lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <5fdae342-05b5-481b-894d-3f296e8ea189@mojatatu.com>
Date: Wed, 12 Jun 2024 18:25:14 -0300
From: Pedro Tammela <pctammela@...atatu.com>
To: David Ruth <druth@...omium.org>, netdev@...r.kernel.org
Cc: jhs@...atatu.com, xiyou.wangcong@...il.com, jiri@...nulli.us,
 davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org,
 pabeni@...hat.com, syzbot+b87c222546179f4513a7@...kaller.appspotmail.com
Subject: Re: [Patch net-next] net/sched: cls_api: fix possible infinite loop
 in tcf_idr_check_alloc()

On 12/06/2024 17:46, David Ruth wrote:
> syzbot found hanging tasks waiting on rtnl_lock [1]
> 
> When a request to add multiple actions with the same index is sent, the
> second request will block forever on the first request. This results in an
> infinite loop that holds rtnl_lock, and causes tasks to hang.
> 
> Return -EAGAIN to prevent infinite looping, while keeping documented
> behavior.
> 
> [1]
> 
> INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
> Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
> Workqueue: events_power_efficient reg_check_chans_work
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5409 [inline]
> __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
> __schedule_loop kernel/sched/core.c:6823 [inline]
> schedule+0xe7/0x350 kernel/sched/core.c:6838
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
> wiphy_lock include/net/cfg80211.h:5953 [inline]
> reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
> reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
> 
> Reported-by: syzbot+b87c222546179f4513a7@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7
> Signed-off-by: David Ruth <druth@...omium.org>

Hi,

Thanks for fixing it.

Syzbot is reproducing in net, so the patch should target the net tree.

Also missing the following tag:
Fixes: 4b55e86736d5 ("net/sched: act_api: rely on rcu in 
tcf_idr_check_alloc")

> ---
>   net/sched/act_api.c | 3 +--
>   1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> index 7458b3154426..2714c4ed928e 100644
> --- a/net/sched/act_api.c
> +++ b/net/sched/act_api.c
> @@ -830,7 +830,6 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
>   	u32 max;
>   
>   	if (*index) {
> -again:
>   		rcu_read_lock();
>   		p = idr_find(&idrinfo->action_idr, *index);
>   
> @@ -839,7 +838,7 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
>   			 * index but did not assign the pointer yet.
>   			 */
>   			rcu_read_unlock();
> -			goto again;
> +			return -EAGAIN;
>   		}
>   
>   		if (!p) {

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ