From patchwork Fri Jul 28 23:17:19 2023
X-Patchwork-Submitter: Yuxuan Luo
X-Patchwork-Id: 1814456
From: Yuxuan Luo
To: kernel-team@lists.ubuntu.com
Subject: [SRU][Jammy-OEM-5.17][PATCH 1/1] dm ioctl: fix nested locking in table_clear() to remove deadlock concern
Date: Fri, 28 Jul 2023 19:17:19 -0400
Message-Id: <20230728231720.104751-2-yuxuan.luo@canonical.com>

From: Mike Snitzer

syzkaller found the following problematic rwsem locking (with write
lock already held):

 down_read+0x9d/0x450 kernel/locking/rwsem.c:1509
 dm_get_inactive_table+0x2b/0xc0 drivers/md/dm-ioctl.c:773
 __dev_status+0x4fd/0x7c0 drivers/md/dm-ioctl.c:844
 table_clear+0x197/0x280 drivers/md/dm-ioctl.c:1537

In table_clear, it first acquires a write lock
https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L1520
down_write(&_hash_lock);

Then before the lock is released at L1539, there is a path shown above:
table_clear -> __dev_status -> dm_get_inactive_table -> down_read
https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L773
down_read(&_hash_lock);

It tries to acquire the same read lock again, resulting in the deadlock
problem.

Fix this by moving table_clear()'s __dev_status() call to after its
up_write(&_hash_lock);

Cc: stable@vger.kernel.org
Reported-by: Zheng Zhang
Signed-off-by: Mike Snitzer (cherry picked from commit 3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89) CVE-2023-2269 Signed-off-by: Yuxuan Luo --- drivers/md/dm-ioctl.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/drivers/md/dm-ioctl.c b/drivers/md/dm-ioctl.c index 901abd6dea41..c2a9e1ecf6ed 100644 --- a/drivers/md/dm-ioctl.c +++ b/drivers/md/dm-ioctl.c @@ -1526,11 +1526,12 @@ static int table_clear(struct file *filp, struct dm_ioctl *param, size_t param_s has_new_map = true; } - param->flags &= ~DM_INACTIVE_PRESENT_FLAG; - - __dev_status(hc->md, param); md = hc->md; up_write(&_hash_lock); + + param->flags &= ~DM_INACTIVE_PRESENT_FLAG; + __dev_status(md, param); + if (old_map) { dm_sync_table(md); dm_table_destroy(old_map);
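Review bot: in the table_clear() hunk, __dev_status(md, param) now dereferences md after up_write(&_hash_lock), and nothing in the visible context shows what keeps md alive across the unlock. The unchanged dm_sync_table(md) just below already relies on the same thing, so this is most likely covered by a reference taken earlier in the function, but the commit message should say so, since the lock was previously the obvious thing protecting the call. It would also help to put a short comment above the moved lines stating that __dev_status() must stay outside _hash_lock because dm_get_inactive_table() takes down_read(&_hash_lock). Without it, a later cleanup could move the call back under the write lock and reintroduce the nested acquisition. For the backport, note that the elixir links in the message point at v6.2 line numbers, which will not match the Jammy-OEM-5.17 tree this applies to.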