lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2e87058c-839b-5b28-62e1-896d1e49fb57@broadcom.com>
Date:   Wed, 19 Jul 2023 11:17:14 -0700
From:   Scott Branden <scott.branden@...adcom.com>
To:     Ray Jui <ray.jui@...adcom.com>,
        Chengfeng Ye <dg573847474@...il.com>,
        bcm-kernel-feedback-list@...adcom.com, arnd@...db.de,
        gregkh@...uxfoundation.org
Cc:     linux-kernel@...r.kernel.org, desmond.yan@...adcom.com
Subject: Re: [PATCH v3] misc: bcm_vk: Fix potential deadlock on &vk->ctx_lock



On 2023-07-19 10:31, Ray Jui wrote:
> 
> 
> On 7/19/2023 10:07 AM, Scott Branden wrote:
>> Works fine - thanks.
> 
> So apparently the choice of using the timer previously was not due to
> performance reasons?
Correct - the heartbeat does not need high performance.

> 
> If performance is a concern by converting to use workqueue (now it runs
> in process/thread context than softirq), I assume you are aware of
> another easy way to fix this potential deadlock issue? :)
Performance not a concern.

>>
>> On 2023-06-29 11:29, Chengfeng Ye wrote:
>>> As &vk->ctx_lock is acquired by timer bcm_vk_hb_poll() under softirq
>>> context, other process context code should disable irq or bottom-half
>>> before acquire the same lock, otherwise deadlock could happen if the
>>> timer preempt the execution while the lock is held in process context
>>> on the same CPU.
>>>
>>> Possible deadlock scenario
>>> bcm_vk_open()
>>>       -> bcm_vk_get_ctx()
>>>       -> spin_lock(&vk->ctx_lock)
>>>      <timer iterrupt>
>>>      -> bcm_vk_hb_poll()
>>>      -> bcm_vk_blk_drv_access()
>>>      -> spin_lock_irqsave(&vk->ctx_lock, flags) (deadlock here)
>>>
>>> This flaw was found using an experimental static analysis tool we are
>>> developing for irq-related deadlock, which reported the following
>>> warning when analyzing the linux kernel 6.4-rc7 release.
>>>
>>> [Deadlock]: &vk->ctx_lock
>>>     [Interrupt]: bcm_vk_hb_poll
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>>     [Locking Unit]: bcm_vk_ioctl
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:1181
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>>
>>> [Deadlock]: &vk->ctx_lock
>>>     [Interrupt]: bcm_vk_hb_poll
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>>     [Locking Unit]: bcm_vk_ioctl
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:1169
>>>
>>> [Deadlock]: &vk->ctx_lock
>>>     [Interrupt]: bcm_vk_hb_poll
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>>     [Locking Unit]: bcm_vk_open
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:216
>>>
>>> [Deadlock]: &vk->ctx_lock
>>>     [Interrupt]: bcm_vk_hb_poll
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:176
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_dev.c:512
>>>     [Locking Unit]: bcm_vk_release
>>>       -->/root/linux/drivers/misc/bcm-vk/bcm_vk_msg.c:306
>>>
>>> As suggested by Arnd, the tentative patch fix the potential deadlocks
>>> by replacing the timer with delay workqueue. x86_64 allyesconfig using
>>> GCC shows no new warning. Note that no runtime testing was performed
>>> due to no device on hand.
>>>
>>> Signed-off-by: Chengfeng Ye <dg573847474@...il.com>
>> Acked-by: Scott Branden <scott.branden@...adcom.com>
>> Tested-by: Desmond Yan <desmond.branden@...adcom.com>
>>
>>> ---
>>>    drivers/misc/bcm-vk/bcm_vk.h     |  2 +-
>>>    drivers/misc/bcm-vk/bcm_vk_msg.c | 14 +++++++-------
>>>    2 files changed, 8 insertions(+), 8 deletions(-)
>>>
>>> diff --git a/drivers/misc/bcm-vk/bcm_vk.h b/drivers/misc/bcm-vk/bcm_vk.h
>>> index 25d51222eedf..386884c2a263 100644
>>> --- a/drivers/misc/bcm-vk/bcm_vk.h
>>> +++ b/drivers/misc/bcm-vk/bcm_vk.h
>>> @@ -340,7 +340,7 @@ struct bcm_vk_proc_mon_info {
>>>    };
>>>      struct bcm_vk_hb_ctrl {
>>> -    struct timer_list timer;
>>> +    struct delayed_work work;
>>>        u32 last_uptime;
>>>        u32 lost_cnt;
>>>    };
>>> diff --git a/drivers/misc/bcm-vk/bcm_vk_msg.c
>>> b/drivers/misc/bcm-vk/bcm_vk_msg.c
>>> index 3c081504f38c..e17d81231ea6 100644
>>> --- a/drivers/misc/bcm-vk/bcm_vk_msg.c
>>> +++ b/drivers/misc/bcm-vk/bcm_vk_msg.c
>>> @@ -137,11 +137,11 @@ void bcm_vk_set_host_alert(struct bcm_vk *vk,
>>> u32 bit_mask)
>>>    #define BCM_VK_HB_TIMER_VALUE (BCM_VK_HB_TIMER_S * HZ)
>>>    #define BCM_VK_HB_LOST_MAX (27 / BCM_VK_HB_TIMER_S)
>>>    -static void bcm_vk_hb_poll(struct timer_list *t)
>>> +static void bcm_vk_hb_poll(struct work_struct *work)
>>>    {
>>>        u32 uptime_s;
>>> -    struct bcm_vk_hb_ctrl *hb = container_of(t, struct bcm_vk_hb_ctrl,
>>> -                         timer);
>>> +    struct bcm_vk_hb_ctrl *hb = container_of(to_delayed_work(work),
>>> struct bcm_vk_hb_ctrl,
>>> +                         work);
>>>        struct bcm_vk *vk = container_of(hb, struct bcm_vk, hb_ctrl);
>>>          if (bcm_vk_drv_access_ok(vk) && hb_mon_is_on()) {
>>> @@ -177,22 +177,22 @@ static void bcm_vk_hb_poll(struct timer_list *t)
>>>            bcm_vk_set_host_alert(vk, ERR_LOG_HOST_HB_FAIL);
>>>        }
>>>        /* re-arm timer */
>>> -    mod_timer(&hb->timer, jiffies + BCM_VK_HB_TIMER_VALUE);
>>> +    schedule_delayed_work(&hb->work, BCM_VK_HB_TIMER_VALUE);
>>>    }
>>>      void bcm_vk_hb_init(struct bcm_vk *vk)
>>>    {
>>>        struct bcm_vk_hb_ctrl *hb = &vk->hb_ctrl;
>>>    -    timer_setup(&hb->timer, bcm_vk_hb_poll, 0);
>>> -    mod_timer(&hb->timer, jiffies + BCM_VK_HB_TIMER_VALUE);
>>> +    INIT_DELAYED_WORK(&hb->work, bcm_vk_hb_poll);
>>> +    schedule_delayed_work(&hb->work, BCM_VK_HB_TIMER_VALUE);
>>>    }
>>>      void bcm_vk_hb_deinit(struct bcm_vk *vk)
>>>    {
>>>        struct bcm_vk_hb_ctrl *hb = &vk->hb_ctrl;
>>>    -    del_timer(&hb->timer);
>>> +    cancel_delayed_work_sync(&hb->work);
>>>    }
>>>      static void bcm_vk_msgid_bitmap_clear(struct bcm_vk *vk,

Download attachment "smime.p7s" of type "application/pkcs7-signature" (4212 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ