| commit | c5be2a096efc24a95d3497f9d10e50badb9c07b0 | [log] [tgz] |
|---|---|---|
| author | Mike Snitzer <[email protected]> | Mon Apr 17 11:59:56 2023 -0400 |
| committer | Michael Kochera <[email protected]> | Thu Jul 20 02:43:43 2023 +0000 |
| tree | df8ff1e094620166c987e7135835c1546f684af0 | |
| parent | d25dcb0cf6b0d2d8ba1b35af669d55514b82d65e [diff] |
dm ioctl: fix nested locking in table_clear() to remove deadlock concern commit 3d32aaa7e66d5c1479a3c31d6c2c5d45dd0d3b89 upstream. syzkaller found the following problematic rwsem locking (with write lock already held): down_read+0x9d/0x450 kernel/locking/rwsem.c:1509 dm_get_inactive_table+0x2b/0xc0 drivers/md/dm-ioctl.c:773 __dev_status+0x4fd/0x7c0 drivers/md/dm-ioctl.c:844 table_clear+0x197/0x280 drivers/md/dm-ioctl.c:1537 In table_clear, it first acquires a write lock https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L1520 down_write(&_hash_lock); Then before the lock is released at L1539, there is a path shown above: table_clear -> __dev_status -> dm_get_inactive_table -> down_read https://elixir.bootlin.com/linux/v6.2/source/drivers/md/dm-ioctl.c#L773 down_read(&_hash_lock); It tries to acquire the same read lock again, resulting in the deadlock problem. Fix this by moving table_clear()'s __dev_status() call to after its up_write(&_hash_lock); BUG=b/290186282 TEST=None RELEASE_NOTE=Fix CVE-2023-2269 in the kernel. cos-patch: security-moderate Cc: [email protected] Reported-by: Zheng Zhang <[email protected]> Change-Id: I34ea2b1860708f6797275cd1c550e43897362caf Signed-off-by: Mike Snitzer <[email protected]> Signed-off-by: Greg Kroah-Hartman <[email protected]> Reviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/52409 Tested-by: Cusky Presubmit Bot <[email protected]> Reviewed-by: Oleksandr Tymoshenko <[email protected]>