From: Greg KH <gregkh@linuxfoundation.org>
To: Jeff Layton <jlayton@kernel.org>
Cc: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>,
bfields@fieldses.org, viro@zeniv.linux.org.uk,
linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
skhan@linuxfoundation.org,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
Subject: Re: [PATCH v2 1/2] fcntl: fix potential deadlocks for &fown_struct.lock
Date: Wed, 7 Jul 2021 12:51:22 +0200 [thread overview]
Message-ID: <YOWHKk6Nq8bazYjB@kroah.com> (raw)
In-Reply-To: <14633c3be87286d811263892375f2dfa9a8ed40a.camel@kernel.org>
On Wed, Jul 07, 2021 at 06:44:42AM -0400, Jeff Layton wrote:
> On Wed, 2021-07-07 at 08:05 +0200, Greg KH wrote:
> > On Wed, Jul 07, 2021 at 10:35:47AM +0800, Desmond Cheong Zhi Xi wrote:
> > > Syzbot reports a potential deadlock in do_fcntl:
> > >
> > > ========================================================
> > > WARNING: possible irq lock inversion dependency detected
> > > 5.12.0-syzkaller #0 Not tainted
> > > --------------------------------------------------------
> > > syz-executor132/8391 just changed the state of lock:
> > > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline]
> > > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395
> > > but this lock was taken by another, HARDIRQ-safe lock in the past:
> > > (&dev->event_lock){-...}-{2:2}
> > >
> > > and interrupts could create inverse lock ordering between them.
> > >
> > > other info that might help us debug this:
> > > Chain exists of:
> > > &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
> > >
> > > Possible interrupt unsafe locking scenario:
> > >
> > > CPU0 CPU1
> > > ---- ----
> > > lock(&f->f_owner.lock);
> > > local_irq_disable();
> > > lock(&dev->event_lock);
> > > lock(&new->fa_lock);
> > > <Interrupt>
> > > lock(&dev->event_lock);
> > >
> > > *** DEADLOCK ***
> > >
> > > This happens because there is a lock hierarchy of
> > > &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock
> > > from the following call chain:
> > >
> > > input_inject_event():
> > > spin_lock_irqsave(&dev->event_lock,...);
> > > input_handle_event():
> > > input_pass_values():
> > > input_to_handler():
> > > evdev_events():
> > > evdev_pass_values():
> > > spin_lock(&client->buffer_lock);
> > > __pass_event():
> > > kill_fasync():
> > > kill_fasync_rcu():
> > > read_lock(&fa->fa_lock);
> > > send_sigio():
> > > read_lock_irqsave(&fown->lock,...);
> > >
> > > However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be
> > > disabled while grabbing &f->f_owner.lock, otherwise we invert the lock
> > > hierarchy.
> > >
> > > Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock,
> > > with read_lock_irq/read_unlock_irq.
> > >
> > > Here read_lock_irq/read_unlock_irq should be safe to use because the
> > > functions f_getown_ex and f_getowner_uids are only called from
> > > do_fcntl, and f_getown is only called from do_fnctl and
> > > sock_ioctl. do_fnctl itself is only called from syscalls.
> > >
> > > For sock_ioctl, the chain is
> > > compat_sock_ioctl():
> > > compat_sock_ioctl_trans():
> > > sock_ioctl()
> > >
> > > And interrupts are not disabled on either path. We assert this
> > > assumption with WARN_ON_ONCE(irqs_disabled()). This check is also
> > > inserted into another use of write_lock_irq in f_modown.
> > >
> > > Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com
> > > Signed-off-by: Desmond Cheong Zhi Xi <desmondcheongzx@gmail.com>
> > > ---
> > > fs/fcntl.c | 17 +++++++++++------
> > > 1 file changed, 11 insertions(+), 6 deletions(-)
> > >
> > > diff --git a/fs/fcntl.c b/fs/fcntl.c
> > > index dfc72f15be7f..262235e02c4b 100644
> > > --- a/fs/fcntl.c
> > > +++ b/fs/fcntl.c
> > > @@ -88,6 +88,7 @@ static int setfl(int fd, struct file * filp, unsigned long arg)
> > > static void f_modown(struct file *filp, struct pid *pid, enum pid_type type,
> > > int force)
> > > {
> > > + WARN_ON_ONCE(irqs_disabled());
> >
> > If this triggers, you just rebooted the box :(
> >
> > Please never do this, either properly handle the problem and return an
> > error, or do not check for this. It is not any type of "fix" at all,
> > and at most, a debugging aid while you work on the root problem.
> >
> > thanks,
> >
> > greg k-h
>
> Wait, what? Why would testing for irqs being disabled and throwing a
> WARN_ON in that case crash the box?
If panic-on-warn is enabled, which is a common setting for systems these
days.
next prev parent reply other threads:[~2021-07-07 10:51 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-07-07 2:35 [PATCH v2 0/2] fcntl: fix potential deadlocks Desmond Cheong Zhi Xi
2021-07-07 2:35 ` [PATCH v2 1/2] fcntl: fix potential deadlocks for &fown_struct.lock Desmond Cheong Zhi Xi
2021-07-07 6:05 ` Greg KH
2021-07-07 6:54 ` Desmond Cheong Zhi Xi
2021-07-07 10:44 ` Jeff Layton
2021-07-07 10:51 ` Greg KH [this message]
2021-07-07 11:40 ` Jeff Layton
2021-07-07 13:51 ` J. Bruce Fields
2021-07-07 15:06 ` Greg KH
2021-07-07 15:19 ` J. Bruce Fields
2021-07-07 15:31 ` Greg KH
2021-07-07 15:34 ` J. Bruce Fields
2021-07-07 15:46 ` Greg KH
2021-07-07 16:18 ` Jeff Layton
2021-07-07 16:25 ` Matthew Wilcox
2021-07-07 17:52 ` Jeff Layton
2021-07-07 17:58 ` Eric Biggers
2021-07-07 2:35 ` [PATCH v2 2/2] fcntl: fix potential deadlock for &fasync_struct.fa_lock Desmond Cheong Zhi Xi
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YOWHKk6Nq8bazYjB@kroah.com \
--to=gregkh@linuxfoundation.org \
--cc=bfields@fieldses.org \
--cc=desmondcheongzx@gmail.com \
--cc=jlayton@kernel.org \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=skhan@linuxfoundation.org \
--cc=syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).