diff options
| author | Yu Kuai <yukuai3@huawei.com> | 2025-06-30 14:28:28 +0300 |
|---|---|---|
| committer | Jens Axboe <axboe@kernel.dk> | 2025-07-01 17:14:01 +0300 |
| commit | 0d519bb0de3bf0ac9e6f401d4910fc119062d7be (patch) | |
| tree | 953f5e9d53b326fd7c23be0a1813fad723a11282 | |
| parent | 01ed88aea527e19def9070349399684522c66c72 (diff) | |
| download | linux-0d519bb0de3bf0ac9e6f401d4910fc119062d7be.tar.xz | |
brd: fix sleeping function called from invalid context in brd_insert_page()
__xa_cmpxchg() is called with rcu_read_lock(), and it will allocate
memory if necessary.
Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(), meanwhile,
it still should be held before xa_unlock(), prevent returned page to be
freed by concurrent discard.
Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630112828.421219-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
| -rw-r--r-- | drivers/block/brd.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/drivers/block/brd.c b/drivers/block/brd.c index b1be6c510372..0c2eabe14af3 100644 --- a/drivers/block/brd.c +++ b/drivers/block/brd.c @@ -64,13 +64,15 @@ static struct page *brd_insert_page(struct brd_device *brd, sector_t sector, rcu_read_unlock(); page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM); - rcu_read_lock(); - if (!page) + if (!page) { + rcu_read_lock(); return ERR_PTR(-ENOMEM); + } xa_lock(&brd->brd_pages); ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL, page, gfp); + rcu_read_lock(); if (ret) { xa_unlock(&brd->brd_pages); __free_page(page); |