| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <07406ab9-fbb0-4f98-56b1-0c64b7e695e1@broadcom.com>
Date: Wed, 19 Jul 2023 10:31:22 -0700
From: Ray Jui <ray.jui@...adcom.com>
To: Scott Branden <scott.branden@...adcom.com>,
Chengfeng Ye <dg573847474@...il.com>,
bcm-kernel-feedback-list@...adcom.com, arnd@...db.de,
gregkh@...uxfoundation.org
Cc: linux-kernel@...r.kernel.org, desmond.yan@...adcom.com
Subject: Re: [PATCH v3] misc: bcm_vk: Fix potential deadlock on &vk->ctx_lock
On 7/19/2023 10:07 AM, Scott Branden wrote:
> Works fine - thanks.
So apparently the choice of using the timer previously was not due to
performance reasons?
If performance is a concern by converting to use workqueue (now it runs
in process/thread context than softirq), I assume you are aware of
another easy way to fix this potential deadlock issue? :)
>
> On 2023-06-29 11:29, Chengfeng Ye wrote:
>> As &vk->ctx_lock is acquired by timer bcm_vk_hb_poll() under softirq
>> context, other process context code should disable irq or bottom-half
>> before acquire the same lock, otherwise deadlock could happen if the
>> timer preempt the execution while the lock is held in process context
>> on the same CPU.
>>
>> Possible deadlock scenario
>> bcm_vk_open()
>> -> bcm_vk_get_ctx()
>> -> spin_lock(&vk->ctx_lock)
>> <timer iterrupt>
>> -> bcm_vk_hb_poll()
>> -> bcm_vk_blk_drv_access()
>> -> spin_lock_irqsave(&vk->ctx_lock, flags) (deadlock here)
>>
>> This flaw was found using an experimental static analysis tool we are
>> developing for irq-related deadlock, which reported the following
>> warning when analyzing the linux kernel 6.4-rc7 release.
>>
>> [Deadlock]: &vk->ctx_lock
>> [Interrupt]: bcm_vk_hb_poll
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>> [Locking Unit]: bcm_vk_ioctl
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:1181
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>
>> [Deadlock]: &vk->ctx_lock
>> [Interrupt]: bcm_vk_hb_poll
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>> [Locking Unit]: bcm_vk_ioctl
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:1169
>>
>> [Deadlock]: &vk->ctx_lock
>> [Interrupt]: bcm_vk_hb_poll
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>> [Locking Unit]: bcm_vk_open
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:216
>>
>> [Deadlock]: &vk->ctx_lock
>> [Interrupt]: bcm_vk_hb_poll
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>> [Locking Unit]: bcm_vk_release
>> -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:306
>>
>> As suggested by Arnd, the tentative patch fix the potential deadlocks
>> by replacing the timer with delay workqueue. x86_64 allyesconfig using
>> GCC shows no new warning. Note that no runtime testing was performed
>> due to no device on hand.
>>
>> Signed-off-by: Chengfeng Ye <dg573847474@...il.com>
> Acked-by: Scott Branden <scott.branden@...adcom.com>
> Tested-by: Desmond Yan <desmond.branden@...adcom.com>
>
>> ---
>> drivers/misc/bcm-vk/bcm_vk.h | 2 +-
>> drivers/misc/bcm-vk/bcm_vk_msg.c | 14 +++++++-------
>> 2 files changed, 8 insertions(+), 8 deletions(-)
>>
>> diff --git a/drivers/misc/bcm-vk/bcm_vk.h b/drivers/misc/bcm-vk/bcm_vk.h
>> index 25d51222eedf..386884c2a263 100644
>> --- a/drivers/misc/bcm-vk/bcm_vk.h
>> +++ b/drivers/misc/bcm-vk/bcm_vk.h
>> @@ -340,7 +340,7 @@ struct bcm_vk_proc_mon_info {
>> };
>> struct bcm_vk_hb_ctrl {
>> - struct timer_list timer;
>> + struct delayed_work work;
>> u32 last_uptime;
>> u32 lost_cnt;
>> };
>> diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.c
>> b/drivers/misc/bcm-vk/bcm_vk_msg.c
>> index 3c081504f38c..e17d81231ea6 100644
>> --- a/drivers/misc/bcm-vk/bcm_vk_msg.c
>> +++ b/drivers/misc/bcm-vk/bcm_vk_msg.c
>> @@ -137,11 +137,11 @@ void bcm_vk_set_host_alert(struct bcm_vk *vk,
>> u32 bit_mask)
>> #define BCM_VK_HB_TIMER_VALUE (BCM_VK_HB_TIMER_S * HZ)
>> #define BCM_VK_HB_LOST_MAX (27 / BCM_VK_HB_TIMER_S)
>> -static void bcm_vk_hb_poll(struct timer_list *t)
>> +static void bcm_vk_hb_poll(struct work_struct *work)
>> {
>> u32 uptime_s;
>> - struct bcm_vk_hb_ctrl *hb = container_of(t, struct bcm_vk_hb_ctrl,
>> - timer);
>> + struct bcm_vk_hb_ctrl *hb = container_of(to_delayed_work(work),
>> struct bcm_vk_hb_ctrl,
>> + work);
>> struct bcm_vk *vk = container_of(hb, struct bcm_vk, hb_ctrl);
>> if (bcm_vk_drv_access_ok(vk) && hb_mon_is_on()) {
>> @@ -177,22 +177,22 @@ static void bcm_vk_hb_poll(struct timer_list *t)
>> bcm_vk_set_host_alert(vk, ERR_LOG_HOST_HB_FAIL);
>> }
>> /* re-arm timer */
>> - mod_timer(&hb->timer, jiffies + BCM_VK_HB_TIMER_VALUE);
>> + schedule_delayed_work(&hb->work, BCM_VK_HB_TIMER_VALUE);
>> }
>> void bcm_vk_hb_init(struct bcm_vk *vk)
>> {
>> struct bcm_vk_hb_ctrl *hb = &vk->hb_ctrl;
>> - timer_setup(&hb->timer, bcm_vk_hb_poll, 0);
>> - mod_timer(&hb->timer, jiffies + BCM_VK_HB_TIMER_VALUE);
>> + INIT_DELAYED_WORK(&hb->work, bcm_vk_hb_poll);
>> + schedule_delayed_work(&hb->work, BCM_VK_HB_TIMER_VALUE);
>> }
>> void bcm_vk_hb_deinit(struct bcm_vk *vk)
>> {
>> struct bcm_vk_hb_ctrl *hb = &vk->hb_ctrl;
>> - del_timer(&hb->timer);
>> + cancel_delayed_work_sync(&hb->work);
>> }
>> static void bcm_vk_msgid_bitmap_clear(struct bcm_vk *vk,
Download attachment "smime.p7s" of type "application/pkcs7-signature" (4194 bytes)
Powered by blists - more mailing lists