blktrace: move copy_[to|from]_user() out of ->debugfs_lock

Move copy_[to|from]_user() out of ->debugfs_lock and cut the dependency
between mm->mmap_lock and q->debugfs_lock, then we avoids lots of
lockdep false positive warning. Obviously ->debug_lock isn't needed
for copy_[to|from]_user().

The only behavior change is to call blk_trace_remove() in case of setup
failure handling by re-grabbing ->debugfs_lock, and this way is just
fine since we do cover concurrent setup() & remove().

Reported-by: syzbot+91585b36b538053343e4@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-block/67450fd4.050a0220.1286eb.0007.GAE@google.com/
Closes: https://lore.kernel.org/linux-block/6742e584.050a0220.1cc393.0038.GAE@google.com/
Closes: https://lore.kernel.org/linux-block/6742a600.050a0220.1cc393.002e.GAE@google.com/
Closes: https://lore.kernel.org/linux-block/67420102.050a0220.1cc393.0019.GAE@google.com/
Signed-off-by: Ming Lei <ming.lei@redhat.com>
Link: https://lore.kernel.org/r/20241128125029.4152292-3-ming.lei@redhat.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>

diff --git a/kernel/trace/blktrace.c b/kernel/trace/blktrace.c
index f01aae3a2f7bfe8dcdc486611a8a94e37405c83f..18c81e6aa496df2907b3a26b0b72243cdd9f8ab4 100644 (file)
--- a/kernel/trace/blktrace.c
+++ b/kernel/trace/blktrace.c
@@ -617,8 +617,9 @@ err:
        return ret;
 }
 
-static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
-                            struct block_device *bdev, char __user *arg)
+int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
+                   struct block_device *bdev,
+                   char __user *arg)
 {
        struct blk_user_trace_setup buts;
        int ret;
@@ -627,26 +628,17 @@ static int __blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
        if (ret)
                return -EFAULT;
 
+       mutex_lock(&q->debugfs_mutex);
        ret = do_blk_trace_setup(q, name, dev, bdev, &buts);
+       mutex_unlock(&q->debugfs_mutex);
        if (ret)
                return ret;
 
        if (copy_to_user(arg, &buts, sizeof(buts))) {
-               __blk_trace_remove(q);
+               blk_trace_remove(q);
                return -EFAULT;
        }
        return 0;
-}
-
-int blk_trace_setup(struct request_queue *q, char *name, dev_t dev,
-                   struct block_device *bdev,
-                   char __user *arg)
-{
-       int ret;
-
-       mutex_lock(&q->debugfs_mutex);
-       ret = __blk_trace_setup(q, name, dev, bdev, arg);
-       mutex_unlock(&q->debugfs_mutex);
 
        return ret;
 }
@@ -673,12 +665,14 @@ static int compat_blk_trace_setup(struct request_queue *q, char *name,
                .pid = cbuts.pid,
        };
 
+       mutex_lock(&q->debugfs_mutex);
        ret = do_blk_trace_setup(q, name, dev, bdev, &buts);
+       mutex_unlock(&q->debugfs_mutex);
        if (ret)
                return ret;
 
        if (copy_to_user(arg, &buts.name, ARRAY_SIZE(buts.name))) {
-               __blk_trace_remove(q);
+               blk_trace_remove(q);
                return -EFAULT;
        }
 
@@ -740,9 +734,7 @@ int blk_trace_ioctl(struct block_device *bdev, unsigned cmd, char __user *arg)
 #if defined(CONFIG_COMPAT) && defined(CONFIG_X86_64)
        case BLKTRACESETUP32:
                snprintf(b, sizeof(b), "%pg", bdev);
-               mutex_lock(&q->debugfs_mutex);
                ret = compat_blk_trace_setup(q, b, bdev->bd_dev, bdev, arg);
-               mutex_unlock(&q->debugfs_mutex);
                break;
 #endif
        case BLKTRACESTART: