brd: fix sleeping function called from invalid context in brd_insert_page()
authorYu Kuai <yukuai3@huawei.com>
Mon, 30 Jun 2025 11:28:28 +0000 (19:28 +0800)
committerJens Axboe <axboe@kernel.dk>
Tue, 1 Jul 2025 14:14:01 +0000 (08:14 -0600)
__xa_cmpxchg() is called with rcu_read_lock(), and it will allocate
memory if necessary.

Fix the problem by moving rcu_read_lock() after __xa_cmpxchg(); it must
still be taken before xa_unlock(), to prevent the returned page from being
freed by a concurrent discard.

Fixes: bbcacab2e8ee ("brd: avoid extra xarray lookups on first write")
Reported-by: syzbot+ea4c8fd177a47338881a@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/685ec4c9.a00a0220.129264.000c.GAE@google.com/
Signed-off-by: Yu Kuai <yukuai3@huawei.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Link: https://lore.kernel.org/r/20250630112828.421219-1-yukuai1@huaweicloud.com
Signed-off-by: Jens Axboe <axboe@kernel.dk>
drivers/block/brd.c

index b1be6c5103725fe89cbfe2b6b25a7a78f23f0728..0c2eabe14af3b923c1680b72c222b0b5f8feafeb 100644 (file)
@@ -64,13 +64,15 @@ static struct page *brd_insert_page(struct brd_device *brd, sector_t sector,
 
        rcu_read_unlock();
        page = alloc_page(gfp | __GFP_ZERO | __GFP_HIGHMEM);
-       rcu_read_lock();
-       if (!page)
+       if (!page) {
+               rcu_read_lock();
                return ERR_PTR(-ENOMEM);
+       }
 
        xa_lock(&brd->brd_pages);
        ret = __xa_cmpxchg(&brd->brd_pages, sector >> PAGE_SECTORS_SHIFT, NULL,
                        page, gfp);
+       rcu_read_lock();
        if (ret) {
                xa_unlock(&brd->brd_pages);
                __free_page(page);
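Review bot: The locking contract this fix relies on — brd_insert_page() is entered with rcu_read_lock() held, drops it across alloc_page() and __xa_cmpxchg() because both may allocate (and so may sleep, depending on gfp), and must re-acquire it on every return path — is only visible by reading the paired calls, and the hunk now depends on it in two places (the new `if (!page)` branch and the rcu_read_lock() after __xa_cmpxchg()). A comment next to the rcu_read_unlock() at the top of the hunk would make the invariant explicit, e.g. `/* Caller holds rcu_read_lock(); drop it across the allocations below (they may sleep) and re-take it on every return path. */`. With the new ordering rcu_read_lock() is taken while xa_lock() is still held, which is fine for a spinlock-then-RCU nesting, but any future early return added between xa_lock() and xa_unlock() must keep that pairing too. brd_insert_page() starts before the hunk and the `if (ret)` block continues past it.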