lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Mon, 19 Oct 2009 13:27:24 +0800 From: Xiaotian Feng <xtfeng@...il.com> To: Tilman Schmidt <tilman@...p.cc> Cc: LKML <linux-kernel@...r.kernel.org>, isdn4linux <isdn4linux@...tserv.isdn4linux.de>, Netdev <netdev@...r.kernel.org> Subject: Re: possible circular locking dependency in ISDN PPP ---> isdn_net_get_locked_lp --->lock &nd->queue_lock --->lock &nd->queue->xmit_lock ..................... ---->unlock &nd->queue_lock ---> isdn_net_writebuf_skb (called with &nd->queue->xmit_lock locked) ---->isdn_net_inc_frame_cnt ---->isdn_net_device_busy ----> lock &nd->queue_lock So there's a circular locking dependency.. Looking into isdn_net_get_locked_lp() static __inline__ isdn_net_local * isdn_net_get_locked_lp(isdn_net_dev *nd) { unsigned long flags; isdn_net_local *lp; spin_lock_irqsave(&nd->queue_lock, flags); lp = nd->queue; /* get lp on top of queue */ spin_lock(&nd->queue->xmit_lock); while (isdn_net_lp_busy(nd->queue)) { spin_unlock(&nd->queue->xmit_lock); nd->queue = nd->queue->next; if (nd->queue == lp) { /* not found -- should never happen */ lp = NULL; goto errout; } spin_lock(&nd->queue->xmit_lock); } lp = nd->queue; nd->queue = nd->queue->next; local_bh_disable(); errout: spin_unlock_irqrestore(&nd->queue_lock, flags); return lp; } Why do we need to hold xmit_lock while using isdn_net_lp_busy(nd->queue) ? Can following patch fix this bug? --- diff --git a/drivers/isdn/i4l/isdn_net.h b/drivers/isdn/i4l/isdn_net.h index 74032d0..7511f08 100644 --- a/drivers/isdn/i4l/isdn_net.h +++ b/drivers/isdn/i4l/isdn_net.h @@ -83,19 +83,19 @@ static __inline__ isdn_net_local * isdn_net_get_locked_lp(isdn_net_dev *nd) spin_lock_irqsave(&nd->queue_lock, flags); lp = nd->queue; /* get lp on top of queue */ - spin_lock(&nd->queue->xmit_lock); while (isdn_net_lp_busy(nd->queue)) { - spin_unlock(&nd->queue->xmit_lock); nd->queue = nd->queue->next; if (nd->queue == lp) { /* not found -- should never happen */ lp = NULL; goto errout; } - spin_lock(&nd->queue->xmit_lock); } lp = nd->queue; nd->queue = nd->queue->next; + spin_unlock_irqrestore(&nd->queue_lock, flags); + spin_lock(&lp->xmit_lock); local_bh_disable(); + return lp; errout: spin_unlock_irqrestore(&nd->queue_lock, flags); return lp; On Mon, Oct 19, 2009 at 6:16 AM, Tilman Schmidt <tilman@...p.cc> wrote: > A test of PPP over ISDN with ipppd, capidrv and the so far unmerged > CAPI port of the Gigaset driver produced the following lockdep > message: > > ======================================================= > [ INFO: possible circular locking dependency detected ] > 2.6.32-rc4-testing #7 > ------------------------------------------------------- > ipppd/28379 is trying to acquire lock: > (&netdev->queue_lock){......}, at: [<e62ad0fd>] isdn_net_device_busy+0x2c/0x74 [isdn] > > but task is already holding lock: > (&netdev->local->xmit_lock){+.....}, at: [<e62aefc2>] isdn_net_write_super+0x3f/0x6e [isdn] > > which lock already depends on the new lock. > > > the existing dependency chain (in reverse order) is: > > -> #1 (&netdev->local->xmit_lock){+.....}: > [<c0157e9c>] __lock_acquire+0xa12/0xb99 > [<c01580ac>] lock_acquire+0x89/0xa0 > [<c0373249>] _spin_lock+0x1b/0x2a > [<e62b9d1c>] isdn_ppp_xmit+0xf0/0x5b0 [isdn] > [<e62b03f0>] isdn_net_start_xmit+0x4c6/0x66b [isdn] > [<c0307e75>] dev_hard_start_xmit+0x251/0x2e4 > [<c0317bcc>] sch_direct_xmit+0x4f/0x122 > [<c030829c>] dev_queue_xmit+0x2ae/0x412 > [<c030d748>] neigh_resolve_output+0x1f2/0x23c > [<c0329b9c>] ip_finish_output2+0x1b1/0x1db > [<c0329c25>] ip_finish_output+0x5f/0x62 > [<c0329cb5>] ip_output+0x8d/0x92 > [<c03290c0>] ip_local_out+0x18/0x1b > [<c032932c>] ip_push_pending_frames+0x269/0x2c1 > [<c033fd78>] raw_sendmsg+0x618/0x6b0 > [<c0347ac9>] inet_sendmsg+0x3b/0x48 > [<c02fa5b5>] __sock_sendmsg+0x45/0x4e > [<c02fad4b>] sock_sendmsg+0xb8/0xce > [<c02faea0>] sys_sendmsg+0x13f/0x192 > [<c02fbeb2>] sys_socketcall+0x157/0x18e > [<c0102974>] sysenter_do_call+0x12/0x32 > > -> #0 (&netdev->queue_lock){......}: > [<c0157da9>] __lock_acquire+0x91f/0xb99 > [<c01580ac>] lock_acquire+0x89/0xa0 > [<c03732db>] _spin_lock_irqsave+0x24/0x34 > [<e62ad0fd>] isdn_net_device_busy+0x2c/0x74 [isdn] > [<e62aeee3>] isdn_net_writebuf_skb+0x6e/0xc2 [isdn] > [<e62aefd4>] isdn_net_write_super+0x51/0x6e [isdn] > [<e62bc26f>] isdn_ppp_write+0x3a8/0x3bc [isdn] > [<e62b785a>] isdn_write+0x1d9/0x1f9 [isdn] > [<c01c42c5>] vfs_write+0x84/0xdf > [<c01c43b9>] sys_write+0x3b/0x60 > [<c0102974>] sysenter_do_call+0x12/0x32 > > other info that might help us debug this: > > 1 lock held by ipppd/28379: > #0: (&netdev->local->xmit_lock){+.....}, at: [<e62aefc2>] isdn_net_write_super+0x3f/0x6e [isdn] > > stack backtrace: > Pid: 28379, comm: ipppd Not tainted 2.6.32-rc4-testing #7 > Call Trace: > [<c03710dc>] ? printk+0xf/0x13 > [<c015714d>] print_circular_bug+0x90/0x9c > [<c0157da9>] __lock_acquire+0x91f/0xb99 > [<c01580ac>] lock_acquire+0x89/0xa0 > [<e62ad0fd>] ? isdn_net_device_busy+0x2c/0x74 [isdn] > [<c03732db>] _spin_lock_irqsave+0x24/0x34 > [<e62ad0fd>] ? isdn_net_device_busy+0x2c/0x74 [isdn] > [<e62ad0fd>] isdn_net_device_busy+0x2c/0x74 [isdn] > [<e62aeee3>] isdn_net_writebuf_skb+0x6e/0xc2 [isdn] > [<e62aefd4>] isdn_net_write_super+0x51/0x6e [isdn] > [<e62bc26f>] isdn_ppp_write+0x3a8/0x3bc [isdn] > [<e62b785a>] isdn_write+0x1d9/0x1f9 [isdn] > [<c01c3b6c>] ? rw_verify_area+0x8a/0xad > [<e62b7681>] ? isdn_write+0x0/0x1f9 [isdn] > [<c01c42c5>] vfs_write+0x84/0xdf > [<c01c43b9>] sys_write+0x3b/0x60 > [<c0102974>] sysenter_do_call+0x12/0x32 > > The message appeared shortly after initiating the connection, > during the PPP negotiation, just when the IP address was assigned. > The system continued to run normally, and the connection was > successfully established. Full log showing the entire connection > (with capidrv and Gigaset driver debugging output enabled, 70 kB), > available at http://www.phoenixsoftware.de/~ts/ppp-lockprob-full.log > in case someone's interested. It shows the messages from ipppd > about the IP address assignment arriving in the middle of the > lockdep message. > > I cannot say whether this is a regression. My previous tests of > that scenario were done on a machine with an Nvidia graphics card > where the lockdep machinery would refuse to run because of the > kernel being tainted by the Nvidia driver, so I wouldn't have seen > anything one way or another. > > Btw, one of those "NOHZ: local_softirq_pending 08" messages is also > present in the log, but that's 28 seconds later so I'd be surprised > if the two were related. > > Any hints about the possible cause and seriousness of that > message would be welcome. I'm particularly interested, of course, > in finding out whether the Gigaset driver might somehow be causing > it, even though it doesn't appear anywhere in the backtraces. > > aTdHvAaNnKcSe > Tilman > > -- > Tilman Schmidt E-Mail: tilman@...p.cc > Bonn, Germany > Diese Nachricht besteht zu 100% aus wiederverwerteten Bits. > Ungeöffnet mindestens haltbar bis: (siehe Rückseite) > > -- To unsubscribe from this list: send the line "unsubscribe netdev" in the body of a message to majordomo@...r.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html
Powered by blists - more mailing lists