lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Date: Thu, 13 Jun 2024 16:06:27 -0400
From: Jamal Hadi Salim <jhs@...atatu.com>
To: David Ruth <druth@...omium.org>
Cc: netdev@...r.kernel.org, xiyou.wangcong@...il.com, jiri@...nulli.us, 
	davem@...emloft.net, edumazet@...gle.com, kuba@...nel.org, pabeni@...hat.com, 
	marcelo.leitner@...il.com, vladbu@...dia.com, 
	syzbot+b87c222546179f4513a7@...kaller.appspotmail.com
Subject: Re: [PATCH v2 net] net/sched: cls_api: fix possible infinite loop in tcf_idr_check_alloc()

On Thu, Jun 13, 2024 at 3:10 AM David Ruth <druth@...omium.org> wrote:
>
> syzbot found hanging tasks waiting on rtnl_lock [1]
>
> A reproducer is available in the syzbot bug.
>
> When a request to add multiple actions with the same index is sent, the
> second request will block forever on the first request. This holds
> rtnl_lock, and causes tasks to hang.
>
> Return -EAGAIN to prevent infinite looping, while keeping documented
> behavior.
>
> [1]
>
> INFO: task kworker/1:0:5088 blocked for more than 143 seconds.
> Not tainted 6.9.0-rc4-syzkaller-00173-g3cdb45594619 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/1:0 state:D stack:23744 pid:5088 tgid:5088 ppid:2 flags:0x00004000
> Workqueue: events_power_efficient reg_check_chans_work
> Call Trace:
> <TASK>
> context_switch kernel/sched/core.c:5409 [inline]
> __schedule+0xf15/0x5d00 kernel/sched/core.c:6746
> __schedule_loop kernel/sched/core.c:6823 [inline]
> schedule+0xe7/0x350 kernel/sched/core.c:6838
> schedule_preempt_disabled+0x13/0x30 kernel/sched/core.c:6895
> __mutex_lock_common kernel/locking/mutex.c:684 [inline]
> __mutex_lock+0x5b8/0x9c0 kernel/locking/mutex.c:752
> wiphy_lock include/net/cfg80211.h:5953 [inline]
> reg_leave_invalid_chans net/wireless/reg.c:2466 [inline]
> reg_check_chans_work+0x10a/0x10e0 net/wireless/reg.c:2481
>
> Fixes: 0190c1d452a9 ("net: sched: atomically check-allocate action")
> Reported-by: syzbot+b87c222546179f4513a7@...kaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=b87c222546179f4513a7
> Signed-off-by: David Ruth <druth@...omium.org>

Reviewed-by: Jamal Hadi Salim <jhs@...atatu.com>

Small nit, should subject be:
net/sched: act_api: fix possible infinite loop in tcf_idr_check_alloc()

cheers,
jamal

> ---
> V1 -> V2: Moved from net-next to net, identified the change this fixes
>
>  net/sched/act_api.c | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/sched/act_api.c b/net/sched/act_api.c
> index 9ee622fb1160..2520708b06a1 100644
> --- a/net/sched/act_api.c
> +++ b/net/sched/act_api.c
> @@ -830,7 +830,6 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
>         u32 max;
>
>         if (*index) {
> -again:
>                 rcu_read_lock();
>                 p = idr_find(&idrinfo->action_idr, *index);
>
> @@ -839,7 +838,7 @@ int tcf_idr_check_alloc(struct tc_action_net *tn, u32 *index,
>                          * index but did not assign the pointer yet.
>                          */
>                         rcu_read_unlock();
> -                       goto again;
> +                       return -EAGAIN;
>                 }
>
>                 if (!p) {
> --
> 2.45.2.627.g7a2c4fd464-goog
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ