From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <netdev-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 66790C433EF
	for <netdev@archiver.kernel.org>; Wed, 29 Jun 2022 16:20:14 +0000 (UTC)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S231735AbiF2QUN (ORCPT <rfc822;netdev@archiver.kernel.org>);
        Wed, 29 Jun 2022 12:20:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:34454 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229699AbiF2QUM (ORCPT
        <rfc822;netdev@vger.kernel.org>); Wed, 29 Jun 2022 12:20:12 -0400
Received: from mail-yw1-x112c.google.com (mail-yw1-x112c.google.com [IPv6:2607:f8b0:4864:20::112c])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 08728344C7
        for <netdev@vger.kernel.org>; Wed, 29 Jun 2022 09:20:10 -0700 (PDT)
Received: by mail-yw1-x112c.google.com with SMTP id 00721157ae682-317741c86fdso153118367b3.2
        for <netdev@vger.kernel.org>; Wed, 29 Jun 2022 09:20:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=google.com; s=20210112;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=EMPWdq/I+lPKqNd/fDVbNzWWr2RoFlkpAnrXoeK2nUo=;
        b=NB4/yScx1TfL6ixPtfgy/J5tpPwta7VfoQ2jmjdwx9gIm2wCdug0MIP3ZpsXDsBDlj
         34Jm7SWPIZq9pbmMBbOA4ZMAVTeLtz9nKQU4EWl/Vr6tzTB3b7erIxunLKl591/AUk3y
         QGk9wbU/p7MVnCLrMBqSGFRShEwBBep+FZtauNgfwaxM8kiStUz1/yZzi55zIDkjlKwq
         WipptdWhAbFn3xr1OKNKUlUz6NZQHgYKAcqsmISLGPdH88zX/9NeqOls2EU3Lbj1sV32
         QjHJDfwtFXhkwluRt52y3VV5p0aGAx223ZI71613qK3obH7BYQSCa7w3f+YXBT6n+GYe
         5S2g==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20210112;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=EMPWdq/I+lPKqNd/fDVbNzWWr2RoFlkpAnrXoeK2nUo=;
        b=1vwWcEZkplOURFcX1xDNmTm94b5q1XvjhV0Iio/H654TRuSeMVpf01xlsVFM6EoV+W
         oWD5lxbWiNdPfPh9sTDLRQiuWgMlRnfv128n0prRr7uzSUWlNFGdyaXCioUGRiNKt3/f
         CQRsiqiwCAtiKzinVE/3U6JSZCvCNTARCvAoLwAwYIOo7sJWWpBT7AdrDHunxRCz9sms
         mM+dhf+E4bgph6lC+R3oc53DmPfW61EJG5vYn/LMBY5MowCB8FLbK7Q5v5bmNCfGlKLN
         HJBH7xfY66+vggiZYOju/xF3q3n2LQI1XESSJ9VrtBt9rgYTOpwaplJ+aZQBnKBgxD9g
         VWhg==
X-Gm-Message-State: AJIora8MhwXw7LFyLudNJdmpqmEFs4gkK8ZKsScFzpVcOE9/I8CocaEa
        0Q/DKQ5EylgXs1tcpRkZUySsAa35r+h+qyscYYUqNQ==
X-Google-Smtp-Source: AGRyM1sjfZI0HW3DtQnWfXaVj9Qvvy1yR0579oHZIZneFS4HpXPniV0tKqkxUln0qYFcOQiWfhxlB55fdK8whilV3vE=
X-Received: by 2002:a81:e93:0:b0:317:8db7:aa8e with SMTP id
 141-20020a810e93000000b003178db7aa8emr4860124ywo.55.1656519609796; Wed, 29
 Jun 2022 09:20:09 -0700 (PDT)
MIME-Version: 1.0
References: <20220629093752.1935215-1-edumazet@google.com> <20220629091750.1f0dc8ed@kernel.org>
In-Reply-To: <20220629091750.1f0dc8ed@kernel.org>
From:   Eric Dumazet <edumazet@google.com>
Date:   Wed, 29 Jun 2022 18:19:58 +0200
Message-ID: <CANn89iJxAL5v0FtkaRXjDH--PeTB7MoqV1Y16YQoOgDUCNXjmw@mail.gmail.com>
Subject: Re: [PATCH net] net: tun: do not call napi_disable() twice
To:     Jakub Kicinski <kuba@kernel.org>
Cc:     "David S . Miller" <davem@davemloft.net>,
        Paolo Abeni <pabeni@redhat.com>,
        netdev <netdev@vger.kernel.org>,
        Eric Dumazet <eric.dumazet@gmail.com>,
        syzbot <syzkaller@googlegroups.com>,
        Petar Penkov <ppenkov@aviatrix.com>
Content-Type: text/plain; charset="UTF-8"
Precedence: bulk
List-ID: <netdev.vger.kernel.org>
X-Mailing-List: netdev@vger.kernel.org

On Wed, Jun 29, 2022 at 6:17 PM Jakub Kicinski <kuba@kernel.org> wrote:
>
> On Wed, 29 Jun 2022 09:37:52 +0000 Eric Dumazet wrote:
> > syzbot reported a hang in tun_napi_disable() while RTNL is held.
> >
> > Because tun.c logic is complicated, I chose to:
> >
> > 1) rename tun->napi_enabled to tun->napi_configured
> >
> > 2) Add a new boolean, tracking if tun->napi is enabled or not.
>
> Not a huge surprise TBH :S
>
> Is there a repro?

Yes, here it is:

// autogenerated by syzkaller (https://github.com/google/syzkaller)

#define _GNU_SOURCE

#include <dirent.h>
#include <endian.h>
#include <errno.h>
#include <fcntl.h>
#include <signal.h>
#include <stdarg.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/prctl.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static void sleep_ms(uint64_t ms)
{
  usleep(ms * 1000);
}

static uint64_t current_time_ms(void)
{
  struct timespec ts;
  if (clock_gettime(CLOCK_MONOTONIC, &ts))
    exit(1);
  return (uint64_t)ts.tv_sec * 1000 + (uint64_t)ts.tv_nsec / 1000000;
}

static bool write_file(const char* file, const char* what, ...)
{
  char buf[1024];
  va_list args;
  va_start(args, what);
  vsnprintf(buf, sizeof(buf), what, args);
  va_end(args);
  buf[sizeof(buf) - 1] = 0;
  int len = strlen(buf);
  int fd = open(file, O_WRONLY | O_CLOEXEC);
  if (fd == -1)
    return false;
  if (write(fd, buf, len) != len) {
    int err = errno;
    close(fd);
    errno = err;
    return false;
  }
  close(fd);
  return true;
}

static void kill_and_wait(int pid, int* status)
{
  kill(-pid, SIGKILL);
  kill(pid, SIGKILL);
  for (int i = 0; i < 100; i++) {
    if (waitpid(-1, status, WNOHANG | __WALL) == pid)
      return;
    usleep(1000);
  }
  DIR* dir = opendir("/sys/fs/fuse/connections");
  if (dir) {
    for (;;) {
      struct dirent* ent = readdir(dir);
      if (!ent)
        break;
      if (strcmp(ent->d_name, ".") == 0 || strcmp(ent->d_name, "..") == 0)
        continue;
      char abort[300];
      snprintf(abort, sizeof(abort), "/sys/fs/fuse/connections/%s/abort",
               ent->d_name);
      int fd = open(abort, O_WRONLY);
      if (fd == -1) {
        continue;
      }
      if (write(fd, abort, 1) < 0) {
      }
      close(fd);
    }
    closedir(dir);
  } else {
  }
  while (waitpid(-1, status, __WALL) != pid) {
  }
}

static void setup_test()
{
  prctl(PR_SET_PDEATHSIG, SIGKILL, 0, 0, 0);
  setpgrp();
  write_file("/proc/self/oom_score_adj", "1000");
}

static void execute_one(void);

#define WAIT_FLAGS __WALL

static void loop(void)
{
  int iter = 0;
  for (;; iter++) {
    int pid = fork();
    if (pid < 0)
      exit(1);
    if (pid == 0) {
      setup_test();
      execute_one();
      exit(0);
    }
    int status = 0;
    uint64_t start = current_time_ms();
    for (;;) {
      if (waitpid(-1, &status, WNOHANG | WAIT_FLAGS) == pid)
        break;
      sleep_ms(1);
      if (current_time_ms() - start < 5000)
        continue;
      kill_and_wait(pid, &status);
      break;
    }
  }
}

uint64_t r[1] = {0xffffffffffffffff};

void execute_one(void)
{
  intptr_t res = 0;
  memcpy((void*)0x20000100, "/dev/net/tun\000", 13);
  res = syscall(__NR_openat, 0xffffffffffffff9cul, 0x20000100ul, 0ul, 0ul);
  if (res != -1)
    r[0] = res;
  memcpy((void*)0x20000040, "netpci0\000\000\000\000\000\000\000\000\000", 16);
  *(uint16_t*)0x20000050 = 0x2512;
  syscall(__NR_ioctl, r[0], 0x400454ca, 0x20000040ul);
  memcpy((void*)0x200001c0, "caif0\000\000\000\000\000\000\000\000\000\000\000",
         16);
  *(uint16_t*)0x200001d0 = 0x400;
  syscall(__NR_ioctl, r[0], 0x400454d9, 0x200001c0ul);
  syscall(__NR_ioctl, r[0], 0x401054d5, 0ul);
}
int main(void)
{
  syscall(__NR_mmap, 0x1ffff000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x20000000ul, 0x1000000ul, 7ul, 0x32ul, -1, 0ul);
  syscall(__NR_mmap, 0x21000000ul, 0x1000ul, 0ul, 0x32ul, -1, 0ul);
  loop();
  return 0;
}