lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20170209200936-mutt-send-email-mst@kernel.org>
Date:   Thu, 9 Feb 2017 20:10:05 +0200
From:   "Michael S. Tsirkin" <mst@...hat.com>
To:     Jason Wang <jasowang@...hat.com>
Cc:     Dmitry Vyukov <dvyukov@...gle.com>,
        David Miller <davem@...emloft.net>,
        Eric Dumazet <edumazet@...gle.com>,
        LKML <linux-kernel@...r.kernel.org>,
        Cong Wang <xiyou.wangcong@...il.com>,
        netdev <netdev@...r.kernel.org>,
        syzkaller <syzkaller@...glegroups.com>
Subject: Re: net: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected in
 skb_array_produce

On Thu, Feb 09, 2017 at 05:02:31AM -0500, Jason Wang wrote:
> 
> 
> ----- Original Message -----
> > Hello,
> > 
> > I've got the following report while running syzkaller fuzzer on mmotm
> > (git://git.kernel.org/pub/scm/linux/kernel/git/mhocko/mm.git)
> > remotes/mmotm/auto-latest ee4ba7533626ba7bf2f8b992266467ac9fdc045e:
> > 
> 
> [...]
> 
> > 
> > other info that might help us debug this:
> > 
> >  Possible interrupt unsafe locking scenario:
> > 
> >        CPU0                    CPU1
> >        ----                    ----
> >   lock(&(&r->consumer_lock)->rlock);
> >                                local_irq_disable();
> >                                lock(&(&r->producer_lock)->rlock);
> >                                lock(&(&r->consumer_lock)->rlock);
> >   <Interrupt>
> >     lock(&(&r->producer_lock)->rlock);
> > 
> 
> Thanks a lot for the testing.
> 
> Looks like we could address this by using skb_array_consume_bh() instead.
> 
> Could you pls verify if the following patch works?

I think we should use _bh for the produce call as well,
since resizing takes the producer lock.


> diff --git a/drivers/net/tun.c b/drivers/net/tun.c
> index 8a7d6b9..a97c00d 100644
> --- a/drivers/net/tun.c
> +++ b/drivers/net/tun.c
> @@ -520,7 +520,7 @@ static void tun_queue_purge(struct tun_file *tfile)
>  {
>         struct sk_buff *skb;
>  
> -       while ((skb = skb_array_consume(&tfile->tx_array)) != NULL)
> +       while ((skb = skb_array_consume_bh(&tfile->tx_array)) != NULL)
>                 kfree_skb(skb);
>  
>         skb_queue_purge(&tfile->sk.sk_write_queue);
> @@ -1458,7 +1458,7 @@ static struct sk_buff *tun_ring_recv(struct tun_file *tfile, int noblock,
>         struct sk_buff *skb = NULL;
>         int error = 0;
>  
> -       skb = skb_array_consume(&tfile->tx_array);
> +       skb = skb_array_consume_bh(&tfile->tx_array);
>         if (skb)
>                 goto out;
>         if (noblock) {
> @@ -1470,7 +1470,7 @@ static struct sk_buff *tun_ring_recv(struct tun_file *tfile, int noblock,
>         current->state = TASK_INTERRUPTIBLE;
>  
>         while (1) {
> -               skb = skb_array_consume(&tfile->tx_array);
> +               skb = skb_array_consume_bh(&tfile->tx_array);
>                 if (skb)
>                         break;
>                 if (signal_pending(current)) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ