40
>
> This patch is to fix the above race. Please check this.
>
> Thanks
>
>
> From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
> Subject: [PATCH] loop: Fix ABBA locking race
> Date: Mon, 11 Nov 2024 21:53:36 +0900
>
> Current loop calls vfs_statfs() while holding the q->limits_lock. If
> FS takes some locking in vfs_statfs callback, this may lead to ABBA
> locking bug (at least, FAT fs has this issue actually).
>
> So this patch calls vfs_statfs() outside q->limits_locks instead,
> because looks like there is no reason to hold q->limits_locks while
> getting discard configs.
>
> Chain exists of:
>   &sbi->fat_lock --> &q->q_usage_counter(io)#17 --> &q->limits_lock
>
>  Possible unsafe locking scenario:
>
>        CPU0                    CPU1
>        ----                    ----
>   lock(&q->limits_lock);
>                                lock(&q->q_usage_counter(io)#17);
>                                lock(&q->limits_lock);
>   lock(&sbi->fat_lock);
>
>  *** DEADLOCK ***
>
> Reported-by: syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=a5d8c609c02f508672cc
> Signed-off-by: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
> ---
>  drivers/block/loop.c |   31 ++++++++++++++++---------------
>  1 file changed, 16 insertions(+), 15 deletions(-)
>
> diff --git a/drivers/block/loop.c b/drivers/block/loop.c
> index 78a7bb2..5f3ce51 100644
> --- a/drivers/block/loop.c	2024-09-16 13:45:20.253220178 +0900
> +++ b/drivers/block/loop.c	2024-11-11 21:51:00.910135443 +0900
> @@ -770,12 +770,11 @@ static void loop_sysfs_exit(struct loop_
>  				   &loop_attribute_group);
>  }
>  
> -static void loop_config_discard(struct loop_device *lo,
> -		struct queue_limits *lim)
> +static void loop_get_discard_config(struct loop_device *lo,
> +				    u32 *granularity, u32 *max_discard_sectors)
>  {
>  	struct file *file = lo->lo_backing_file;
>  	struct inode *inode = file->f_mapping->host;
> -	u32 granularity = 0, max_discard_sectors = 0;
>  	struct kstatfs sbuf;
>  
>  	/*
> @@ -788,8 +787,9 @@ static void loop_config_discard(struct l
>  	if (S_ISBLK(inode->i_mode)) {
>  		struct request_queue *backingq = bdev_get_queue(I_BDEV(inode));
>  
> -		max_discard_sectors = backingq->limits.max_write_zeroes_sectors;
> -		granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
> +		*max_discard_sectors =
> +			backingq->limits.max_write_zeroes_sectors;
> +		*granularity = bdev_discard_granularity(I_BDEV(inode)) ?:
>  			queue_physical_block_size(backingq);
>  
>  	/*
> @@ -797,16 +797,9 @@ static void loop_config_discard(struct l
>  	 * image a.k.a. discard.
>  	 */
>  	} else if (file->f_op->fallocate && !vfs_statfs(&file->f_path, &sbuf)) {
> -		max_discard_sectors = UINT_MAX >> 9;
> -		granularity = sbuf.f_bsize;
> +		*max_discard_sectors = UINT_MAX >> 9;
> +		*granularity = sbuf.f_bsize;
>  	}
> -
> -	lim->max_hw_discard_sectors = max_discard_sectors;
> -	lim->max_write_zeroes_sectors = max_discard_sectors;
> -	if (max_discard_sectors)
> -		lim->discard_granularity = granularity;
> -	else
> -		lim->discard_granularity = 0;
>  }
>  
>  struct loop_worker {
> @@ -992,6 +985,7 @@ static int loop_reconfigure_limits(struc
>  	struct inode *inode = file->f_mapping->host;
>  	struct block_device *backing_bdev = NULL;
>  	struct queue_limits lim;
> +	u32 granularity = 0, max_discard_sectors = 0;
>  
>  	if (S_ISBLK(inode->i_mode))
>  		backing_bdev = I_BDEV(inode);
> @@ -1001,6 +995,8 @@ static int loop_reconfigure_limits(struc
>  	if (!bsize)
>  		bsize = loop_default_blocksize(lo, backing_bdev);
>  
> +	loop_get_discard_config(lo, &granularity, &max_discard_sectors);
> +
>  	lim = queue_limits_start_update(lo->lo_queue);
>  	lim.logical_block_size = bsize;
>  	lim.physical_block_size = bsize;
> @@ -1010,7 +1006,12 @@ static int loop_reconfigure_limits(struc
>  		lim.features |= BLK_FEAT_WRITE_CACHE;
>  	if (backing_bdev && !bdev_nonrot(backing_bdev))
>  		lim.features |= BLK_FEAT_ROTATIONAL;
> -	loop_config_discard(lo, &lim);
> +	lim.max_hw_discard_sectors = max_discard_sectors;
> +	lim.max_write_zeroes_sectors = max_discard_sectors;
> +	if (max_discard_sectors)
> +		lim.discard_granularity = granularity;
> +	else
> +		lim.discard_granularity = 0;
>  	return queue_limits_commit_update(lo->lo_queue, &lim);
>  }
>  
> _

-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>

next prev parent reply	other threads:[~2024-11-19  7:33 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
     [not found] <67313d9e.050a0220.138bd5.0054.GAE@google.com>
2024-11-11 13:07 ` [syzbot] [exfat?] possible deadlock in fat_count_free_clusters OGAWA Hirofumi
2024-11-19  7:27   ` OGAWA Hirofumi [this message]
2024-11-19 12:10   ` Ming Lei
2024-11-19 14:18     ` Jens Axboe
2024-11-19 14:46       ` OGAWA Hirofumi
2024-11-19 14:55         ` Jens Axboe
2024-11-19 15:12           ` OGAWA Hirofumi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871pz7adjq.fsf_-_@mail.parknet.co.jp \
    --to=hirofumi@mail.parknet.co.jp \
    --cc=axboe@kernel.dk \
    --cc=linkinjeon@kernel.org \
    --cc=linux-block@vger.kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=sj1557.seo@samsung.com \
    --cc=syzbot+a5d8c609c02f508672cc@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).