Date: Mon, 12 Feb 2024 10:17:33 +0800
From: Pengfei Xu <pengfei.xu@...el.com>
To: Kuniyuki Iwashima <kuniyu@...zon.com>
CC: "David S. Miller" <davem@...emloft.net>, Eric Dumazet
	<edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni
	<pabeni@...hat.com>, Jens Axboe <axboe@...nel.dk>, Pavel Begunkov
	<asml.silence@...il.com>, Kuniyuki Iwashima <kuni1840@...il.com>,
	<netdev@...r.kernel.org>
Subject: Re: [PATCH v1 net-next 2/3] af_unix: Remove io_uring code for GC.

Hi,

On 2024-01-29 at 11:04:34 -0800, Kuniyuki Iwashima wrote:
> Since commit 705318a99a13 ("io_uring/af_unix: disable sending
> io_uring over sockets"), io_uring's unix socket cannot be passed
> via SCM_RIGHTS, so it does not contribute to cyclic reference and
> no longer be candidate for garbage collection.
> 
> Also, commit 6e5e6d274956 ("io_uring: drop any code related to
> SCM_RIGHTS") cleaned up SCM_RIGHTS code in io_uring.
> 
> Let's do it in AF_UNIX as well by reverting commit 0091bfc81741
> ("io_uring/af_unix: defer registered files gc to io_uring release")
> and commit 10369080454d ("net: reclaim skb->scm_io_uring bit").
> 
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...zon.com>
> ---
>  include/net/af_unix.h |  1 -
>  net/unix/garbage.c    | 25 ++-----------------------
>  net/unix/scm.c        |  6 ------
>  3 files changed, 2 insertions(+), 30 deletions(-)
> 
> diff --git a/include/net/af_unix.h b/include/net/af_unix.h
> index f045bbd9017d..9e39b2ec4524 100644
> --- a/include/net/af_unix.h
> +++ b/include/net/af_unix.h
> @@ -20,7 +20,6 @@ static inline struct unix_sock *unix_get_socket(struct file *filp)
>  void unix_inflight(struct user_struct *user, struct file *fp);
>  void unix_notinflight(struct user_struct *user, struct file *fp);
>  void unix_destruct_scm(struct sk_buff *skb);
> -void io_uring_destruct_scm(struct sk_buff *skb);
>  void unix_gc(void);
>  void wait_for_unix_gc(struct scm_fp_list *fpl);
>  struct sock *unix_peer_get(struct sock *sk);
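Review bot: dropping the io_uring_destruct_scm() prototype from the public header is only safe if nothing under io_uring/ still references the symbol at the base of this series; the commit message leans on 6e5e6d274956 for that, so stating that a tree-wide grep for io_uring_destruct_scm comes up empty would make it clear this is a clean revert and not a latent build failure.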
> diff --git a/net/unix/garbage.c b/net/unix/garbage.c
> index af676bb8fb67..ce5b5f87b16e 100644
> --- a/net/unix/garbage.c
> +++ b/net/unix/garbage.c
> @@ -184,12 +184,10 @@ static bool gc_in_progress;
>  
>  static void __unix_gc(struct work_struct *work)
>  {
> -	struct sk_buff *next_skb, *skb;
> -	struct unix_sock *u;
> -	struct unix_sock *next;
>  	struct sk_buff_head hitlist;
> -	struct list_head cursor;
> +	struct unix_sock *u, *next;
>  	LIST_HEAD(not_cycle_list);
> +	struct list_head cursor;
>  
>  	spin_lock(&unix_gc_lock);
>  
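Review bot: the swap of `LIST_HEAD(not_cycle_list);` and `struct list_head cursor;` is a cosmetic reverse-Christmas-tree reorder unrelated to the revert described in the commit message; either mention it there or leave those two lines alone so the hunk is purely the removal of `next_skb`, `skb` and the merging of `u`/`next` into one declaration. Since the later hunk removes the only use of `next` visible in this patch, please confirm `next` is still consumed by another list walk in __unix_gc(), otherwise it becomes an unused variable.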
> @@ -269,30 +267,11 @@ static void __unix_gc(struct work_struct *work)
>  
>  	spin_unlock(&unix_gc_lock);
>  
> -	/* We need io_uring to clean its registered files, ignore all io_uring
> -	 * originated skbs. It's fine as io_uring doesn't keep references to
> -	 * other io_uring instances and so killing all other files in the cycle
> -	 * will put all io_uring references forcing it to go through normal
> -	 * release.path eventually putting registered files.
> -	 */
> -	skb_queue_walk_safe(&hitlist, skb, next_skb) {
> -		if (skb->destructor == io_uring_destruct_scm) {
> -			__skb_unlink(skb, &hitlist);
> -			skb_queue_tail(&skb->sk->sk_receive_queue, skb);
> -		}
> -	}
> -
>  	/* Here we are. Hitlist is filled. Die. */
>  	__skb_queue_purge(&hitlist);
>  
>  	spin_lock(&unix_gc_lock);
>  
> -	/* There could be io_uring registered files, just push them back to
> -	 * the inflight list
> -	 */
> -	list_for_each_entry_safe(u, next, &gc_candidates, link)
> -		list_move_tail(&u->link, &gc_inflight_list);
> -
>  	/* All candidates should have been detached by now. */
>  	WARN_ON_ONCE(!list_empty(&gc_candidates));
>  
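Review bot: with both the skb_queue_walk_safe() filter and the list_for_each_entry_safe() fallback gone, `WARN_ON_ONCE(!list_empty(&gc_candidates));` now depends entirely on every skb purged from the hitlist running a destructor that takes its socket off gc_candidates; any skb that reaches the hitlist with a different destructor is no longer pushed back onto gc_inflight_list and instead trips the warning while leaving a socket on a list the GC assumes is empty. The commit message should spell out why that cannot happen after 705318a99a13, and the WARNING in __unix_gc reported later in this thread suggests checking that assumption against the tree it was hit on.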
> diff --git a/net/unix/scm.c b/net/unix/scm.c
> index 505e56cf02a2..db65b0ab5947 100644
> --- a/net/unix/scm.c
> +++ b/net/unix/scm.c
> @@ -148,9 +148,3 @@ void unix_destruct_scm(struct sk_buff *skb)
>  	sock_wfree(skb);
>  }
>  EXPORT_SYMBOL(unix_destruct_scm);
> -
> -void io_uring_destruct_scm(struct sk_buff *skb)
> -{
> -	unix_destruct_scm(skb);
> -}
> -EXPORT_SYMBOL(io_uring_destruct_scm);
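Review bot: removing an EXPORT_SYMBOL'd function is an interface removal and deserves an explicit sentence in the commit message; since io_uring_destruct_scm() was a plain wrapper around unix_destruct_scm(), saying that any remaining caller can call unix_destruct_scm() directly makes the removal obviously safe.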

Syzkaller found the below issue.
There is a WARNING in __unix_gc in v6.8-rc3_internal-devel_hourly-20240205-094544;
the kernel contains kernel-next patches.

Bisected and found the first bad commit:
"
11498715f266 af_unix: Remove io_uring code for GC.
"
It's the same patch as above.

All detailed info: https://github.com/xupengfe/syzkaller_logs/tree/main/240211_144134___unix_gc
Syzkaller reproduced code: https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/repro.c
Syzkaller repro syscall steps: https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/repro.prog
Kconfig(make olddefconfig): https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/kconfig_origin
Bisect info: https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/bisect_info.log
Issue dmesg: https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/3561c4956a5c9e7f995ae47d4ef703eb9c6a93cd_dmesg.log
bzImage: https://github.com/xupengfe/syzkaller_logs/raw/main/240211_144134___unix_gc/bzImage_3561c4956a5c.tar.gz
repro.report: https://github.com/xupengfe/syzkaller_logs/blob/main/240211_144134___unix_gc/repro.report

"
[   27.629798] ------------[ cut here ]------------
[   27.630447] WARNING: CPU: 0 PID: 52 at net/unix/garbage.c:345 __unix_gc+0x99e/0xb50
[   27.631312] Modules linked in:
[   27.631671] CPU: 0 PID: 52 Comm: kworker/u4:3 Not tainted 6.8.0-rc3-3561c4956a5c+ #1
[   27.632787] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014
[   27.634018] Workqueue: events_unbound __unix_gc
[   27.634544] RIP: 0010:__unix_gc+0x99e/0xb50
[   27.635026] Code: b2 4f fc 0f 0b e9 6c f8 ff ff e8 0d b2 4f fc 31 d2 48 c7 c6 e0 8f 12 85 4c 89 e7 e8 ec f1 ff ff e9 32 fb ff ff e8 f2 b1 4f fc <0f> 0b e9 7e fe ff ff 4c 89 e7 e8 c3 dd b0 fc e9 9c fa ff ff e8 b9
[   27.637177] RSP: 0018:ffff88800c677b90 EFLAGS: 00010293
[   27.637768] RAX: 0000000000000000 RBX: dffffc0000000000 RCX: ffffffff8140b3c2
[   27.638544] RDX: ffff88800bfbca00 RSI: ffffffff8512a5be RDI: ffff88800c677af8
[   27.639329] RBP: ffff88800c677cc8 R08: 0000000000000001 R09: ffffed10018cef5f
[   27.640112] R10: 0000000000000003 R11: 0000000000000001 R12: ffff88800c677c00
[   27.640992] R13: ffff88800c677c00 R14: ffff88800c677c00 R15: ffff88800c677c00
[   27.641768] FS:  0000000000000000(0000) GS:ffff88806cc00000(0000) knlGS:0000000000000000
[   27.642646] CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
[   27.643285] CR2: 00007f6063373fa8 CR3: 0000000006a7e004 CR4: 0000000000770ef0
[   27.644069] DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
[   27.644876] DR3: 0000000000000000 DR6: 00000000ffff07f0 DR7: 0000000000000400
[   27.645658] PKRU: 55555554
[   27.645974] Call Trace:
[   27.646266]  <TASK>
[   27.646524]  ? show_regs+0xa9/0xc0
[   27.646933]  ? __warn+0xef/0x340
[   27.647317]  ? report_bug+0x25e/0x4b0
[   27.647748]  ? __unix_gc+0x99e/0xb50
[   27.648190]  ? report_bug+0x2cb/0x4b0
[   27.648630]  ? __unix_gc+0x99e/0xb50
[   27.649049]  ? handle_bug+0xa2/0x130
[   27.649470]  ? exc_invalid_op+0x3c/0x80
[   27.649922]  ? asm_exc_invalid_op+0x1f/0x30
[   27.650416]  ? do_raw_spin_lock+0x142/0x290
[   27.650892]  ? __unix_gc+0x99e/0xb50
[   27.651315]  ? __unix_gc+0x99e/0xb50
[   27.651742]  ? __pfx___unix_gc+0x10/0x10
[   27.652209]  ? __this_cpu_preempt_check+0x21/0x30
[   27.652757]  ? lock_acquire+0x1d9/0x530
[   27.653219]  ? __this_cpu_preempt_check+0x21/0x30
[   27.653754]  ? _raw_spin_unlock_irq+0x2c/0x60
[   27.654267]  process_one_work+0x813/0x15a0
[   27.654757]  ? __pfx_process_one_work+0x10/0x10
[   27.655271]  ? move_linked_works+0x1bf/0x2c0
[   27.655767]  ? __this_cpu_preempt_check+0x21/0x30
[   27.656346]  ? assign_work+0x19f/0x250
[   27.656780]  ? lock_is_held_type+0xf0/0x150
[   27.657267]  worker_thread+0x823/0x11a0
[   27.657710]  ? _raw_spin_unlock_irqrestore+0x35/0x70
[   27.658269]  ? trace_hardirqs_on+0x26/0x120
[   27.658771]  kthread+0x35f/0x470
[   27.659153]  ? __pfx_worker_thread+0x10/0x10
[   27.659647]  ? __pfx_kthread+0x10/0x10
[   27.660089]  ret_from_fork+0x56/0x90
[   27.660535]  ? __pfx_kthread+0x10/0x10
[   27.660973]  ret_from_fork_asm+0x1b/0x30
[   27.661451]  </TASK>
[   27.661715] irq event stamp: 12659
[   27.662104] hardirqs last  enabled at (12667): [<ffffffff814359a5>] console_unlock+0x2d5/0x310
[   27.663049] hardirqs last disabled at (12674): [<ffffffff8143598a>] console_unlock+0x2ba/0x310
[   27.663991] softirqs last  enabled at (12306): [<ffffffff8126fcf8>] __irq_exit_rcu+0xa8/0x110
[   27.664946] softirqs last disabled at (12291): [<ffffffff8126fcf8>] __irq_exit_rcu+0xa8/0x110
[   27.665878] ---[ end trace 0000000000000000 ]---
"

Given the above WARNING and bisect info, do you mind taking a look?

Thanks!

---

If you don't need the following environment to reproduce the problem, or if you
already have a reproduction environment, please ignore the following information.

How to reproduce:
git clone https://gitlab.com/xupengfe/repro_vm_env.git
cd repro_vm_env
tar -xvf repro_vm_env.tar.gz
cd repro_vm_env; ./start3.sh  // it needs qemu-system-x86_64; I used v7.1.0
  // start3.sh will load the bzImage_2241ab53cbb5cdb08a6b2d4688feb13971058f65 v6.2-rc5 kernel
  // You can change the bzImage_xxx as you want
  // You may need to remove the line "-drive if=pflash,format=raw,readonly=on,file=./OVMF_CODE.fd \" for a different qemu version
You can use the below command to log in; there is no password for root.
ssh -p 10023 root@...alhost

After logging in to the VM (virtual machine) successfully, you can transfer the
reproducer binary to the VM as below, and reproduce the problem in the VM:
gcc -pthread -o repro repro.c
scp -P 10023 repro root@...alhost:/root/

Get the bzImage for the target kernel:
Please use the target kconfig and copy it to kernel_src/.config
make olddefconfig
make -jx bzImage           // x should be equal to or less than the CPU count of your PC

Fill in the bzImage file in the above start3.sh to load the target kernel in the VM.


Tips:
If you already have qemu-system-x86_64, please ignore the below info.
If you want to install qemu version v7.1.0:
git clone https://github.com/qemu/qemu.git
cd qemu
git checkout -f v7.1.0
mkdir build
cd build
yum install -y ninja-build.x86_64
yum -y install libslirp-devel.x86_64
../configure --target-list=x86_64-softmmu --enable-kvm --enable-vnc --enable-gtk --enable-sdl --enable-usb-redir --enable-slirp
make
make install

Best Regards,
Thanks!


> -- 
> 2.30.2
> 
