lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Message-ID: <9a7462a4-9be8-c7f9-e9dd-d16e22f312c8@kernel.dk>
Date:   Thu, 8 Oct 2020 18:55:17 -0600
From:   Jens Axboe <axboe@...nel.dk>
To:     Matthew Wilcox <willy@...radead.org>,
        syzbot <syzbot+cdcbdc0bd42e559b52b9@...kaller.appspotmail.com>
Cc:     io-uring@...r.kernel.org, linux-fsdevel@...r.kernel.org,
        linux-kernel@...r.kernel.org, syzkaller-bugs@...glegroups.com,
        viro@...iv.linux.org.uk
Subject: Re: inconsistent lock state in xa_destroy

On 10/8/20 4:27 PM, Matthew Wilcox wrote:
> 
> If I understand the lockdep report here, this actually isn't an XArray
> issue, although I do think there is one.
> 
> On Thu, Oct 08, 2020 at 02:14:20PM -0700, syzbot wrote:
>> ================================
>> WARNING: inconsistent lock state
>> 5.9.0-rc8-next-20201008-syzkaller #0 Not tainted
>> --------------------------------
>> inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
>> swapper/0/0 [HC0[0]:SC1[1]:HE0:SE0] takes:
>> ffff888025f65018 (&xa->xa_lock#7){+.?.}-{2:2}, at: xa_destroy+0xaa/0x350 lib/xarray.c:2205
>> {SOFTIRQ-ON-W} state was registered at:
>>   lock_acquire+0x1f2/0xaa0 kernel/locking/lockdep.c:5419
>>   __raw_spin_lock include/linux/spinlock_api_smp.h:142 [inline]
>>   _raw_spin_lock+0x2a/0x40 kernel/locking/spinlock.c:151
>>   spin_lock include/linux/spinlock.h:354 [inline]
>>   io_uring_add_task_file fs/io_uring.c:8607 [inline]
> 
> You're using the XArray in a non-interrupt-disabling mode.
> 
>>  _raw_spin_lock_irqsave+0x94/0xd0 kernel/locking/spinlock.c:159
>>  xa_destroy+0xaa/0x350 lib/xarray.c:2205
>>  __io_uring_free+0x60/0xc0 fs/io_uring.c:7693
>>  io_uring_free include/linux/io_uring.h:40 [inline]
>>  __put_task_struct+0xff/0x3f0 kernel/fork.c:732
>>  put_task_struct include/linux/sched/task.h:111 [inline]
>>  delayed_put_task_struct+0x1f6/0x340 kernel/exit.c:172
>>  rcu_do_batch kernel/rcu/tree.c:2484 [inline]
> 
> But you're calling xa_destroy() from in-interrupt context.
> So (as far as lockdep is concerned), no matter what I do in
> xa_destroy(), this potential deadlock is there.  You'd need to be
> using xa_init_flags(XA_FLAGS_LOCK_IRQ) if you actually needed to call
> xa_destroy() here.

Yeah good point, I guess that last free is in softirq from RCU.

> Fortunately, it seems you don't need to call xa_destroy() at all, so
> that problem is solved, but the patch I have here wouldn't help.

Right, it wouldn't have helped this case.

-- 
Jens Axboe

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ