| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <20241101195438.1658633-1-boqun.feng@gmail.com>
Date: Fri, 1 Nov 2024 12:54:38 -0700
From: Boqun Feng <boqun.feng@...il.com>
To: paulmck@...nel.org
Cc: Sebastian Andrzej Siewior <bigeasy@...utronix.de>,
Vlastimil Babka <vbabka@...e.cz>,
Marco Elver <elver@...gle.com>,
linux-next@...r.kernel.org,
linux-kernel@...r.kernel.org,
kasan-dev@...glegroups.com,
linux-mm@...ck.org,
sfr@...b.auug.org.au,
longman@...hat.com,
cl@...ux.com,
penberg@...nel.org,
rientjes@...gle.com,
iamjoonsoo.kim@....com,
akpm@...ux-foundation.org,
Thomas Gleixner <tglx@...utronix.de>,
Peter Zijlstra <peterz@...radead.org>,
Boqun Feng <boqun.feng@...il.com>
Subject: [PATCH] scftorture: Use workqueue to free scf_check
Paul reported an invalid wait context issue in scftorture catched by
lockdep, and the cause of the issue is because scf_handler() may call
kfree() to free the struct scf_check:
static void scf_handler(void *scfc_in)
{
[...]
} else {
kfree(scfcp);
}
}
(call chain anlysis from Marco Elver)
This is problematic because smp_call_function() uses non-threaded
interrupt and kfree() may acquire a local_lock which is a sleepable lock
on RT.
The general rule is: do not alloc or free memory in non-threaded
interrupt conntexts.
A quick fix is to use workqueue to defer the kfree(). However, this is
OK only because scftorture is test code. In general the users of
interrupts should avoid giving interrupt handlers the ownership of
objects, that is, users should handle the lifetime of objects outside
and interrupt handlers should only hold references to objects.
Reported-by: "Paul E. McKenney" <paulmck@...nel.org>
Link: https://lore.kernel.org/lkml/41619255-cdc2-4573-a360-7794fc3614f7@paulmck-laptop/
Signed-off-by: Boqun Feng <boqun.feng@...il.com>
---
kernel/scftorture.c | 14 +++++++++++++-
1 file changed, 13 insertions(+), 1 deletion(-)
diff --git a/kernel/scftorture.c b/kernel/scftorture.c
index 44e83a646264..ab6dcc7c0116 100644
--- a/kernel/scftorture.c
+++ b/kernel/scftorture.c
@@ -127,6 +127,7 @@ static unsigned long scf_sel_totweight;
// Communicate between caller and handler.
struct scf_check {
+ struct work_struct work;
bool scfc_in;
bool scfc_out;
int scfc_cpu; // -1 for not _single().
@@ -252,6 +253,13 @@ static struct scf_selector *scf_sel_rand(struct torture_random_state *trsp)
return &scf_sel_array[0];
}
+static void kfree_scf_check_work(struct work_struct *w)
+{
+ struct scf_check *scfcp = container_of(w, struct scf_check, work);
+
+ kfree(scfcp);
+}
+
// Update statistics and occasionally burn up mass quantities of CPU time,
// if told to do so via scftorture.longwait. Otherwise, occasionally burn
// a little bit.
@@ -296,7 +304,10 @@ static void scf_handler(void *scfc_in)
if (scfcp->scfc_rpc)
complete(&scfcp->scfc_completion);
} else {
- kfree(scfcp);
+ // Cannot call kfree() directly, pass it to workqueue. It's OK
+ // only because this is test code, avoid this in real world
+ // usage.
+ queue_work(system_wq, &scfcp->work);
}
}
@@ -335,6 +346,7 @@ static void scftorture_invoke_one(struct scf_statistics *scfp, struct torture_ra
scfcp->scfc_wait = scfsp->scfs_wait;
scfcp->scfc_out = false;
scfcp->scfc_rpc = false;
+ INIT_WORK(&scfcp->work, kfree_scf_check_work);
}
}
switch (scfsp->scfs_prim) {
--
2.45.2
Powered by blists - more mailing lists