From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Todd Kjos <tkjos@google.com>,
Arve Hjonnevag <arve@android.com>,
syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com,
Joel Fernandes <joelaf@google.com>,
Greg Hackmann <ghackmann@google.com>
Subject: [PATCH 3.18 20/25] staging: android: ashmem: Fix lockdep issue during llseek
Date: Fri, 16 Mar 2018 16:23:07 +0100 [thread overview]
Message-ID: <20180316152233.570461348@linuxfoundation.org> (raw)
In-Reply-To: <20180316152232.750180431@linuxfoundation.org>
3.18-stable review patch. If anyone has any objections, please let me know.
------------------
From: Joel Fernandes <joelaf@google.com>
commit cb57469c9573f6018cd1302953dd45d6e05aba7b upstream.
ashmem_mutex create a chain of dependencies like so:
(1)
mmap syscall ->
mmap_sem -> (acquired)
ashmem_mmap
ashmem_mutex (try to acquire)
(block)
(2)
llseek syscall ->
ashmem_llseek ->
ashmem_mutex -> (acquired)
inode_lock ->
inode->i_rwsem (try to acquire)
(block)
(3)
getdents ->
iterate_dir ->
inode_lock ->
inode->i_rwsem (acquired)
copy_to_user ->
mmap_sem (try to acquire)
There is a lock ordering created between mmap_sem and inode->i_rwsem
causing a lockdep splat [2] during a syzcaller test, this patch fixes
the issue by unlocking the mutex earlier. Functionally that's Ok since
we don't need to protect vfs_llseek.
[1] https://patchwork.kernel.org/patch/10185031/
[2] https://lkml.org/lkml/2018/1/10/48
Acked-by: Todd Kjos <tkjos@google.com>
Cc: Arve Hjonnevag <arve@android.com>
Cc: stable@vger.kernel.org
Reported-by: syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com
Signed-off-by: Joel Fernandes <joelaf@google.com>
Acked-by: Greg Hackmann <ghackmann@google.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/staging/android/ashmem.c | 15 +++++++--------
1 file changed, 7 insertions(+), 8 deletions(-)
--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -330,24 +330,23 @@ static loff_t ashmem_llseek(struct file
mutex_lock(&ashmem_mutex);
if (asma->size == 0) {
- ret = -EINVAL;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EINVAL;
}
if (!asma->file) {
- ret = -EBADF;
- goto out;
+ mutex_unlock(&ashmem_mutex);
+ return -EBADF;
}
+ mutex_unlock(&ashmem_mutex);
+
ret = vfs_llseek(asma->file, offset, origin);
if (ret < 0)
- goto out;
+ return ret;
/** Copy f_pos from backing file, since f_ops->llseek() sets it */
file->f_pos = asma->file->f_pos;
-
-out:
- mutex_unlock(&ashmem_mutex);
return ret;
}
next prev parent reply other threads:[~2018-03-16 15:23 UTC|newest]
Thread overview: 26+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-03-16 15:22 [PATCH 3.18 00/25] 3.18.100-stable review Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 01/25] scsi: qla2xxx: Fix NULL pointer crash due to active timer for ABTS Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 02/25] MIPS: BMIPS: Do not mask IPIs during suspend Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 03/25] Input: matrix_keypad - fix race when disabling interrupts Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 04/25] x86/MCE: Serialize sysfs changes Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 07/25] netfilter: x_tables: fix missing timer initialization in xt_LED Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 08/25] netfilter: nat: cope with negative port range Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 09/25] netfilter: IDLETIMER: be syzkaller friendly Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 10/25] netfilter: ebtables: CONFIG_COMPAT: dont trust userland offsets Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 11/25] netfilter: bridge: ebt_among: add missing match size checks Greg Kroah-Hartman
2018-03-16 15:22 ` [PATCH 3.18 12/25] netfilter: ipv6: fix use-after-free Write in nf_nat_ipv6_manip_pkt Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 13/25] ubi: Fix race condition between ubi volume creation and udev Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 14/25] scripts: recordmcount: break hardlinks Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 15/25] x86/module: Detect and skip invalid relocations Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 16/25] x86: Treat R_X86_64_PLT32 as R_X86_64_PC32 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 17/25] serial: sh-sci: prevent lockup on full TTY buffers Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 18/25] tty/serial: atmel: add new version check for usart Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 19/25] uas: fix comparison for error code Greg Kroah-Hartman
2018-03-16 15:23 ` Greg Kroah-Hartman [this message]
2018-03-16 15:23 ` [PATCH 3.18 21/25] usb: quirks: add control message delay for 1b1c:1b20 Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 22/25] USB: usbmon: remove assignment from IS_ERR argument Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 23/25] usb: usbmon: Read text within supplied buffer size Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 24/25] serial: 8250_pci: Add Brainboxes UC-260 4 port serial device Greg Kroah-Hartman
2018-03-16 15:23 ` [PATCH 3.18 25/25] fixup: sctp: verify size of a new chunk in _sctp_make_chunk() Greg Kroah-Hartman
2018-03-17 14:39 ` [PATCH 3.18 00/25] 3.18.100-stable review Guenter Roeck
[not found] ` <CALpmF+FmSSq9S=PX+pZzDmgFZRWJk5hNSd5msqAnfp=xFDFSEQ@mail.gmail.com>
2018-03-18 10:14 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180316152233.570461348@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=arve@android.com \
--cc=ghackmann@google.com \
--cc=joelaf@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=stable@vger.kernel.org \
--cc=syzbot+8ec30bb7bf1a981a2012@syzkaller.appspotmail.com \
--cc=tkjos@google.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).