linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
From: Greg KH <gregkh@linuxfoundation.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>,
	bfields@fieldses.org, viro@zeniv.linux.org.uk,
	linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	skhan@linuxfoundation.org,
	linux-kernel-mentees@lists.linuxfoundation.org,
	syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] fcntl: fix potential deadlocks for &fown_struct.lock
Date: Wed, 7 Jul 2021 12:51:22 +0200	[thread overview]
Message-ID: <YOWHKk6Nq8bazYjB@kroah.com> (raw)
In-Reply-To: <14633c3be87286d811263892375f2dfa9a8ed40a.camel@kernel.org>

On Wed, Jul 07, 2021 at 06:44:42AM -0400, Jeff Layton wrote:
> On Wed, 2021-07-07 at 08:05 +0200, Greg KH wrote:
> > On Wed, Jul 07, 2021 at 10:35:47AM +0800, Desmond Cheong Zhi Xi wrote:
> > > Syzbot reports a potential deadlock in do_fcntl:
> > > 
> > > ========================================================
> > > WARNING: possible irq lock inversion dependency detected
> > > 5.12.0-syzkaller #0 Not tainted
> > > --------------------------------------------------------
> > > syz-executor132/8391 just changed the state of lock:
> > > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
> > > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
> > > but this lock was taken by another, HARDIRQ-safe lock in the past:
> > >  (&dev->event_lock){-...}-{2:2}
> > > 
> > > and interrupts could create inverse lock ordering between them.
> > > 
> > > other info that might help us debug this:
> > > Chain exists of:
> > >   &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
> > > 
> > >  Possible interrupt unsafe locking scenario:
> > > 
> > >        CPU0                    CPU1
> > >        ----                    ----
> > >   lock(&f->f_owner.lock);
> > >                                local_irq_disable();
> > >                                lock(&dev->event_lock);
> > >                                lock(&new->fa_lock);
> > >   <Interrupt>
> > >     lock(&dev->event_lock);
> > > 
> > >  *** DEADLOCK ***
> > > 
> > > This happens because there is a lock hierarchy of
> > > &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
> > > from the following call chain:
> > > 
> > >   input_inject_event():
> > >     spin_lock_irqsave(&dev->event_lock,...);
> > >     input_handle_event():
> > >       input_pass_values():
> > >         input_to_handler():
> > >           evdev_events():
> > >             evdev_pass_values():
> > >               spin_lock(&client->buffer_lock);
> > >               __pass_event():
> > >                 kill_fasync():
> > >                   kill_fasync_rcu():
> > >                     read_lock(&fa->fa_lock);
> > >                     send_sigio():
> > >                       read_lock_irqsave(&fown->lock,...);
> > > 
> > > However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
> > > disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
> > > hierarchy.
> > > 
> > > Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
> > > with read_lock_irq/read_unlock_irq.
> > > 
> > > Here read_lock_irq/read_unlock_irq should be safe to use because the
> > > functions f_getown_ex and f_getowner_uids are only called from
> > > do_fcntl, and f_getown is only called from do_fnctl and
> > > sock_ioctl. do_fnctl itself is only called from syscalls.
> > > 
> > > For sock_ioctl, the chain is
> > >   compat_sock_ioctl():
> > >     compat_sock_ioctl_trans():
> > >       sock_ioctl()
> > > 
> > > And interrupts are not disabled on either path. We assert this
> > > assumption with WARN_ON_ONCE(irqs_disabled()). This check is also
> > > inserted into another use of write_lock_irq in f_modown.
> > > 
> > > Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
> > > Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> > > ---
> > >  fs/fcntl.c | 17 +++++++++++------
> > >  1 file changed, 11 insertions(+), 6 deletions(-)
> > > 
> > > diff --git a/fs/fcntl.c b/fs/fcntl.c
> > > index dfc72f15be7f..262235e02c4b 100644
> > > --- a/fs/fcntl.c
> > > +++ b/fs/fcntl.c
> > > @@ -88,6 +88,7 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
> > >  static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
> > >                       int force)
> > >  {
> > > +	WARN_ON_ONCE(irqs_disabled());
> > 
> > If this triggers, you just rebooted the box :(
> > 
> > Please never do this, either properly handle the problem and return an
> > error, or do not check for this.  It is not any type of "fix" at all,
> > and at most, a debugging aid while you work on the root problem.
> > 
> > thanks,
> > 
> > greg k-h
> 
> Wait, what? Why would testing for irqs being disabled and throwing a
> WARN_ON in that case crash the box?

If panic-on-warn is enabled, which is a common setting for systems these
days.

  reply	other threads:[~2021-07-07 10:51 UTC|newest]

Thread overview: 18+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-07-07  2:35 [PATCH v2 0/2] fcntl: fix potential deadlocks Desmond Cheong Zhi Xi
2021-07-07  2:35 ` [PATCH v2 1/2] fcntl: fix potential deadlocks for &fown_struct.lock Desmond Cheong Zhi Xi
2021-07-07  6:05   ` Greg KH
2021-07-07  6:54     ` Desmond Cheong Zhi Xi
2021-07-07 10:44     ` Jeff Layton
2021-07-07 10:51       ` Greg KH [this message]
2021-07-07 11:40         ` Jeff Layton
2021-07-07 13:51           ` J. Bruce Fields
2021-07-07 15:06             ` Greg KH
2021-07-07 15:19               ` J. Bruce Fields
2021-07-07 15:31                 ` Greg KH
2021-07-07 15:34                   ` J. Bruce Fields
2021-07-07 15:46                     ` Greg KH
2021-07-07 16:18                       ` Jeff Layton
2021-07-07 16:25                         ` Matthew Wilcox
2021-07-07 17:52                           ` Jeff Layton
2021-07-07 17:58                           ` Eric Biggers
2021-07-07  2:35 ` [PATCH v2 2/2] fcntl: fix potential deadlock for &fasync_struct.fa_lock Desmond Cheong Zhi Xi

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YOWHKk6Nq8bazYjB@kroah.com \
    --to=gregkh@linuxfoundation.org \
    --cc=bfields@fieldses.org \
    --cc=desmondcheongzx@gmail.com \
    --cc=jlayton@kernel.org \
    --cc=linux-fsdevel@vger.kernel.org \
    --cc=linux-kernel-mentees@lists.linuxfoundation.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=skhan@linuxfoundation.org \
    --cc=syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com \
    --cc=viro@zeniv.linux.org.uk \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).