From: Shoaib Rao <rao.shoaib@oracle.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Vyukov <dvyukov@google.com>,
syzbot <syzbot+8760ca6c1ee783ac4abd@syzkaller.appspotmail.com>,
andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
christian.brauner@ubuntu.com, cong.wang@bytedance.com,
daniel@iogearbox.net, davem@davemloft.net, edumazet@google.com,
jamorris@linux.microsoft.com, john.fastabend@gmail.com,
kafai@fb.com, kpsingh@kernel.org, kuba@kernel.org,
linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
netdev@vger.kernel.org, shuah@kernel.org, songliubraving@fb.com,
syzkaller-bugs@googlegroups.com, yhs@fb.com
Subject: Re: [syzbot] BUG: sleeping function called from invalid context in _copy_to_iter
Date: Mon, 9 Aug 2021 13:18:17 -0700 [thread overview]
Message-ID: <0171777a-2f4b-2b0c-4887-86f6d8563bea@oracle.com> (raw)
In-Reply-To: <YRGIkv/dw+Bfq7BK@zeniv-ca.linux.org.uk>
On 8/9/21 12:57 PM, Al Viro wrote:
> On Mon, Aug 09, 2021 at 12:16:27PM -0700, Shoaib Rao wrote:
>> On 8/9/21 11:06 AM, Dmitry Vyukov wrote:
>>> On Mon, 9 Aug 2021 at 19:33, Shoaib Rao <rao.shoaib@oracle.com> wrote:
>>>> This seems like a false positive. 1) The function will not sleep because
>>>> it only calls copy routine if the byte is present. 2). There is no
>>>> difference between this new call and the older calls in
>>>> unix_stream_read_generic().
>>> Hi Shoaib,
>>>
>>> Thanks for looking into this.
>>> Do you have any ideas on how to fix this tool's false positive? Tools
>>> with false positives are order of magnitude less useful than tools w/o
>>> false positives. E.g. do we turn it off on syzbot? But I don't
>>> remember any other false positives from "sleeping function called from
>>> invalid context" checker...
>> Before we take any action I would like to understand why the tool does not
>> single out other calls to recv_actor in unix_stream_read_generic(). The
>> context in all cases is the same. I also do not understand why the code
>> would sleep, Let's assume the user provided address is bad, the code will
>> return EFAULT, it will never sleep, if the kernel provided address is bad
>> the system will panic. The only difference I see is that the new code holds
>> 2 locks while the previous code held one lock, but the locks are acquired
>> before the call to copy.
>>
>> So please help me understand how the tool works. Even though I have
>> evaluated the code carefully, there is always a possibility that the tool is
>> correct.
> Huh???
>
> What do you mean "address is bad"? "Address is inside an area mmapped from
> NFS file". And it bloody well will sleep on attempt to read the page.
That is exactly what I said :-). There are times when copying
thread/task may sleep when the page is not there and it does not have to
be an NFS file, Linux supports mmap without backing memory and page
faults occur with files all the time. With the bad address I meant that
the user passes in an incorrect address.
>
> You should never, ever do copy_{to,from}_user() or equivalents while holding
> a spinlock, period.
Yes spinlock should not be held if the process can sleep. In this case
it wont but there is no way to indicate that. Thanks for pointing that
out, as the second lock I am holding is indeed a spinlock (it is
accessed via unix_state_unlock so I missed the spinlock). I will modify
the code and resubmit. I am glad we found the root cause.
Shoaib
prev parent reply other threads:[~2021-08-09 20:19 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-08 23:38 [syzbot] BUG: sleeping function called from invalid context in _copy_to_iter syzbot
2021-08-09 17:32 ` Shoaib Rao
2021-08-09 18:06 ` Dmitry Vyukov
2021-08-09 19:16 ` Shoaib Rao
2021-08-09 19:21 ` Dmitry Vyukov
2021-08-09 19:40 ` Shoaib Rao
2021-08-09 20:02 ` Eric Dumazet
2021-08-09 20:09 ` Eric Dumazet
2021-08-09 20:31 ` Shoaib Rao
2021-08-10 9:19 ` Eric Dumazet
2021-08-10 17:50 ` Shoaib Rao
2021-08-10 18:02 ` Eric Dumazet
2021-08-10 18:29 ` Shoaib Rao
2021-08-09 20:04 ` Al Viro
2021-08-09 20:16 ` Al Viro
2021-08-09 20:30 ` Shoaib Rao
2021-08-09 20:37 ` Shoaib Rao
2021-08-09 21:41 ` Al Viro
2021-08-09 22:38 ` Shoaib Rao
2021-08-09 19:57 ` Al Viro
2021-08-09 20:18 ` Shoaib Rao [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=0171777a-2f4b-2b0c-4887-86f6d8563bea@oracle.com \
--to=rao.shoaib@oracle.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=bpf@vger.kernel.org \
--cc=christian.brauner@ubuntu.com \
--cc=cong.wang@bytedance.com \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=jamorris@linux.microsoft.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-kselftest@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=shuah@kernel.org \
--cc=songliubraving@fb.com \
--cc=syzbot+8760ca6c1ee783ac4abd@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=viro@zeniv.linux.org.uk \
--cc=yhs@fb.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.