* net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29  0:40 ` Andrey Konovalov
  0 siblings, 0 replies; 22+ messages in thread
From: Andrey Konovalov @ 2016-10-29  0:40 UTC (permalink / raw)
  To: Gerrit Renker, David S. Miller, dccp, netdev, LKML
  Cc: Dmitry Vyukov, Eric Dumazet, Alexander Potapenko,
	Kostya Serebryany, syzkaller

[-- Attachment #1: Type: text/plain, Size: 2613 bytes --]

Hi,

I've got the following error report while running the syzkaller fuzzer:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
__might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
kernel/sched/wait.c:178
Modules linked in:
CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
 ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
 ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
 [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
 [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
 [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
 [<     inline     >] slab_alloc_node mm/slub.c:2634
 [<     inline     >] slab_alloc mm/slub.c:2716
 [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
 [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
 [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
net/dccp/feat.c:374
 [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
 [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
 [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
 [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
 [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
 [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
 [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
 [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
 [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
 [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
 [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
 [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
 [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
 [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
 [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
---[ end trace 0dc4109d69f4e51e ]---

On commit 14970f204b1993af7459d5bd34aaff38dfee6670 (Oct 27).

A reproducer is attached.

[-- Attachment #2: dccp-feat-warn-poc.c --]
[-- Type: application/octet-stream, Size: 7760 bytes --]

// autogenerated by syzkaller (http://github.com/google/syzkaller)

/* Fallback syscall numbers, defined before the system headers are pulled in;
 * the #ifndef guards let an already-present definition (e.g. from -D) win.
 * __NR_bind/listen/mmap/socket/connect are the x86-64 values.  The 10000xx
 * numbers are not kernel syscalls at all: they are syzkaller pseudo-syscalls
 * that execute_syscall() below routes to the syz_* helper functions. */
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_listen
#define __NR_listen 50
#endif
#ifndef __NR_syz_open_pts
#define __NR_syz_open_pts 1000003
#endif
#ifndef __NR_syz_test
#define __NR_syz_test 1000001
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_syz_fuse_mount
#define __NR_syz_fuse_mount 1000004
#endif
#ifndef __NR_syz_fuseblk_mount
#define __NR_syz_fuseblk_mount 1000005
#endif
#ifndef __NR_syz_open_dev
#define __NR_syz_open_dev 1000002
#endif

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Per-thread state for NONFAILING(): while skip_segv is non-zero, a fault
 * raised inside the guarded statement makes segv_handler() longjmp back to
 * segv_env instead of terminating the process. */
__thread int skip_segv;
__thread jmp_buf segv_env;

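/* SIGSEGV/SIGBUS handler installed by install_segv_handler().
 *
 * If the faulting thread is inside a NONFAILING() region (skip_segv > 0) the
 * fault is swallowed by jumping back to the _setjmp() in that macro; otherwise
 * the process terminates with the signal number as its exit status.
 *
 * Terminates with _exit() rather than exit(): exit() runs atexit handlers and
 * flushes stdio, which is not async-signal-safe and can deadlock if the fault
 * happened while the allocator or stdio held a lock.  The exit status is the
 * same; only the non-signal-safe cleanup is skipped.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  (void)info;
  (void)uctx;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED))
    _longjmp(segv_env, 1);
  _exit(sig);
}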

/* Route SIGSEGV and SIGBUS to segv_handler() so that faults raised inside a
 * NONFAILING() region can be recovered via longjmp.  SA_SIGINFO selects the
 * three-argument handler form; SA_NODEFER keeps the signal unblocked during
 * the handler, so a longjmp out of it does not leave the signal masked.
 * Every other sigaction field is left zeroed. */
static void install_segv_handler()
{
  static const int fault_signals[] = { SIGSEGV, SIGBUS };
  struct sigaction sa = {
    .sa_sigaction = segv_handler,
    .sa_flags = SA_NODEFER | SA_SIGINFO,
  };
  for (size_t i = 0; i < sizeof(fault_signals) / sizeof(fault_signals[0]); i++)
    sigaction(fault_signals[i], &sa, NULL);
}

/* Execute the statement(s) in __VA_ARGS__ but treat a SIGSEGV/SIGBUS raised
 * while they run as a no-op instead of a crash: skip_segv is raised so that
 * segv_handler() longjmps back to the _setjmp() here, and the rest of the
 * region is skipped.  The counter is restored afterwards on both paths.
 * thr() uses it for stores into the mmap()ed scratch area, which are only
 * valid once the mmap() of step 0 has run. */
#define NONFAILING(...)                                                \
  {                                                                    \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
    if (_setjmp(segv_env) == 0) {                                      \
      __VA_ARGS__;                                                     \
    }                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
  }

/* syzkaller pseudo-syscall: open a device node.
 *
 * a0 == 0xc (char) or 0xb (block): open "/dev/char/M:m" or "/dev/block/M:m"
 * read-write, M and m being the low byte of a1 and a2.
 * Otherwise a0 points to a path template in which each '#' is replaced, left
 * to right, by successive decimal digits of a1 (least significant first); the
 * template is truncated to 1023 bytes and opened with the flags in a2.
 * Returns the descriptor from open(), or (uintptr_t)-1 on failure.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  const int is_char = (a0 == 0xc);
  if (is_char || a0 == 0xb) {
    char path[128];
    /* longest form is "/dev/block/255:255", far below the buffer size */
    snprintf(path, sizeof(path), "/dev/%s/%d:%d", is_char ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(path, O_RDWR, 0);
  }

  char path[1024];
  strncpy(path, (const char*)a0, sizeof(path));
  path[sizeof(path) - 1] = 0;
  for (char* hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
    *hash = '0' + (char)(a1 % 10);
    a1 /= 10;
  }
  return open(path, a2, 0);
}

/* syzkaller pseudo-syscall: open the slave side of the pty whose master fd
 * is a0.  TIOCGPTN asks the master for its pty number; "/dev/pts/<n>" is then
 * opened with the flags in a1.  Returns (uintptr_t)-1 if the ioctl fails,
 * otherwise whatever open() returns.
 */
static uintptr_t syz_open_pts(uintptr_t a0, uintptr_t a1)
{
  const int master_fd = (int)a0;
  int pty_index = 0;
  if (ioctl(master_fd, TIOCGPTN, &pty_index) != 0)
    return (uintptr_t)-1;

  char slave_path[128];
  snprintf(slave_path, sizeof(slave_path), "/dev/pts/%d", pty_index);
  return open(slave_path, a1, 0);
}

/* syzkaller pseudo-syscall: mount a FUSE filesystem.
 *
 * a0 target path, a1 mode (bit 0: default_permissions, bit 1: allow_other,
 * remaining bits: rootmode), a2 user_id, a3 group_id, a4 max_read (0 = omit),
 * a5 mount flags.  Opens /dev/fuse, assembles the option string and calls
 * mount(2) with it; the mount result is ignored.
 * Returns the /dev/fuse descriptor, which is left open, or -1 if /dev/fuse
 * cannot be opened.
 */
static uintptr_t syz_fuse_mount(uintptr_t a0, uintptr_t a1,
                                uintptr_t a2, uintptr_t a3,
                                uintptr_t a4, uintptr_t a5)
{
  const uint64_t target = a0, mode = a1, uid = a2, gid = a3;
  const uint64_t maxread = a4, flags = a5;

  const int fuse_fd = open("/dev/fuse", O_RDWR);
  if (fuse_fd == -1)
    return fuse_fd;

  /* the fixed part is well under 100 bytes; each optional item adds < 40 */
  char opts[1024];
  int len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o",
                    fuse_fd, (long)uid, (long)gid, (unsigned)mode & ~3u);
  if (maxread != 0)
    len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
  if (mode & 1)
    len += sprintf(opts + len, ",default_permissions");
  if (mode & 2)
    len += sprintf(opts + len, ",allow_other");
  syscall(SYS_mount, "", target, "fuse", flags, opts);

  return fuse_fd;
}

/* syzkaller pseudo-syscall: mount a fuseblk filesystem on a synthetic block
 * device node.
 *
 * a0 target path, a1 path at which to create the block device node, a2 mode
 * (bit 0: default_permissions, bit 1: allow_other, rest: rootmode), a3
 * user_id, a4 group_id, a5 max_read (0 = omit), a6 blksize (0 = omit),
 * a7 mount flags.
 * Opens /dev/fuse, creates a block special file with device number (7,199)
 * at a1, then mounts "fuseblk" from it with the assembled option string.
 * Quirk kept from the generated code: if mknodat() fails the still-open
 * /dev/fuse descriptor is returned without attempting the mount, so the
 * caller cannot tell that from success.  -1 is returned only when /dev/fuse
 * cannot be opened; the mount(2) result is ignored.
 */
static uintptr_t syz_fuseblk_mount(uintptr_t a0, uintptr_t a1,
                                   uintptr_t a2, uintptr_t a3,
                                   uintptr_t a4, uintptr_t a5,
                                   uintptr_t a6, uintptr_t a7)
{
  const uint64_t target = a0, blkdev = a1, mode = a2, uid = a3;
  const uint64_t gid = a4, maxread = a5, blksize = a6, flags = a7;

  const int fuse_fd = open("/dev/fuse", O_RDWR);
  if (fuse_fd == -1)
    return fuse_fd;
  if (syscall(SYS_mknodat, AT_FDCWD, blkdev, S_IFBLK, makedev(7, 199)) != 0)
    return fuse_fd;

  /* fixed part is well under 100 bytes; each optional item adds < 40 */
  char opts[256];
  int len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o",
                    fuse_fd, (long)uid, (long)gid, (unsigned)mode & ~3u);
  if (maxread != 0)
    len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
  if (blksize != 0)
    len += sprintf(opts + len, ",blksize=%ld", (long)blksize);
  if (mode & 1)
    len += sprintf(opts + len, ",default_permissions");
  if (mode & 2)
    len += sprintf(opts + len, ",allow_other");
  syscall(SYS_mount, blkdev, target, "fuseblk", flags, opts);

  return fuse_fd;
}

/* Dispatch one call of the syzkaller program.  Numbers in the __NR_syz_*
 * range are pseudo-syscalls implemented by the syz_* helpers above; every
 * other number is passed to the raw syscall(2) with its first six arguments.
 * a6 and a7 are consumed only by syz_fuseblk_mount; a8 is never used.
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  (void)a8;
  if (nr == __NR_syz_test)
    return 0;
  if (nr == __NR_syz_open_dev)
    return syz_open_dev(a0, a1, a2);
  if (nr == __NR_syz_open_pts)
    return syz_open_pts(a0, a1);
  if (nr == __NR_syz_fuse_mount)
    return syz_fuse_mount(a0, a1, a2, a3, a4, a5);
  if (nr == __NR_syz_fuseblk_mount)
    return syz_fuseblk_mount(a0, a1, a2, a3, a4, a5, a6, a7);
  return syscall(nr, a0, a1, a2, a3, a4, a5);
}

/* Results of the calls issued by thr(); the index is syzkaller's result slot.
 * main() pre-fills it with -1 (memset of 0xff bytes) so an unexecuted step
 * reads as a failed call.  r[1] and r[15] are the two socket fds that later
 * steps consume. */
long r[28];
/* Worker thread body: arg selects one step of the syzkaller program.  main()
 * starts the six steps twice, so each step may run concurrently with a second
 * instance of itself and with the others.  Results land in r[].
 *
 * The constants are the x86-64 Linux values:
 *   step 0  mmap(0x20000000, 0xe2b000, PROT_READ|PROT_WRITE (0x3),
 *           MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0): the scratch
 *           region [0x20000000, 0x20e2b000) that steps 2 and 5 write into;
 *   step 1  r[1]  = socket(AF_INET (0x2), SOCK_DCCP|SOCK_NONBLOCK (0x806), 0);
 *   step 2  bind(r[1], sockaddr_in{AF_INET, port 0x4242, 0.0.0.0}, 16);
 *   step 3  listen(r[1], 1);
 *   step 4  r[15] = socket(AF_INET, SOCK_DCCP (0x6), 0), a blocking socket;
 *   step 5  connect(r[15], the same sockaddr_in, 16), i.e. to the step-3
 *           listener.  This blocking connect is the SyS_connect ->
 *           inet_wait_for_connect -> release_sock -> backlog path shown in
 *           the kernel warning this reproducer triggers.
 * The sockaddr is written byte-wise under NONFAILING() so that a store into a
 * scratch region that is not (yet) mapped is skipped instead of crashing.
 * Port 0x4242 is the same value in host and network byte order.
 */
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] =
        execute_syscall(__NR_mmap, 0x20000000ul, 0xe2b000ul, 0x3ul,
                        0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    break;
  case 1:
    r[1] = execute_syscall(__NR_socket, 0x2ul, 0x806ul, 0x0ul, 0, 0, 0,
                           0, 0, 0);
    break;
  case 2:
    /* sin_family, sin_port, sin_addr, then the 8 bytes of sin_zero */
    NONFAILING(*(uint16_t*)0x204e8000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x204e8002 = (uint16_t)0x4242);
    NONFAILING(*(uint32_t*)0x204e8004 = (uint32_t)0x0);
    NONFAILING(*(uint8_t*)0x204e8008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e8009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800f = (uint8_t)0x0);
    r[13] = execute_syscall(__NR_bind, r[1], 0x204e8000ul, 0x10ul, 0, 0,
                            0, 0, 0, 0);
    break;
  case 3:
    r[14] =
        execute_syscall(__NR_listen, r[1], 0x1ul, 0, 0, 0, 0, 0, 0, 0);
    break;
  case 4:
    r[15] = execute_syscall(__NR_socket, 0x2ul, 0x6ul, 0x0ul, 0, 0, 0,
                            0, 0, 0);
    break;
  case 5:
    /* same sockaddr_in layout as step 2, at a second scratch address */
    NONFAILING(*(uint16_t*)0x20e26000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20e26002 = (uint16_t)0x4242);
    NONFAILING(*(uint32_t*)0x20e26004 = (uint32_t)0x0);
    NONFAILING(*(uint8_t*)0x20e26008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e26009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600f = (uint8_t)0x0);
    r[27] = execute_syscall(__NR_connect, r[15], 0x20e26000ul, 0x10ul,
                            0, 0, 0, 0, 0, 0);
    break;
  }
  return 0;
}

/* Entry point: run the six program steps as threads, twice.  The first round
 * is spaced 10 ms apart so the steps execute roughly in order (mmap, socket,
 * bind, listen, socket, connect); the second round re-runs them with random
 * 0-10 ms gaps to race against the first.  The process sleeps 100 ms and then
 * exits without joining, which tears the threads down with it.  Return values
 * of pthread_create() are not checked.
 */
int main()
{
  enum { STEPS = 6, ROUNDS = 2 };
  pthread_t workers[STEPS * ROUNDS];

  install_segv_handler();
  memset(r, -1, sizeof(r));
  srand(getpid());

  for (long step = 0; step < STEPS; step++) {
    pthread_create(&workers[step], 0, thr, (void*)step);
    usleep(10000);
  }
  for (long step = 0; step < STEPS; step++) {
    pthread_create(&workers[STEPS + step], 0, thr, (void*)step);
    if (rand() % 2)
      usleep(rand() % 10000);
  }
  usleep(100000);
  return 0;
}


* net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29  0:40 ` Andrey Konovalov
  0 siblings, 0 replies; 22+ messages in thread
From: Andrey Konovalov @ 2016-10-29  0:40 UTC (permalink / raw)
  To: dccp

[-- Attachment #1: Type: text/plain, Size: 2613 bytes --]

Hi,

I've got the following error report while running the syzkaller fuzzer:

------------[ cut here ]------------
WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
__might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
kernel/sched/wait.c:178
Modules linked in:
CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
 ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
 ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
 [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
 [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
 [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
 [<     inline     >] slab_alloc_node mm/slub.c:2634
 [<     inline     >] slab_alloc mm/slub.c:2716
 [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
 [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
 [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
net/dccp/feat.c:374
 [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
 [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
 [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
 [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
 [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
 [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
 [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
 [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
 [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
 [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
 [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
 [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
 [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
 [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
 [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
---[ end trace 0dc4109d69f4e51e ]---

On commit 14970f204b1993af7459d5bd34aaff38dfee6670 (Oct 27).

A reproducer is attached.

[-- Attachment #2: dccp-feat-warn-poc.c --]
[-- Type: application/octet-stream, Size: 7760 bytes --]

// autogenerated by syzkaller (http://github.com/google/syzkaller)

/* Fallback syscall numbers, defined before the system headers are pulled in;
 * the #ifndef guards let an already-present definition (e.g. from -D) win.
 * __NR_bind/listen/mmap/socket/connect are the x86-64 values.  The 10000xx
 * numbers are not kernel syscalls at all: they are syzkaller pseudo-syscalls
 * that execute_syscall() below routes to the syz_* helper functions. */
#ifndef __NR_bind
#define __NR_bind 49
#endif
#ifndef __NR_listen
#define __NR_listen 50
#endif
#ifndef __NR_syz_open_pts
#define __NR_syz_open_pts 1000003
#endif
#ifndef __NR_syz_test
#define __NR_syz_test 1000001
#endif
#ifndef __NR_mmap
#define __NR_mmap 9
#endif
#ifndef __NR_socket
#define __NR_socket 41
#endif
#ifndef __NR_connect
#define __NR_connect 42
#endif
#ifndef __NR_syz_fuse_mount
#define __NR_syz_fuse_mount 1000004
#endif
#ifndef __NR_syz_fuseblk_mount
#define __NR_syz_fuseblk_mount 1000005
#endif
#ifndef __NR_syz_open_dev
#define __NR_syz_open_dev 1000002
#endif

#include <sys/ioctl.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>

#include <errno.h>
#include <error.h>
#include <fcntl.h>
#include <pthread.h>
#include <setjmp.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Per-thread state for NONFAILING(): while skip_segv is non-zero, a fault
 * raised inside the guarded statement makes segv_handler() longjmp back to
 * segv_env instead of terminating the process. */
__thread int skip_segv;
__thread jmp_buf segv_env;

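/* SIGSEGV/SIGBUS handler installed by install_segv_handler().
 *
 * If the faulting thread is inside a NONFAILING() region (skip_segv > 0) the
 * fault is swallowed by jumping back to the _setjmp() in that macro; otherwise
 * the process terminates with the signal number as its exit status.
 *
 * Terminates with _exit() rather than exit(): exit() runs atexit handlers and
 * flushes stdio, which is not async-signal-safe and can deadlock if the fault
 * happened while the allocator or stdio held a lock.  The exit status is the
 * same; only the non-signal-safe cleanup is skipped.
 */
static void segv_handler(int sig, siginfo_t* info, void* uctx)
{
  (void)info;
  (void)uctx;
  if (__atomic_load_n(&skip_segv, __ATOMIC_RELAXED))
    _longjmp(segv_env, 1);
  _exit(sig);
}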

/* Route SIGSEGV and SIGBUS to segv_handler() so that faults raised inside a
 * NONFAILING() region can be recovered via longjmp.  SA_SIGINFO selects the
 * three-argument handler form; SA_NODEFER keeps the signal unblocked during
 * the handler, so a longjmp out of it does not leave the signal masked.
 * Every other sigaction field is left zeroed. */
static void install_segv_handler()
{
  static const int fault_signals[] = { SIGSEGV, SIGBUS };
  struct sigaction sa = {
    .sa_sigaction = segv_handler,
    .sa_flags = SA_NODEFER | SA_SIGINFO,
  };
  for (size_t i = 0; i < sizeof(fault_signals) / sizeof(fault_signals[0]); i++)
    sigaction(fault_signals[i], &sa, NULL);
}

/* Execute the statement(s) in __VA_ARGS__ but treat a SIGSEGV/SIGBUS raised
 * while they run as a no-op instead of a crash: skip_segv is raised so that
 * segv_handler() longjmps back to the _setjmp() here, and the rest of the
 * region is skipped.  The counter is restored afterwards on both paths.
 * thr() uses it for stores into the mmap()ed scratch area, which are only
 * valid once the mmap() of step 0 has run. */
#define NONFAILING(...)                                                \
  {                                                                    \
    __atomic_fetch_add(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
    if (_setjmp(segv_env) == 0) {                                      \
      __VA_ARGS__;                                                     \
    }                                                                  \
    __atomic_fetch_sub(&skip_segv, 1, __ATOMIC_SEQ_CST);               \
  }

/* syzkaller pseudo-syscall: open a device node.
 *
 * a0 == 0xc (char) or 0xb (block): open "/dev/char/M:m" or "/dev/block/M:m"
 * read-write, M and m being the low byte of a1 and a2.
 * Otherwise a0 points to a path template in which each '#' is replaced, left
 * to right, by successive decimal digits of a1 (least significant first); the
 * template is truncated to 1023 bytes and opened with the flags in a2.
 * Returns the descriptor from open(), or (uintptr_t)-1 on failure.
 */
static uintptr_t syz_open_dev(uintptr_t a0, uintptr_t a1, uintptr_t a2)
{
  const int is_char = (a0 == 0xc);
  if (is_char || a0 == 0xb) {
    char path[128];
    /* longest form is "/dev/block/255:255", far below the buffer size */
    snprintf(path, sizeof(path), "/dev/%s/%d:%d", is_char ? "char" : "block",
             (uint8_t)a1, (uint8_t)a2);
    return open(path, O_RDWR, 0);
  }

  char path[1024];
  strncpy(path, (const char*)a0, sizeof(path));
  path[sizeof(path) - 1] = 0;
  for (char* hash = strchr(path, '#'); hash != NULL; hash = strchr(path, '#')) {
    *hash = '0' + (char)(a1 % 10);
    a1 /= 10;
  }
  return open(path, a2, 0);
}

/* syzkaller pseudo-syscall: open the slave side of the pty whose master fd
 * is a0.  TIOCGPTN asks the master for its pty number; "/dev/pts/<n>" is then
 * opened with the flags in a1.  Returns (uintptr_t)-1 if the ioctl fails,
 * otherwise whatever open() returns.
 */
static uintptr_t syz_open_pts(uintptr_t a0, uintptr_t a1)
{
  const int master_fd = (int)a0;
  int pty_index = 0;
  if (ioctl(master_fd, TIOCGPTN, &pty_index) != 0)
    return (uintptr_t)-1;

  char slave_path[128];
  snprintf(slave_path, sizeof(slave_path), "/dev/pts/%d", pty_index);
  return open(slave_path, a1, 0);
}

/* syzkaller pseudo-syscall: mount a FUSE filesystem.
 *
 * a0 target path, a1 mode (bit 0: default_permissions, bit 1: allow_other,
 * remaining bits: rootmode), a2 user_id, a3 group_id, a4 max_read (0 = omit),
 * a5 mount flags.  Opens /dev/fuse, assembles the option string and calls
 * mount(2) with it; the mount result is ignored.
 * Returns the /dev/fuse descriptor, which is left open, or -1 if /dev/fuse
 * cannot be opened.
 */
static uintptr_t syz_fuse_mount(uintptr_t a0, uintptr_t a1,
                                uintptr_t a2, uintptr_t a3,
                                uintptr_t a4, uintptr_t a5)
{
  const uint64_t target = a0, mode = a1, uid = a2, gid = a3;
  const uint64_t maxread = a4, flags = a5;

  const int fuse_fd = open("/dev/fuse", O_RDWR);
  if (fuse_fd == -1)
    return fuse_fd;

  /* the fixed part is well under 100 bytes; each optional item adds < 40 */
  char opts[1024];
  int len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o",
                    fuse_fd, (long)uid, (long)gid, (unsigned)mode & ~3u);
  if (maxread != 0)
    len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
  if (mode & 1)
    len += sprintf(opts + len, ",default_permissions");
  if (mode & 2)
    len += sprintf(opts + len, ",allow_other");
  syscall(SYS_mount, "", target, "fuse", flags, opts);

  return fuse_fd;
}

/* syzkaller pseudo-syscall: mount a fuseblk filesystem on a synthetic block
 * device node.
 *
 * a0 target path, a1 path at which to create the block device node, a2 mode
 * (bit 0: default_permissions, bit 1: allow_other, rest: rootmode), a3
 * user_id, a4 group_id, a5 max_read (0 = omit), a6 blksize (0 = omit),
 * a7 mount flags.
 * Opens /dev/fuse, creates a block special file with device number (7,199)
 * at a1, then mounts "fuseblk" from it with the assembled option string.
 * Quirk kept from the generated code: if mknodat() fails the still-open
 * /dev/fuse descriptor is returned without attempting the mount, so the
 * caller cannot tell that from success.  -1 is returned only when /dev/fuse
 * cannot be opened; the mount(2) result is ignored.
 */
static uintptr_t syz_fuseblk_mount(uintptr_t a0, uintptr_t a1,
                                   uintptr_t a2, uintptr_t a3,
                                   uintptr_t a4, uintptr_t a5,
                                   uintptr_t a6, uintptr_t a7)
{
  const uint64_t target = a0, blkdev = a1, mode = a2, uid = a3;
  const uint64_t gid = a4, maxread = a5, blksize = a6, flags = a7;

  const int fuse_fd = open("/dev/fuse", O_RDWR);
  if (fuse_fd == -1)
    return fuse_fd;
  if (syscall(SYS_mknodat, AT_FDCWD, blkdev, S_IFBLK, makedev(7, 199)) != 0)
    return fuse_fd;

  /* fixed part is well under 100 bytes; each optional item adds < 40 */
  char opts[256];
  int len = sprintf(opts, "fd=%d,user_id=%ld,group_id=%ld,rootmode=0%o",
                    fuse_fd, (long)uid, (long)gid, (unsigned)mode & ~3u);
  if (maxread != 0)
    len += sprintf(opts + len, ",max_read=%ld", (long)maxread);
  if (blksize != 0)
    len += sprintf(opts + len, ",blksize=%ld", (long)blksize);
  if (mode & 1)
    len += sprintf(opts + len, ",default_permissions");
  if (mode & 2)
    len += sprintf(opts + len, ",allow_other");
  syscall(SYS_mount, blkdev, target, "fuseblk", flags, opts);

  return fuse_fd;
}

/* Dispatch one call of the syzkaller program.  Numbers in the __NR_syz_*
 * range are pseudo-syscalls implemented by the syz_* helpers above; every
 * other number is passed to the raw syscall(2) with its first six arguments.
 * a6 and a7 are consumed only by syz_fuseblk_mount; a8 is never used.
 */
static uintptr_t execute_syscall(int nr, uintptr_t a0, uintptr_t a1,
                                 uintptr_t a2, uintptr_t a3,
                                 uintptr_t a4, uintptr_t a5,
                                 uintptr_t a6, uintptr_t a7,
                                 uintptr_t a8)
{
  (void)a8;
  if (nr == __NR_syz_test)
    return 0;
  if (nr == __NR_syz_open_dev)
    return syz_open_dev(a0, a1, a2);
  if (nr == __NR_syz_open_pts)
    return syz_open_pts(a0, a1);
  if (nr == __NR_syz_fuse_mount)
    return syz_fuse_mount(a0, a1, a2, a3, a4, a5);
  if (nr == __NR_syz_fuseblk_mount)
    return syz_fuseblk_mount(a0, a1, a2, a3, a4, a5, a6, a7);
  return syscall(nr, a0, a1, a2, a3, a4, a5);
}

/* Results of the calls issued by thr(); the index is syzkaller's result slot.
 * main() pre-fills it with -1 (memset of 0xff bytes) so an unexecuted step
 * reads as a failed call.  r[1] and r[15] are the two socket fds that later
 * steps consume. */
long r[28];
/* Worker thread body: arg selects one step of the syzkaller program.  main()
 * starts the six steps twice, so each step may run concurrently with a second
 * instance of itself and with the others.  Results land in r[].
 *
 * The constants are the x86-64 Linux values:
 *   step 0  mmap(0x20000000, 0xe2b000, PROT_READ|PROT_WRITE (0x3),
 *           MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS (0x32), -1, 0): the scratch
 *           region [0x20000000, 0x20e2b000) that steps 2 and 5 write into;
 *   step 1  r[1]  = socket(AF_INET (0x2), SOCK_DCCP|SOCK_NONBLOCK (0x806), 0);
 *   step 2  bind(r[1], sockaddr_in{AF_INET, port 0x4242, 0.0.0.0}, 16);
 *   step 3  listen(r[1], 1);
 *   step 4  r[15] = socket(AF_INET, SOCK_DCCP (0x6), 0), a blocking socket;
 *   step 5  connect(r[15], the same sockaddr_in, 16), i.e. to the step-3
 *           listener.  This blocking connect is the SyS_connect ->
 *           inet_wait_for_connect -> release_sock -> backlog path shown in
 *           the kernel warning this reproducer triggers.
 * The sockaddr is written byte-wise under NONFAILING() so that a store into a
 * scratch region that is not (yet) mapped is skipped instead of crashing.
 * Port 0x4242 is the same value in host and network byte order.
 */
void* thr(void* arg)
{
  switch ((long)arg) {
  case 0:
    r[0] =
        execute_syscall(__NR_mmap, 0x20000000ul, 0xe2b000ul, 0x3ul,
                        0x32ul, 0xfffffffffffffffful, 0x0ul, 0, 0, 0);
    break;
  case 1:
    r[1] = execute_syscall(__NR_socket, 0x2ul, 0x806ul, 0x0ul, 0, 0, 0,
                           0, 0, 0);
    break;
  case 2:
    /* sin_family, sin_port, sin_addr, then the 8 bytes of sin_zero */
    NONFAILING(*(uint16_t*)0x204e8000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x204e8002 = (uint16_t)0x4242);
    NONFAILING(*(uint32_t*)0x204e8004 = (uint32_t)0x0);
    NONFAILING(*(uint8_t*)0x204e8008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e8009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x204e800f = (uint8_t)0x0);
    r[13] = execute_syscall(__NR_bind, r[1], 0x204e8000ul, 0x10ul, 0, 0,
                            0, 0, 0, 0);
    break;
  case 3:
    r[14] =
        execute_syscall(__NR_listen, r[1], 0x1ul, 0, 0, 0, 0, 0, 0, 0);
    break;
  case 4:
    r[15] = execute_syscall(__NR_socket, 0x2ul, 0x6ul, 0x0ul, 0, 0, 0,
                            0, 0, 0);
    break;
  case 5:
    /* same sockaddr_in layout as step 2, at a second scratch address */
    NONFAILING(*(uint16_t*)0x20e26000 = (uint16_t)0x2);
    NONFAILING(*(uint16_t*)0x20e26002 = (uint16_t)0x4242);
    NONFAILING(*(uint32_t*)0x20e26004 = (uint32_t)0x0);
    NONFAILING(*(uint8_t*)0x20e26008 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e26009 = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600a = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600b = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600c = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600d = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600e = (uint8_t)0x0);
    NONFAILING(*(uint8_t*)0x20e2600f = (uint8_t)0x0);
    r[27] = execute_syscall(__NR_connect, r[15], 0x20e26000ul, 0x10ul,
                            0, 0, 0, 0, 0, 0);
    break;
  }
  return 0;
}

/* Entry point: run the six program steps as threads, twice.  The first round
 * is spaced 10 ms apart so the steps execute roughly in order (mmap, socket,
 * bind, listen, socket, connect); the second round re-runs them with random
 * 0-10 ms gaps to race against the first.  The process sleeps 100 ms and then
 * exits without joining, which tears the threads down with it.  Return values
 * of pthread_create() are not checked.
 */
int main()
{
  enum { STEPS = 6, ROUNDS = 2 };
  pthread_t workers[STEPS * ROUNDS];

  install_segv_handler();
  memset(r, -1, sizeof(r));
  srand(getpid());

  for (long step = 0; step < STEPS; step++) {
    pthread_create(&workers[step], 0, thr, (void*)step);
    usleep(10000);
  }
  for (long step = 0; step < STEPS; step++) {
    pthread_create(&workers[STEPS + step], 0, thr, (void*)step);
    if (rand() % 2)
      usleep(rand() % 10000);
  }
  usleep(100000);
  return 0;
}


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
  2016-10-29  0:40 ` Andrey Konovalov
@ 2016-10-29  6:10   ` Cong Wang
  -1 siblings, 0 replies; 22+ messages in thread
From: Cong Wang @ 2016-10-29  6:10 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet, Alexander Potapenko,
	Kostya Serebryany, syzkaller

[-- Attachment #1: Type: text/plain, Size: 2750 bytes --]

On Fri, Oct 28, 2016 at 5:40 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer:
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
> do not call blocking ops when !TASK_RUNNING; state=1 set at
> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
> kernel/sched/wait.c:178
> Modules linked in:
> CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
>  ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
>  ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>  [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
>  [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
>  [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>  [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
>  [<     inline     >] slab_alloc_node mm/slub.c:2634
>  [<     inline     >] slab_alloc mm/slub.c:2716
>  [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
>  [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
>  [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
> net/dccp/feat.c:374
>  [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
>  [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
>  [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
>  [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
>  [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
>  [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
>  [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
>  [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
>  [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
>  [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
>  [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
>  [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
>  [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
>  [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
>  [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209

Should be fixed by the attached patch. I will verify it with your
reproducer tomorrow.

Thanks!

[-- Attachment #2: dccp.diff --]
[-- Type: text/plain, Size: 1775 bytes --]

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index 1704948..c90cb35 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -367,11 +367,11 @@ static inline int dccp_feat_must_be_understood(u8 feat_num)
 }
 
 /* copy constructor, fval must not already contain allocated memory */
-static int dccp_feat_clone_sp_val(dccp_feat_val *fval, u8 const *val, u8 len)
+static int dccp_feat_clone_sp_val(dccp_feat_val *fval, u8 const *val, u8 len, gfp_t flags)
 {
 	fval->sp.len = len;
 	if (fval->sp.len > 0) {
-		fval->sp.vec = kmemdup(val, len, gfp_any());
+		fval->sp.vec = kmemdup(val, len, flags);
 		if (fval->sp.vec == NULL) {
 			fval->sp.len = 0;
 			return -ENOBUFS;
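Review bot: The new `gfp_t flags` parameter is not described anywhere; the comment above the function still reads only `/* copy constructor, fval must not already contain allocated memory */`, yet the whole point of the change is that the caller now chooses the allocation context. Extend it, e.g. `/* copy constructor, fval must not already contain allocated memory; @flags is the allocation context and must be GFP_ATOMIC when the caller may already be marked sleeping (the release_sock() backlog path under inet_wait_for_connect() in the report) */`. It is also worth stating in the changelog why gfp_any() was wrong here: it decides on interrupt context alone, so it returned GFP_KERNEL even though prepare_to_wait() had already set the task state, which is what __might_sleep() warns about. The body of dccp_feat_clone_sp_val continues past the hunk.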
@@ -404,7 +404,8 @@ static void dccp_feat_val_destructor(u8 feat_num, dccp_feat_val *val)
 
 	if (type == FEAT_SP && dccp_feat_clone_sp_val(&new->val,
 						      original->val.sp.vec,
-						      original->val.sp.len)) {
+						      original->val.sp.len,
+						      gfp_any())) {
 		kfree(new);
 		return NULL;
 	}
@@ -735,7 +736,7 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
 	if (feat == DCCPF_CCID && !ccid_support_check(sp_val, sp_len))
 		return -EOPNOTSUPP;
 
-	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len, gfp_any()))
 		return -ENOMEM;
 
 	return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
@@ -1138,7 +1139,7 @@ static u8 dccp_feat_change_recv(struct list_head *fn, u8 is_mandatory, u8 opt,
 		 *   otherwise we accept the preferred value;
 		 * - else if we are the client, we use the first list element.
 		 */
-		if (dccp_feat_clone_sp_val(&fval, val, 1))
+		if (dccp_feat_clone_sp_val(&fval, val, 1, GFP_ATOMIC))
 			return DCCP_RESET_CODE_TOO_BUSY;
 
 		if (len > 1 && server) {
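Review bot: Passing GFP_ATOMIC at this one call site fixes only the first allocation in dccp_feat_change_recv(); the same function later calls dccp_feat_push_confirm(), which allocates through dccp_feat_entry_new(), and the follow-up report in this thread shows exactly that allocation (feat.c:1160 via feat.c:516 and feat.c:468) warning after this patch is applied. The allocation context therefore needs to be threaded through the whole dccp_feat_change_recv() path, or the problem addressed where the caller enters the sleeping state, rather than patched per call site; whether dccp_feat_push_confirm() itself uses gfp_any() cannot be seen from this hunk. dccp_feat_change_recv() starts and ends outside the hunk.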


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29  6:10   ` Cong Wang
  0 siblings, 0 replies; 22+ messages in thread
From: Cong Wang @ 2016-10-29  6:10 UTC (permalink / raw)
  To: dccp

[-- Attachment #1: Type: text/plain, Size: 2750 bytes --]

On Fri, Oct 28, 2016 at 5:40 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
> Hi,
>
> I've got the following error report while running the syzkaller fuzzer:
>
> ------------[ cut here ]------------
> WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
> do not call blocking ops when !TASK_RUNNING; state=1 set at
> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
> kernel/sched/wait.c:178
> Modules linked in:
> CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>  ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
>  ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
>  ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
> Call Trace:
>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>  [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>  [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
>  [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
>  [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>  [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
>  [<     inline     >] slab_alloc_node mm/slub.c:2634
>  [<     inline     >] slab_alloc mm/slub.c:2716
>  [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
>  [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
>  [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
> net/dccp/feat.c:374
>  [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
>  [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
>  [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
>  [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
>  [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
>  [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
>  [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
>  [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
>  [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
>  [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
>  [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
>  [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
>  [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
>  [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
>  [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
> arch/x86/entry/entry_64.S:209

Should be fixed by the attached patch. I will verify it with your
reproducer tomorrow.

Thanks!

[-- Attachment #2: dccp.diff --]
[-- Type: text/plain, Size: 1775 bytes --]

diff --git a/net/dccp/feat.c b/net/dccp/feat.c
index 1704948..c90cb35 100644
--- a/net/dccp/feat.c
+++ b/net/dccp/feat.c
@@ -367,11 +367,11 @@ static inline int dccp_feat_must_be_understood(u8 feat_num)
 }
 
 /* copy constructor, fval must not already contain allocated memory */
-static int dccp_feat_clone_sp_val(dccp_feat_val *fval, u8 const *val, u8 len)
+static int dccp_feat_clone_sp_val(dccp_feat_val *fval, u8 const *val, u8 len, gfp_t flags)
 {
 	fval->sp.len = len;
 	if (fval->sp.len > 0) {
-		fval->sp.vec = kmemdup(val, len, gfp_any());
+		fval->sp.vec = kmemdup(val, len, flags);
 		if (fval->sp.vec == NULL) {
 			fval->sp.len = 0;
 			return -ENOBUFS;
@@ -404,7 +404,8 @@ static void dccp_feat_val_destructor(u8 feat_num, dccp_feat_val *val)
 
 	if (type == FEAT_SP && dccp_feat_clone_sp_val(&new->val,
 						      original->val.sp.vec,
-						      original->val.sp.len)) {
+						      original->val.sp.len,
+						      gfp_any())) {
 		kfree(new);
 		return NULL;
 	}
@@ -735,7 +736,7 @@ static int __feat_register_sp(struct list_head *fn, u8 feat, u8 is_local,
 	if (feat == DCCPF_CCID && !ccid_support_check(sp_val, sp_len))
 		return -EOPNOTSUPP;
 
-	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len))
+	if (dccp_feat_clone_sp_val(&fval, sp_val, sp_len, gfp_any()))
 		return -ENOMEM;
 
 	return dccp_feat_push_change(fn, feat, is_local, mandatory, &fval);
@@ -1138,7 +1139,7 @@ static u8 dccp_feat_change_recv(struct list_head *fn, u8 is_mandatory, u8 opt,
 		 *   otherwise we accept the preferred value;
 		 * - else if we are the client, we use the first list element.
 		 */
-		if (dccp_feat_clone_sp_val(&fval, val, 1))
+		if (dccp_feat_clone_sp_val(&fval, val, 1, GFP_ATOMIC))
 			return DCCP_RESET_CODE_TOO_BUSY;
 
 		if (len > 1 && server) {


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
  2016-10-29  0:40 ` Andrey Konovalov
@ 2016-10-29 17:06     ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-29 17:06 UTC (permalink / raw)
  To: Cong Wang
  Cc: Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet, Alexander Potapenko,
	Kostya Serebryany, syzkaller

Hi Cong,

Tested with your patch, still getting a warning, though it's a little different:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
__might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
kernel/sched/wait.c:178
Modules linked in:
CPU: 1 PID: 3876 Comm: a.out Not tainted 4.9.0-rc2+ #325
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006c2d7770 ffffffff81b46914 ffff88006c2d77e8 0000000000000000
 ffffffff84052960 0000000000000000 ffff88006c2d77b8 ffffffff81111237
 0000000041b58ab3 ffffffff00001e2c ffffed000d85aef9 ffffffff84052960
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
 [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
 [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
 [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
 [<     inline     >] slab_alloc_node mm/slub.c:2634
 [<     inline     >] slab_alloc mm/slub.c:2716
 [<ffffffff815054fb>] kmem_cache_alloc_trace+0x1bb/0x270 mm/slub.c:2733
 [<     inline     >] kmalloc ./include/linux/slab.h:490
 [<ffffffff83889e62>] dccp_feat_entry_new+0x182/0x2a0 net/dccp/feat.c:468
 [<ffffffff8388a1ea>] dccp_feat_push_confirm+0x3a/0x270 net/dccp/feat.c:516
 [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1160
 [<ffffffff8388d587>] dccp_feat_parse_options+0xb37/0x13d0 net/dccp/feat.c:1412
 [<ffffffff83894f61>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
 [<ffffffff838912e0>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
 [<ffffffff838b8af4>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
 [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
 [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
 [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
 [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
 [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
 [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
 [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
 [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
 [<ffffffff83fbf781>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
---[ end trace c7e036cf4dc54077 ]---

Thanks!

On Sat, Oct 29, 2016 at 8:10 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Fri, Oct 28, 2016 at 5:40 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
>> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>> do not call blocking ops when !TASK_RUNNING; state=1 set at
>> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
>> kernel/sched/wait.c:178
>> Modules linked in:
>> CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
>>  ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
>>  ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
>> Call Trace:
>>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>>  [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>>  [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
>>  [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
>>  [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>>  [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
>>  [<     inline     >] slab_alloc_node mm/slub.c:2634
>>  [<     inline     >] slab_alloc mm/slub.c:2716
>>  [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
>>  [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
>>  [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
>> net/dccp/feat.c:374
>>  [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
>>  [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
>>  [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
>>  [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
>>  [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
>>  [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
>>  [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
>>  [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
>>  [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
>>  [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
>>  [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
>>  [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
>>  [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
>>  [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
>>  [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>
> Should be fixed the attached patch. I will verify it with your
> reproducer tomorrow.
>
> Thanks!


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 17:06     ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-29 17:06 UTC (permalink / raw)
  To: dccp

Hi Cong,

Tested with your patch, still getting a warning, though it's a little different:

------------[ cut here ]------------
WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
__might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
do not call blocking ops when !TASK_RUNNING; state=1 set at
[<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
kernel/sched/wait.c:178
Modules linked in:
CPU: 1 PID: 3876 Comm: a.out Not tainted 4.9.0-rc2+ #325
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
 ffff88006c2d7770 ffffffff81b46914 ffff88006c2d77e8 0000000000000000
 ffffffff84052960 0000000000000000 ffff88006c2d77b8 ffffffff81111237
 0000000041b58ab3 ffffffff00001e2c ffffed000d85aef9 ffffffff84052960
Call Trace:
 [<     inline     >] __dump_stack lib/dump_stack.c:15
 [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
 [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
 [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
 [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
 [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
 [<     inline     >] slab_alloc_node mm/slub.c:2634
 [<     inline     >] slab_alloc mm/slub.c:2716
 [<ffffffff815054fb>] kmem_cache_alloc_trace+0x1bb/0x270 mm/slub.c:2733
 [<     inline     >] kmalloc ./include/linux/slab.h:490
 [<ffffffff83889e62>] dccp_feat_entry_new+0x182/0x2a0 net/dccp/feat.c:468
 [<ffffffff8388a1ea>] dccp_feat_push_confirm+0x3a/0x270 net/dccp/feat.c:516
 [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1160
 [<ffffffff8388d587>] dccp_feat_parse_options+0xb37/0x13d0 net/dccp/feat.c:1412
 [<ffffffff83894f61>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
 [<ffffffff838912e0>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
 [<ffffffff838b8af4>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
 [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
 [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
 [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
 [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
 [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
 [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
 [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
 [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
 [<ffffffff83fbf781>] entry_SYSCALL_64_fastpath+0x1f/0xc2
arch/x86/entry/entry_64.S:209
---[ end trace c7e036cf4dc54077 ]---

Thanks!

On Sat, Oct 29, 2016 at 8:10 AM, Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Fri, Oct 28, 2016 at 5:40 PM, Andrey Konovalov <andreyknvl@google.com> wrote:
>> Hi,
>>
>> I've got the following error report while running the syzkaller fuzzer:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 0 PID: 4608 at kernel/sched/core.c:7724
>> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>> do not call blocking ops when !TASK_RUNNING; state=1 set at
>> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
>> kernel/sched/wait.c:178
>> Modules linked in:
>> CPU: 0 PID: 4608 Comm: syz-executor Not tainted 4.9.0-rc2+ #320
>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>  ffff88006625f7a0 ffffffff81b46914 ffff88006625f818 0000000000000000
>>  ffffffff84052960 0000000000000000 ffff88006625f7e8 ffffffff81111237
>>  ffff88006aceac00 ffffffff00001e2c ffffed000cc4beff ffffffff84052960
>> Call Trace:
>>  [<     inline     >] __dump_stack lib/dump_stack.c:15
>>  [<ffffffff81b46914>] dump_stack+0xb3/0x10f lib/dump_stack.c:51
>>  [<ffffffff81111237>] __warn+0x1a7/0x1f0 kernel/panic.c:550
>>  [<ffffffff8111132c>] warn_slowpath_fmt+0xac/0xd0 kernel/panic.c:565
>>  [<ffffffff811922fc>] __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>>  [<     inline     >] slab_pre_alloc_hook mm/slab.h:393
>>  [<     inline     >] slab_alloc_node mm/slub.c:2634
>>  [<     inline     >] slab_alloc mm/slub.c:2716
>>  [<ffffffff81508da0>] __kmalloc_track_caller+0x150/0x2a0 mm/slub.c:4240
>>  [<ffffffff8146be14>] kmemdup+0x24/0x50 mm/util.c:113
>>  [<ffffffff8388b2cf>] dccp_feat_clone_sp_val.part.5+0x4f/0xe0
>> net/dccp/feat.c:374
>>  [<     inline     >] dccp_feat_clone_sp_val net/dccp/feat.c:1141
>>  [<     inline     >] dccp_feat_change_recv net/dccp/feat.c:1141
>>  [<ffffffff8388d491>] dccp_feat_parse_options+0xaa1/0x13d0 net/dccp/feat.c:1411
>>  [<ffffffff83894f01>] dccp_parse_options+0x721/0x1010 net/dccp/options.c:128
>>  [<ffffffff83891280>] dccp_rcv_state_process+0x200/0x15b0 net/dccp/input.c:644
>>  [<ffffffff838b8a94>] dccp_v4_do_rcv+0xf4/0x1a0 net/dccp/ipv4.c:681
>>  [<     inline     >] sk_backlog_rcv ./include/net/sock.h:872
>>  [<ffffffff82b7ceb6>] __release_sock+0x126/0x3a0 net/core/sock.c:2044
>>  [<ffffffff82b7d189>] release_sock+0x59/0x1c0 net/core/sock.c:2502
>>  [<     inline     >] inet_wait_for_connect net/ipv4/af_inet.c:547
>>  [<ffffffff8316b2a2>] __inet_stream_connect+0x5d2/0xbb0 net/ipv4/af_inet.c:617
>>  [<ffffffff8316b8d5>] inet_stream_connect+0x55/0xa0 net/ipv4/af_inet.c:656
>>  [<ffffffff82b705e4>] SYSC_connect+0x244/0x2f0 net/socket.c:1533
>>  [<ffffffff82b72dd4>] SyS_connect+0x24/0x30 net/socket.c:1514
>>  [<ffffffff83fbf701>] entry_SYSCALL_64_fastpath+0x1f/0xc2
>> arch/x86/entry/entry_64.S:209
>
> Should be fixed the attached patch. I will verify it with your
> reproducer tomorrow.
>
> Thanks!


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 17:43       ` Eric Dumazet
From: Eric Dumazet @ 2016-10-29 17:43 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Cong Wang, Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet

On Sat, 2016-10-29 at 19:06 +0200, Andrey Konovalov wrote:
> Hi Cong,
> 
> Tested with your patch, still getting a warning, though it's a little different:
> 
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
> do not call blocking ops when !TASK_RUNNING; state=1 set at
> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
> kernel/sched/wait.c:178
> Modules linked in:

It looks like the following patch is needed; can you test it?
Thanks !

diff --git a/net/dccp/output.c b/net/dccp/output.c
index b66c84db0766..74d8583a0d52 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -228,6 +228,7 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
 
 	remaining = schedule_timeout(delay);
 
+	sched_annotate_sleep();
 	lock_sock(sk);
 	sk->sk_write_pending--;
 	finish_wait(sk_sleep(sk), &wait);
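Review bot: `sched_annotate_sleep()` placed after `schedule_timeout(delay)` only covers the following `lock_sock(sk)`, but schedule_timeout() returns with the task already back in TASK_RUNNING, so __might_sleep() cannot trip there. Both traces in this thread place the allocation under release_sock() → __release_sock(), i.e. the backlog run that happens before the wait, while the state set by prepare_to_wait() is still TASK_INTERRUPTIBLE; an annotation would have to precede that release_sock(). dccp_wait_for_ccid's body starts and ends outside the hunk; the identical hunk is repeated in the dccp-list copy of this message below.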


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 17:43       ` Eric Dumazet
From: Eric Dumazet @ 2016-10-29 17:43 UTC (permalink / raw)
  To: dccp

On Sat, 2016-10-29 at 19:06 +0200, Andrey Konovalov wrote:
> Hi Cong,
> 
> Tested with your patch, still getting a warning, though it's a little different:
> 
> ------------[ cut here ]------------
> WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
> do not call blocking ops when !TASK_RUNNING; state=1 set at
> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
> kernel/sched/wait.c:178
> Modules linked in:

It looks like the following patch is needed; can you test it?
Thanks !

diff --git a/net/dccp/output.c b/net/dccp/output.c
index b66c84db0766..74d8583a0d52 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -228,6 +228,7 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
 
 	remaining = schedule_timeout(delay);
 
+	sched_annotate_sleep();
 	lock_sock(sk);
 	sk->sk_write_pending--;
 	finish_wait(sk_sleep(sk), &wait);





* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 17:59         ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-29 17:59 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Cong Wang, Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet

Hi Eric,

Tested with both patches applied, still seeing the warning.

Thanks!

On Sat, Oct 29, 2016 at 7:43 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sat, 2016-10-29 at 19:06 +0200, Andrey Konovalov wrote:
>> Hi Cong,
>>
>> Tested with your patch, still getting a warning, though it's a little different:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
>> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>> do not call blocking ops when !TASK_RUNNING; state=1 set at
>> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
>> kernel/sched/wait.c:178
>> Modules linked in:
>
> This looks like the following patch is needed, can you test it ?
> Thanks !
>
> diff --git a/net/dccp/output.c b/net/dccp/output.c
> index b66c84db0766..74d8583a0d52 100644
> --- a/net/dccp/output.c
> +++ b/net/dccp/output.c
> @@ -228,6 +228,7 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
>
>         remaining = schedule_timeout(delay);
>
> +       sched_annotate_sleep();
>         lock_sock(sk);
>         sk->sk_write_pending--;
>         finish_wait(sk_sleep(sk), &wait);
>
>
>


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 17:59         ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-29 17:59 UTC (permalink / raw)
  To: dccp

Hi Eric,

Tested with both patches applied, still seeing the warning.

Thanks!

On Sat, Oct 29, 2016 at 7:43 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sat, 2016-10-29 at 19:06 +0200, Andrey Konovalov wrote:
>> Hi Cong,
>>
>> Tested with your patch, still getting a warning, though it's a little different:
>>
>> ------------[ cut here ]------------
>> WARNING: CPU: 1 PID: 3876 at kernel/sched/core.c:7724
>> __might_sleep+0x14c/0x1a0 kernel/sched/core.c:7719
>> do not call blocking ops when !TASK_RUNNING; state=1 set at
>> [<ffffffff811f5a5c>] prepare_to_wait+0xbc/0x210
>> kernel/sched/wait.c:178
>> Modules linked in:
>
> This looks like the following patch is needed, can you test it ?
> Thanks !
>
> diff --git a/net/dccp/output.c b/net/dccp/output.c
> index b66c84db0766..74d8583a0d52 100644
> --- a/net/dccp/output.c
> +++ b/net/dccp/output.c
> @@ -228,6 +228,7 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
>
>         remaining = schedule_timeout(delay);
>
> +       sched_annotate_sleep();
>         lock_sock(sk);
>         sk->sk_write_pending--;
>         finish_wait(sk_sleep(sk), &wait);
>
>
>


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 18:05           ` Eric Dumazet
From: Eric Dumazet @ 2016-10-29 18:05 UTC (permalink / raw)
  To: Andrey Konovalov
  Cc: Cong Wang, Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet

On Sat, 2016-10-29 at 19:59 +0200, Andrey Konovalov wrote:
> Hi Eric,
> 
> Tested with both patches applied, still seeing the warning.
> 
> Thanks!

Arg, sorry, this was at the wrong place.

Thanks for testing !

diff --git a/net/dccp/output.c b/net/dccp/output.c
index b66c84db0766..2548edff86ff 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -224,6 +224,11 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
 
 	prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
 	sk->sk_write_pending++;
+
+	/* release_sock()/lock_sock() will process socket backlog
+	 * from process context. Be prepared to sleep !
+	 */
+	sched_annotate_sleep();
 	release_sock(sk);
 
 	remaining = schedule_timeout(delay);
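Review bot: `sched_annotate_sleep()` here asserts that dccp_wait_for_ccid tolerates a nested sleep, and that assumption deserves a check: if the backlog processed by the following `release_sock(sk)` blocks, the task comes back in TASK_RUNNING, so the later `schedule_timeout(delay)` can return immediately with most of `delay` unused. The function as quoted elsewhere in this thread is a single wait that returns `remaining`, not a loop re-checking a condition, so the caller must be able to cope with `remaining` close to `delay`; if it cannot, the fix needs a re-check loop around the wait rather than only the annotation. The added comment would be more useful if it named the accepted spurious wakeup, e.g. `/* release_sock() may run the backlog and sleep; the wait below may then return early, which the caller tolerates. */`. The function's body starts and ends outside the hunk; the identical hunk is repeated in the dccp-list copy of this message below.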


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-29 18:05           ` Eric Dumazet
From: Eric Dumazet @ 2016-10-29 18:05 UTC (permalink / raw)
  To: dccp

On Sat, 2016-10-29 at 19:59 +0200, Andrey Konovalov wrote:
> Hi Eric,
> 
> Tested with both patches applied, still seeing the warning.
> 
> Thanks!

Arg, sorry, this was at the wrong place.

Thanks for testing !

diff --git a/net/dccp/output.c b/net/dccp/output.c
index b66c84db0766..2548edff86ff 100644
--- a/net/dccp/output.c
+++ b/net/dccp/output.c
@@ -224,6 +224,11 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
 
 	prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
 	sk->sk_write_pending++;
+
+	/* release_sock()/lock_sock() will process socket backlog
+	 * from process context. Be prepared to sleep !
+	 */
+	sched_annotate_sleep();
 	release_sock(sk);
 
 	remaining = schedule_timeout(delay);




* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-30  4:41             ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-30  4:41 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Cong Wang, Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet

Sorry, the warning is still there.

I'm not sure adding sched_annotate_sleep() does anything, since (when
CONFIG_DEBUG_ATOMIC_SLEEP is not set) it's defined as:
# define sched_annotate_sleep() do { } while (0)

On Sat, Oct 29, 2016 at 8:05 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sat, 2016-10-29 at 19:59 +0200, Andrey Konovalov wrote:
>> Hi Eric,
>>
>> Tested with both patches applied, still seeing the warning.
>>
>> Thanks!
>
> Arg, sorry, this was at the wrong place.
>
> Thanks for testing !
>
> diff --git a/net/dccp/output.c b/net/dccp/output.c
> index b66c84db0766..2548edff86ff 100644
> --- a/net/dccp/output.c
> +++ b/net/dccp/output.c
> @@ -224,6 +224,11 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
>
>         prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
>         sk->sk_write_pending++;
> +
> +       /* release_sock()/lock_sock() will process socket backlog
> +        * from process context. Be prepared to sleep !
> +        */
> +       sched_annotate_sleep();
>         release_sock(sk);
>
>         remaining = schedule_timeout(delay);
>
>


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-30  4:41             ` Andrey Konovalov
From: Andrey Konovalov @ 2016-10-30  4:41 UTC (permalink / raw)
  To: dccp

Sorry, the warning is still there.

I'm not sure adding sched_annotate_sleep() does anything, since (when
CONFIG_DEBUG_ATOMIC_SLEEP is not set) it's defined as:
# define sched_annotate_sleep() do { } while (0)

On Sat, Oct 29, 2016 at 8:05 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sat, 2016-10-29 at 19:59 +0200, Andrey Konovalov wrote:
>> Hi Eric,
>>
>> Tested with both patches applied, still seeing the warning.
>>
>> Thanks!
>
> Arg, sorry, this was at the wrong place.
>
> Thanks for testing !
>
> diff --git a/net/dccp/output.c b/net/dccp/output.c
> index b66c84db0766..2548edff86ff 100644
> --- a/net/dccp/output.c
> +++ b/net/dccp/output.c
> @@ -224,6 +224,11 @@ static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
>
>         prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
>         sk->sk_write_pending++;
> +
> +       /* release_sock()/lock_sock() will process socket backlog
> +        * from process context. Be prepared to sleep !
> +        */
> +       sched_annotate_sleep();
>         release_sock(sk);
>
>         remaining = schedule_timeout(delay);
>
>


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-30 13:20               ` Eric Dumazet
From: Eric Dumazet @ 2016-10-30 13:20 UTC (permalink / raw)
  To: Andrey Konovalov, Peter Zijlstra
  Cc: Cong Wang, Gerrit Renker, David S. Miller, dccp, netdev, LKML,
	Dmitry Vyukov, Eric Dumazet

On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
> Sorry, the warning is still there.
> 
> I'm not sure adding sched_annotate_sleep() does anything, since it's
> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
> # define sched_annotate_sleep() do { } while (0)

Thanks again for testing.

But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
__might_sleep() :

WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,

Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
("sched: don't cause task state changes in nested sleep debugging")

Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
("sched, net: Clean up sk_wait_event() vs. might_sleep()") 

Before release_sock() could process the backlog in process context, only
lock_sock() could trigger the issue, so my fix at that time was commit
cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
inet_csk_wait_for_connect() vs. might_sleep()")

I guess we need something else now, because the following :

static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
{
        DEFINE_WAIT(wait);
        long remaining;

        prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
        sk->sk_write_pending++;
        release_sock(sk);
	...


can now process the socket backlog in process context from
release_sock(), so all GFP_KERNEL allocations might barf because of
TASK_INTERRUPTIBLE being used at that point.

sk_wait_event() probably also needs a fix.

Peter, any idea how this can be done ?

Thanks !


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-30 13:20               ` Eric Dumazet
From: Eric Dumazet @ 2016-10-30 13:20 UTC (permalink / raw)
  To: dccp

On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
> Sorry, the warning is still there.
> 
> I'm not sure adding sched_annotate_sleep() does anything, since it's
> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
> # define sched_annotate_sleep() do { } while (0)

Thanks again for testing.

But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
__might_sleep() :

WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,

Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
("sched: don't cause task state changes in nested sleep debugging")

Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
("sched, net: Clean up sk_wait_event() vs. might_sleep()") 

Before release_sock() could process the backlog in process context, only
lock_sock() could trigger the issue, so my fix at that time was commit
cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
inet_csk_wait_for_connect() vs. might_sleep()")

I guess we need something else now, because the following :

static int dccp_wait_for_ccid(struct sock *sk, unsigned long delay)
{
        DEFINE_WAIT(wait);
        long remaining;

        prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
        sk->sk_write_pending++;
        release_sock(sk);
	...


can now process the socket backlog in process context from
release_sock(), so all GFP_KERNEL allocations might barf because of
TASK_INTERRUPTIBLE being used at that point.

sk_wait_event() probably also needs a fix.

Peter, any idea how this can be done ?

Thanks !



* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-31 18:00                 ` Cong Wang
From: Cong Wang @ 2016-10-31 18:00 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Andrey Konovalov, Peter Zijlstra, Gerrit Renker, David S. Miller,
	dccp, netdev, LKML, Dmitry Vyukov, Eric Dumazet

On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
>> Sorry, the warning is still there.
>>
>> I'm not sure adding sched_annotate_sleep() does anything, since it's
>> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
>> # define sched_annotate_sleep() do { } while (0)
>
> Thanks again for testing.
>
> But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
> __might_sleep() :
>
> WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
>
> Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
> ("sched: don't cause task state changes in nested sleep debugging")
>
> Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
> ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
>
> Before release_sock() could process the backlog in process context, only
> lock_sock() could trigger the issue, so my fix at that time was commit
> cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
> inet_csk_wait_for_connect() vs. might_sleep()")
>

Thanks for the context, but isn't the original warning reported by Andrey
from inet_wait_for_connect()? You seem to have only patched a dccp function,
which is why it is still there?

It should be the following, no?


diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 9648c97..bbd8159 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
long timeo, int writebias)
         * without closing the socket.
         */
        while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+               sched_annotate_sleep();
                release_sock(sk);
                timeo = schedule_timeout(timeo);
                lock_sock(sk);
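Review bot: The patch as posted is whitespace-damaged and will not apply with `git am`: the `@@ -544,6 +544,7 @@` header is wrapped onto a second line after `struct sock *sk,`, and the context and added lines are indented with spaces where the file uses tabs, which is typically a mail-client artifact; resend with git send-email or as an attachment. The placement itself looks sound: `sched_annotate_sleep()` sits directly before the `release_sock(sk)` that runs the backlog, and the enclosing `while` re-checks `sk->sk_state`, so an early return from the nested sleep is tolerated by the loop. The loop body starts and ends outside the hunk; the identical hunk is repeated in the dccp-list copy of this message below.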


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-31 18:00                 ` Cong Wang
From: Cong Wang @ 2016-10-31 18:00 UTC (permalink / raw)
  To: dccp

On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
>> Sorry, the warning is still there.
>>
>> I'm not sure adding sched_annotate_sleep() does anything, since it's
>> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
>> # define sched_annotate_sleep() do { } while (0)
>
> Thanks again for testing.
>
> But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
> __might_sleep() :
>
> WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
>
> Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
> ("sched: don't cause task state changes in nested sleep debugging")
>
> Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
> ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
>
> Before release_sock() could process the backlog in process context, only
> lock_sock() could trigger the issue, so my fix at that time was commit
> cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
> inet_csk_wait_for_connect() vs. might_sleep()")
>

Thanks for the context, but isn't the original warning reported by Andrey
from inet_wait_for_connect()? You seem to have only patched a dccp function,
which is why it is still there?

It should be the following, no?


diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
index 9648c97..bbd8159 100644
--- a/net/ipv4/af_inet.c
+++ b/net/ipv4/af_inet.c
@@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
long timeo, int writebias)
         * without closing the socket.
         */
        while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
+               sched_annotate_sleep();
                release_sock(sk);
                timeo = schedule_timeout(timeo);
                lock_sock(sk);


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-31 18:40                   ` Eric Dumazet
From: Eric Dumazet @ 2016-10-31 18:40 UTC (permalink / raw)
  To: Cong Wang
  Cc: Andrey Konovalov, Peter Zijlstra, Gerrit Renker, David S. Miller,
	dccp, netdev, LKML, Dmitry Vyukov, Eric Dumazet

On Mon, 2016-10-31 at 11:00 -0700, Cong Wang wrote:
> On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
> >> Sorry, the warning is still there.
> >>
> >> I'm not sure adding sched_annotate_sleep() does anything, since it's
> >> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
> >> # define sched_annotate_sleep() do { } while (0)
> >
> > Thanks again for testing.
> >
> > But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
> > __might_sleep() :
> >
> > WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
> >
> > Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
> > ("sched: don't cause task state changes in nested sleep debugging")
> >
> > Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
> > ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
> >
> > Before release_sock() could process the backlog in process context, only
> > lock_sock() could trigger the issue, so my fix at that time was commit
> > cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
> > inet_csk_wait_for_connect() vs. might_sleep()")
> >
> 
> Thanks for the context, but isn't the original warning reported by Andrey
> from inet_wait_for_connect()? You seem to have patched only some dccp function,
> which is why it is still there?
> 
> It should be the following, no?
> 
> 
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index 9648c97..bbd8159 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
> long timeo, int writebias)
>          * without closing the socket.
>          */
>         while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
> +               sched_annotate_sleep();
>                 release_sock(sk);
>                 timeo = schedule_timeout(timeo);
>                 lock_sock(sk);

Yes, this would be one of the locations needing this.


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-10-31 18:40                   ` Eric Dumazet
From: Eric Dumazet @ 2016-10-31 18:40 UTC (permalink / raw)
  To: dccp

On Mon, 2016-10-31 at 11:00 -0700, Cong Wang wrote:
> On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> > On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
> >> Sorry, the warning is still there.
> >>
> >> I'm not sure adding sched_annotate_sleep() does anything, since it's
> >> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
> >> # define sched_annotate_sleep() do { } while (0)
> >
> > Thanks again for testing.
> >
> > But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
> > __might_sleep() :
> >
> > WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
> >
> > Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
> > ("sched: don't cause task state changes in nested sleep debugging")
> >
> > Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
> > ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
> >
> > Before release_sock() could process the backlog in process context, only
> > lock_sock() could trigger the issue, so my fix at that time was commit
> > cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
> > inet_csk_wait_for_connect() vs. might_sleep()")
> >
> 
> Thanks for the context, but isn't the original warning reported by Andrey
> from inet_wait_for_connect()? You seem to have patched only some dccp function,
> which is why it is still there?
> 
> It should be the following, no?
> 
> 
> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
> index 9648c97..bbd8159 100644
> --- a/net/ipv4/af_inet.c
> +++ b/net/ipv4/af_inet.c
> @@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
> long timeo, int writebias)
>          * without closing the socket.
>          */
>         while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
> +               sched_annotate_sleep();
>                 release_sock(sk);
>                 timeo = schedule_timeout(timeo);
>                 lock_sock(sk);

Yes, this would be one of the locations needing this.





* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
  2016-10-29  0:40 ` Andrey Konovalov
@ 2016-11-01 16:33                     ` Andrey Konovalov
From: Andrey Konovalov @ 2016-11-01 16:33 UTC (permalink / raw)
  To: Eric Dumazet
  Cc: Cong Wang, Peter Zijlstra, Gerrit Renker, David S. Miller, dccp,
	netdev, LKML, Dmitry Vyukov, Eric Dumazet

Hi Cong,

Yes, your patches fix the warnings.

Tested-by: Andrey Konovalov <andreyknvl@google.com>

Thanks!

On Mon, Oct 31, 2016 at 7:40 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Mon, 2016-10-31 at 11:00 -0700, Cong Wang wrote:
>> On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> > On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
>> >> Sorry, the warning is still there.
>> >>
>> >> I'm not sure adding sched_annotate_sleep() does anything, since it's
>> >> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
>> >> # define sched_annotate_sleep() do { } while (0)
>> >
>> > Thanks again for testing.
>> >
>> > But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
>> > __might_sleep() :
>> >
>> > WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
>> >
>> > Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
>> > ("sched: don't cause task state changes in nested sleep debugging")
>> >
>> > Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
>> > ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
>> >
>> > Before release_sock() could process the backlog in process context, only
>> > lock_sock() could trigger the issue, so my fix at that time was commit
>> > cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
>> > inet_csk_wait_for_connect() vs. might_sleep()")
>> >
>>
>> Thanks for the context, but isn't the original warning reported by Andrey
>> from inet_wait_for_connect()? You seem to have patched only some dccp function,
>> which is why it is still there?
>>
>> It should be the following, no?
>>
>>
>> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
>> index 9648c97..bbd8159 100644
>> --- a/net/ipv4/af_inet.c
>> +++ b/net/ipv4/af_inet.c
>> @@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
>> long timeo, int writebias)
>>          * without closing the socket.
>>          */
>>         while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
>> +               sched_annotate_sleep();
>>                 release_sock(sk);
>>                 timeo = schedule_timeout(timeo);
>>                 lock_sock(sk);
>
> Yes, this would be one of the locations needing this.
>
>
>


* Re: net/dccp: warning in dccp_feat_clone_sp_val/__might_sleep
@ 2016-11-01 16:33                     ` Andrey Konovalov
From: Andrey Konovalov @ 2016-11-01 16:33 UTC (permalink / raw)
  To: dccp

Hi Cong,

Yes, your patches fix the warnings.

Tested-by: Andrey Konovalov <andreyknvl@google.com>

Thanks!

On Mon, Oct 31, 2016 at 7:40 PM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
> On Mon, 2016-10-31 at 11:00 -0700, Cong Wang wrote:
>> On Sun, Oct 30, 2016 at 6:20 AM, Eric Dumazet <eric.dumazet@gmail.com> wrote:
>> > On Sun, 2016-10-30 at 05:41 +0100, Andrey Konovalov wrote:
>> >> Sorry, the warning is still there.
>> >>
>> >> I'm not sure adding sched_annotate_sleep() does anything, since it's
>> >> defined as (in case CONFIG_DEBUG_ATOMIC_SLEEP is not set):
>> >> # define sched_annotate_sleep() do { } while (0)
>> >
>> > Thanks again for testing.
>> >
>> > But you do have CONFIG_DEBUG_ATOMIC_SLEEP set, which triggers a check in
>> > __might_sleep() :
>> >
>> > WARN_ONCE(current->state != TASK_RUNNING && current->task_state_change,
>> >
>> > Relevant commit is 00845eb968ead28007338b2bb852b8beef816583
>> > ("sched: don't cause task state changes in nested sleep debugging")
>> >
>> > Another relevant commit was 26cabd31259ba43f68026ce3f62b78094124333f
>> > ("sched, net: Clean up sk_wait_event() vs. might_sleep()")
>> >
>> > Before release_sock() could process the backlog in process context, only
>> > lock_sock() could trigger the issue, so my fix at that time was commit
>> > cb7cf8a33ff73cf638481d1edf883d8968f934f8 ("inet: Clean up
>> > inet_csk_wait_for_connect() vs. might_sleep()")
>> >
>>
>> Thanks for the context, but isn't the original warning reported by Andrey
>> from inet_wait_for_connect()? You seem to have patched only some dccp function,
>> which is why it is still there?
>>
>> It should be the following, no?
>>
>>
>> diff --git a/net/ipv4/af_inet.c b/net/ipv4/af_inet.c
>> index 9648c97..bbd8159 100644
>> --- a/net/ipv4/af_inet.c
>> +++ b/net/ipv4/af_inet.c
>> @@ -544,6 +544,7 @@ static long inet_wait_for_connect(struct sock *sk,
>> long timeo, int writebias)
>>          * without closing the socket.
>>          */
>>         while ((1 << sk->sk_state) & (TCPF_SYN_SENT | TCPF_SYN_RECV)) {
>> +               sched_annotate_sleep();
>>                 release_sock(sk);
>>                 timeo = schedule_timeout(timeo);
>>                 lock_sock(sk);
>
> Yes, this would be one of the locations needing this.
>
>
>

