From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Zheng Zhang <zheng.zhang@email.ucr.edu>,
Mike Snitzer <snitzer@kernel.org>
Subject: [PATCH 4.14 081/116] dm ioctl: fix nested locking in table_clear() to remove deadlock concern
Date: Mon, 15 May 2023 18:26:18 +0200 [thread overview]
Message-ID: <20230515161700.965006577@linuxfoundation.org> (raw)
In-Reply-To: <20230515161658.228491273@linuxfoundation.org>
From: Mike Snitzer <snitzer@kernel.org>
commit 3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89 upstream.
syzkaller found the following problematic rwsem locking (with write
lock already held):
down_read+0x9d/0x450 kernel/locking/rwsem.c:1509
dm_get_inactive_table+0x2b/0xc0 drivers/md/dm-ioctl.c:773
__dev_status+0x4fd/0x7c0 drivers/md/dm-ioctl.c:844
table_clear+0x197/0x280 drivers/md/dm-ioctl.c:1537
In table_clear, it first acquires a write lock
https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L1520
down_write(&_hash_lock);
Then before the lock is released at L1539, there is a path shown above:
table_clear -> __dev_status -> dm_get_inactive_table -> down_read
https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L773
down_read(&_hash_lock);
It tries to acquire the same read lock again, resulting in the deadlock
problem.
Fix this by moving table_clear()'s __dev_status() call to after its
up_write(&_hash_lock);
Cc: stable@vger.kernel.org
Reported-by: Zheng Zhang <zheng.zhang@email.ucr.edu>
Signed-off-by: Mike Snitzer <snitzer@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
drivers/md/dm-ioctl.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- a/drivers/md/dm-ioctl.c
+++ b/drivers/md/dm-ioctl.c
@@ -1409,11 +1409,12 @@ static int table_clear(struct file *filp
hc->new_map = NULL;
}
- param->flags &= ~DM_INACTIVE_PRESENT_FLAG;
-
- __dev_status(hc->md, param);
md = hc->md;
up_write(&_hash_lock);
+
+ param->flags &= ~DM_INACTIVE_PRESENT_FLAG;
+ __dev_status(md, param);
+
if (old_map) {
dm_sync_table(md);
dm_table_destroy(old_map);
next prev parent reply other threads:[~2023-05-15 16:35 UTC|newest]
Thread overview: 121+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-15 16:24 [PATCH 4.14 000/116] 4.14.315-rc1 review Greg Kroah-Hartman
2023-05-15 16:24 ` [PATCH 4.14 001/116] wifi: brcmfmac: slab-out-of-bounds read in brcmf_get_assoc_ies() Greg Kroah-Hartman
2023-05-15 16:24 ` [PATCH 4.14 002/116] bluetooth: Perform careful capability checks in hci_sock_ioctl() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 003/116] USB: serial: option: add UNISOC vendor and TOZED LT70C product Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 004/116] iio: adc: palmas_gpadc: fix NULL dereference on rmmod Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 005/116] IMA: allow/fix UML builds Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 006/116] USB: dwc3: fix runtime pm imbalance on unbind Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 007/116] perf sched: Cast PTHREAD_STACK_MIN to int as it may turn into sysconf(__SC_THREAD_STACK_MIN_VALUE) Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 008/116] staging: iio: resolver: ads1210: fix config mode Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 009/116] MIPS: fw: Allow firmware to pass a empty env Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 010/116] ring-buffer: Sync IRQ works before buffer destruction Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 011/116] reiserfs: Add security prefix to xattr name in reiserfs_security_write() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 012/116] i2c: omap: Fix standard mode false ACK readings Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 013/116] Revert "ubifs: dirty_cow_znode: Fix memleak in error handling path" Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 014/116] ubi: Fix return value overwrite issue in try_write_vid_and_data() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 015/116] ubifs: Free memory for tmpfile name Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 016/116] selinux: fix Makefile dependencies of flask.h Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 017/116] selinux: ensure av_permissions.h is built when needed Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 018/116] drm/rockchip: Drop unbalanced obj unref Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 019/116] drm/vgem: add missing mutex_destroy Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 020/116] drm/probe-helper: Cancel previous job before starting new one Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 021/116] media: bdisp: Add missing check for create_workqueue Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 022/116] media: av7110: prevent underflow in write_ts_to_decoder() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 023/116] x86/apic: Fix atomic update of offset in reserve_eilvt_offset() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 024/116] media: dm1105: Fix use after free bug in dm1105_remove due to race condition Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 025/116] x86/ioapic: Dont return 0 from arch_dynirq_lower_bound() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 026/116] arm64: kgdb: Set PSTATE.SS to 1 to re-enable single-step Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 027/116] wifi: ath6kl: minor fix for allocation size Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 028/116] wifi: ath5k: fix an off by one check in ath5k_eeprom_read_freq_list() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 029/116] wifi: ath6kl: reduce WARN to dev_dbg() in callback Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 030/116] scm: fix MSG_CTRUNC setting condition for SO_PASSSEC Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 031/116] vlan: partially enable SIOCSHWTSTAMP in container Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 032/116] net/packet: convert po->origdev to an atomic flag Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 033/116] net/packet: convert po->auxdata " Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 034/116] scsi: target: iscsit: Fix TAS handling during conn cleanup Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 035/116] scsi: megaraid: Fix mega_cmd_done() CMDID_INT_CMDS Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 036/116] md/raid10: fix leak of r10bio->remaining for recovery Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 037/116] wifi: iwlwifi: make the loop for card preparation effective Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 038/116] wifi: iwlwifi: mvm: check firmware response size Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 039/116] ixgbe: Allow flow hash to be set via ethtool Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 040/116] ixgbe: Enable setting RSS table to default values Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 041/116] ipv4: Fix potential uninit variable access bug in __ip_make_skb() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 042/116] Revert "Bluetooth: btsdio: fix use after free bug in btsdio_remove due to unfinished work" Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 043/116] net: amd: Fix link leak when verifying config failed Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 044/116] tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 045/116] pstore: Revert pmsg_lock back to a normal mutex Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 046/116] linux/vt_buffer.h: allow either builtin or modular for macros Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 047/116] spi: fsl-spi: Fix CPM/QE mode Litte Endian Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 048/116] of: Fix modalias string generation Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 049/116] ia64: mm/contig: fix section mismatch warning/error Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 050/116] uapi/linux/const.h: prefer ISO-friendly __typeof__ Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 051/116] sh: sq: Fix incorrect element size for allocating bitmap buffer Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 052/116] usb: chipidea: fix missing goto in `ci_hdrc_probe` Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 053/116] tty: serial: fsl_lpuart: adjust buffer length to the intended size Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 054/116] serial: 8250: Add missing wakeup event reporting Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 055/116] staging: rtl8192e: Fix W_DISABLE# does not work after stop/start Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 056/116] spmi: Add a check for remove callback when removing a SPMI driver Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 057/116] macintosh/windfarm_smu_sat: Add missing of_node_put() Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 058/116] powerpc/mpc512x: fix resource printk format warning Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 059/116] powerpc/wii: fix resource printk format warnings Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 060/116] powerpc/sysdev/tsi108: " Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 061/116] macintosh: via-pmu-led: requires ATA to be set Greg Kroah-Hartman
2023-05-15 16:25 ` [PATCH 4.14 062/116] powerpc/rtas: use memmove for potentially overlapping buffer copy Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 063/116] perf/core: Fix hardlockup failure caused by perf throttle Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 064/116] RDMA/rdmavt: Delete unnecessary NULL check Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 065/116] power: supply: generic-adc-battery: fix unit scaling Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 066/116] clk: add missing of_node_put() in "assigned-clocks" property parsing Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 067/116] IB/hfi1: Fix SDMA mmu_rb_node not being evicted in LRU order Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 068/116] NFSv4.1: Always send a RECLAIM_COMPLETE after establishing lease Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 069/116] SUNRPC: remove the maximum number of retries in call_bind_status Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 070/116] phy: tegra: xusb: Add missing tegra_xusb_port_unregister for usb2_port and ulpi_port Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 071/116] dmaengine: at_xdmac: do not enable all cyclic channels Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 072/116] parisc: Fix argument pointer in real64_call_asm() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 073/116] nilfs2: do not write dirty data after degenerating to read-only Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 074/116] nilfs2: fix infinite loop in nilfs_mdt_get_block() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 075/116] wifi: rtl8xxxu: RTL8192EU always needs full init Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 076/116] clk: rockchip: rk3399: allow clk_cifout to force clk_cifout_src to reparent Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 077/116] btrfs: scrub: reject unsupported scrub flags Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 078/116] s390/dasd: fix hanging blockdevice after request requeue Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 079/116] dm integrity: call kmem_cache_destroy() in dm_integrity_init() error path Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 080/116] dm flakey: fix a crash with invalid table line Greg Kroah-Hartman
2023-05-15 16:26 ` Greg Kroah-Hartman [this message]
2023-05-15 16:26 ` [PATCH 4.14 082/116] perf auxtrace: Fix address filter entire kernel size Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 083/116] netfilter: nf_tables: split set destruction in deactivate and destroy phase Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 084/116] netfilter: nf_tables: unbind set in rule from commit path Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 085/116] netfilter: nft_hash: fix nft_hash_deactivate Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 086/116] netfilter: nf_tables: use-after-free in failing rule with bound set Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 087/116] netfilter: nf_tables: bogus EBUSY when deleting set after flush Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 088/116] netfilter: nf_tables: deactivate anonymous set from preparation phase Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 089/116] sit: update dev->needed_headroom in ipip6_tunnel_bind_dev() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 090/116] writeback: fix call of incorrect macro Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 091/116] net/sched: act_mirred: Add carrier check Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 092/116] af_packet: Dont send zero-byte data in packet_sendmsg_spkt() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 093/116] ALSA: caiaq: input: Add error handling for unsupported input methods in `snd_usb_caiaq_input_init` Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 094/116] perf vendor events power9: Remove UTF-8 characters from JSON files Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 095/116] perf map: Delete two variable initialisations before null pointer checks in sort__sym_from_cmp() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 096/116] perf symbols: Fix return incorrect build_id size in elf_read_build_id() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 097/116] btrfs: fix btrfs_prev_leaf() to not return the same key twice Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 098/116] btrfs: print-tree: parent bytenr must be aligned to sector size Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 099/116] cifs: fix pcchunk length type in smb2_copychunk_range Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 100/116] sh: math-emu: fix macro redefined warning Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 101/116] sh: nmi_debug: fix return value of __setup handler Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 102/116] ARM: dts: exynos: fix WM8960 clock name in Itop Elite Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 103/116] ARM: dts: s5pv210: correct MIPI CSIS clock name Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 104/116] HID: wacom: Set a default resolution for older tablets Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 105/116] ext4: avoid a potential slab-out-of-bounds in ext4_group_desc_csum Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 106/116] ext4: improve error recovery code paths in __ext4_remount() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 107/116] ext4: add bounds checking in get_max_inline_xattr_value_size() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 108/116] ext4: bail out of ext4_xattr_ibody_get() fails for any reason Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 109/116] ext4: remove a BUG_ON in ext4_mb_release_group_pa() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 110/116] ext4: fix invalid free tracking in ext4_xattr_move_to_block() Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 111/116] perf bench: Share some global variables to fix build with gcc 10 Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 112/116] tty: Prevent writing chars during tcsetattr TCSADRAIN/FLUSH Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 113/116] serial: 8250: Fix serial8250_tx_empty() race with DMA Tx Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 114/116] drbd: correctly submit flush bio on barrier Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 115/116] printk: declare printk_deferred_{enter,safe}() in include/linux/printk.h Greg Kroah-Hartman
2023-05-15 16:26 ` [PATCH 4.14 116/116] mm/page_alloc: fix potential deadlock on zonelist_update_seq seqlock Greg Kroah-Hartman
2023-05-15 20:08 ` [PATCH 4.14 000/116] 4.14.315-rc1 review Chris Paterson
2023-05-16 10:07 ` Harshit Mogalapalli
2023-05-16 20:08 ` Naresh Kamboju
2023-05-17 2:46 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20230515161700.965006577@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=patches@lists.linux.dev \
--cc=snitzer@kernel.org \
--cc=stable@vger.kernel.org \
--cc=zheng.zhang@email.ucr.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).