From: Ryan Cai <[email protected]>
In methods listening_get_first and listening_get_first in tcp_ipv4.c, there are lock leaks when seq_sk_match returns true.
Signed-off-by: Ryan Cai <[email protected]>
---
net/ipv4/tcp_ipv4.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 13d868c43284..714107766035 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2329,6 +2329,7 @@ static void *listening_get_first(struct seq_file *seq)
inet_lhash2_for_each_icsk(icsk, &ilb2->head) {
sk = (struct sock *)icsk;
if (seq_sk_match(seq, sk))
+ spin_unlock(&ilb2->lock);
return sk;
}
spin_unlock(&ilb2->lock);
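Review bot: the `if (seq_sk_match(seq, sk))` in this hunk has no braces, so only the added `spin_unlock(&ilb2->lock);` is conditional and `return sk;` now runs unconditionally on the first loop iteration, returning the first socket in the bucket whether or not it matched. The unlock is also the wrong fix in itself: the existing `spin_unlock(&ilb2->lock);` after the loop only executes when no socket matched, which means the lock is meant to stay held while a matching socket is handed back to the seq_file iterator (the maintainer's reply in this thread confirms this is intentional). The added line should be dropped rather than bracketed.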
@@ -2407,6 +2408,7 @@ static void *established_get_first(struct seq_file *seq)
spin_lock_bh(lock);
sk_nulls_for_each(sk, node, &tcp_hashinfo.ehash[st->bucket].chain) {
if (seq_sk_match(seq, sk))
+ spin_unlock_bh(lock);
return sk;
}
spin_unlock_bh(lock);
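Review bot: same brace problem here: `return sk;` is no longer under the `if`, so the first socket in the chain is returned regardless of what seq_sk_match says. The lock is taken with `spin_lock_bh(lock);` and, as the existing `spin_unlock_bh(lock);` after the loop shows, is meant to remain held when a match is returned; unlocking on match leaves the later release unbalanced, which is consistent with the kernel test robot's result for this commit (`in_atomic(): 1`, `preempt_count: 7ffffffe`, BUG at lib/iov_iter.c reached from seq_read_iter). Drop the added line.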
--
2.33.0
On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> if (seq_sk_match(seq, sk))
> + spin_unlock_bh(lock);
> return sk;
Heh, also you're missing brackets so this is patently buggy.
On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> From: Ryan Cai <[email protected]>
>
> In methods listening_get_first and listening_get_first in tcp_ipv4.c,
> there are lock leaks when seq_sk_match returns true.
This is on purpose, please read the code carefully and try to test
your patches.
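A constructed C model of the two points made above (the missing braces, and the lock being held on purpose across the seq_file walk), added here as an example; it is not code from the patch, the kernel, or anyone in the thread. The function names get_first_original, get_first_patched, get_next and iter_stop are hypothetical stand-ins for the seq_file start/next/stop callbacks, the lock_depth counter stands in for what spin_lock_bh/spin_unlock_bh contribute to preempt_count, and the two buckets are constructed input:

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the seq_file start/next/stop lock discipline the
 * thread is about. Nothing here is kernel code; names are stand-ins. */
struct sock {
    int id;
    int match;   /* 1 if seq_sk_match() would accept this sock */
};

/* Stands in for the contribution of spin_lock_bh()/spin_unlock_bh() to
 * preempt_count: balanced use ends at 0, an extra unlock goes negative. */
static int lock_depth;
static void bucket_lock(void)   { lock_depth++; }
static void bucket_unlock(void) { lock_depth--; }

typedef struct sock *(*get_first_fn)(struct sock *, int, int *);

/* Shape of the unpatched code: take the lock, return the first matching sock
 * with the lock still held; release only when the bucket has no match. */
static struct sock *get_first_original(struct sock *tbl, int n, int *pos)
{
    bucket_lock();
    for (int i = 0; i < n; i++) {
        if (tbl[i].match) {
            *pos = i;
            return &tbl[i];
        }
    }
    bucket_unlock();
    return NULL;
}

/* Same control flow as the submitted hunk, braces exactly as written there:
 * only the unlock is conditional; the return runs on the first iteration
 * whether or not the sock matched. */
static struct sock *get_first_patched(struct sock *tbl, int n, int *pos)
{
    bucket_lock();
    for (int i = 0; i < n; i++) {
        if (tbl[i].match)
            bucket_unlock();
        *pos = i;
        return &tbl[i];
    }
    bucket_unlock();
    return NULL;
}

/* next: keep scanning with the lock held; release it once the bucket is done. */
static struct sock *get_next(struct sock *tbl, int n, int *pos)
{
    for (int i = *pos + 1; i < n; i++) {
        if (tbl[i].match) {
            *pos = i;
            return &tbl[i];
        }
    }
    bucket_unlock();
    return NULL;
}

/* stop: if the walk ended on a live sock (output buffer filled mid-bucket),
 * the lock is still held and must be dropped here. */
static void iter_stop(struct sock *sk)
{
    if (sk)
        bucket_unlock();
}

struct walk_result {
    int yielded;   /* socks handed to the iterator */
    int bogus;     /* of those, ones that did not match */
    int depth;     /* final lock depth; anything but 0 is a lock bug */
};

/* Drives one start/next/.../stop walk; limit models the seq_file buffer filling. */
static struct walk_result walk(get_first_fn get_first, struct sock *tbl, int n, int limit)
{
    struct walk_result r = {0, 0, 0};
    int pos = 0;
    struct sock *sk;

    lock_depth = 0;
    sk = get_first(tbl, n, &pos);
    while (sk) {
        r.yielded++;
        r.bogus += !sk->match;
        if (r.yielded == limit)
            break;
        sk = get_next(tbl, n, &pos);
    }
    iter_stop(sk);
    r.depth = lock_depth;
    return r;
}

/* Constructed buckets: A starts with a non-matching sock, B with a matching one. */
static struct sock bucket_a[] = {{1, 0}, {2, 1}, {3, 1}};
static struct sock bucket_b[] = {{1, 1}, {2, 1}, {3, 0}};

int main(void)
{
    struct walk_result o = walk(get_first_original, bucket_b, 3, 10);
    struct walk_result p = walk(get_first_patched, bucket_b, 3, 10);
    printf("original: yielded=%d bogus=%d depth=%d\n", o.yielded, o.bogus, o.depth);
    printf("patched:  yielded=%d bogus=%d depth=%d\n", p.yielded, p.bogus, p.depth);
    return 0;
}
```

Walking bucket A with the patched start hands the iterator a sock that never matched (the unconditional return), and walking bucket B with it ends at a negative lock depth because the lock was released on the match and again by next/stop; the original shape ends at depth 0 in every case, including a walk cut short mid-bucket.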
Sorry for reporting this false positive. Would be more careful next time. Thank you for your checking.
Best,
Ryan
On 21/1/2022, 11:47 AM, "Jakub Kicinski" <[email protected]> wrote:
> On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> > if (seq_sk_match(seq, sk))
> > + spin_unlock_bh(lock);
> > return sk;
> Heh, also you're missing brackets so this is patently buggy.
On Thu, Jan 20, 2022 at 8:06 PM Ryan Cai <[email protected]> wrote:
>
> Sorry for reporting this false positive. Would be more careful next time. Thank you for your checking.
In the past 3 weeks you've sent 4 subtly broken patches.
Not a single valid one.
Are you trying to test the maintainer's review skills?
Is this another "let's hack the kernel" research project?
Greetings,
FYI, we noticed the following commit (built with gcc-9):
commit: 604258c8f5a9792828f54e55769ca1673c4a34ee ("[PATCH] ipv4: fix lock leaks")
url: https://github.com/0day-ci/linux/commits/ycaibb/ipv4-fix-lock-leaks/20220121-111241
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
patch link: https://lore.kernel.org/netdev/[email protected]
in testcase: boot
on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G
caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):
+---------------------------------------------------------------------+------------+------------+
| | 8aaaf2f3af | 604258c8f5 |
+---------------------------------------------------------------------+------------+------------+
| BUG:sleeping_function_called_from_invalid_context_at_lib/iov_iter.c | 0 | 9 |
| WARNING:at_lib/iov_iter.c:#copyout | 0 | 9 |
| EIP:copyout | 0 | 9 |
| WARNING:at_lib/usercopy.c:#_copy_from_user | 0 | 9 |
| EIP:_copy_from_user | 0 | 9 |
| WARNING:at_lib/usercopy.c:#_copy_to_user | 0 | 9 |
| EIP:_copy_to_user | 0 | 9 |
| WARNING:at_fs/read_write.c:#vfs_read | 0 | 9 |
| EIP:vfs_read | 0 | 9 |
| WARNING:at_arch/x86/include/asm/uaccess.h:#strncpy_from_user | 0 | 9 |
| EIP:strncpy_from_user | 0 | 9 |
| Kernel_panic-not_syncing:Aiee,killing_interrupt_handler | 0 | 9 |
+---------------------------------------------------------------------+------------+------------+
If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>
[ 13.500024][ C1] BUG: sleeping function called from invalid context at lib/iov_iter.c:666
[ 13.500030][ C1] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 335, name: dropbearkey
[ 13.500032][ C1] preempt_count: 7ffffffe, expected: 0
[ 13.500035][ C1] CPU: 1 PID: 335 Comm: dropbearkey Not tainted 5.16.0-rc8-02291-g604258c8f5a9 #1
[ 13.500038][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 13.500040][ C1] Call Trace:
[ 13.500045][ C1] dump_stack_lvl (lib/dump_stack.c:107)
[ 13.500053][ C1] dump_stack (lib/dump_stack.c:114)
[ 13.500056][ C1] __might_resched.cold (kernel/sched/core.c:9539 kernel/sched/core.c:9492)
[ 13.500063][ C1] __might_sleep (kernel/sched/core.c:9468 (discriminator 14))
[ 13.500070][ C1] __might_fault (mm/memory.c:5255)
[ 13.500076][ C1] _copy_to_iter (lib/iov_iter.c:667)
[ 13.500081][ C1] ? __check_heap_object (mm/slub.c:4508)
[ 13.500087][ C1] ? __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286 mm/usercopy.c:256)
[ 13.500092][ C1] seq_read_iter (include/linux/uio.h:155 fs/seq_file.c:281)
[ 13.500099][ C1] seq_read (fs/seq_file.c:163)
[ 13.500104][ C1] ? seq_read_iter (fs/seq_file.c:152)
[ 13.500108][ C1] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 13.500114][ C1] ? proc_reg_unlocked_ioctl (fs/proc/inode.c:316)
[ 13.500117][ C1] vfs_read (fs/read_write.c:479)
[ 13.500123][ C1] ? kern_select (fs/select.c:720)
[ 13.500128][ C1] ksys_read (fs/read_write.c:620)
[ 13.500132][ C1] __ia32_sys_read (fs/read_write.c:627)
[ 13.500135][ C1] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 13.500144][ C1] entry_INT80_32 (arch/x86/entry/entry_32.S:981)
[ 13.500148][ C1] EIP: 0xb7f3e07f
[ 13.500152][ C1] Code: 24 04 53 56 57 55 8b 01 85 c0 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5d> 5f 5e 5b c3 5d 5f 5e 5b e9 30 09 00 00 65 8b 15 04 00 00 00 8b
All code
========
0: 24 04 and $0x4,%al
2: 53 push %rbx
3: 56 push %rsi
4: 57 push %rdi
5: 55 push %rbp
6: 8b 01 mov (%rcx),%eax
8: 85 c0 test %eax,%eax
a: 75 23 jne 0x2f
c: 8b 44 24 18 mov 0x18(%rsp),%eax
10: 8b 5c 24 1c mov 0x1c(%rsp),%ebx
14: 8b 4c 24 20 mov 0x20(%rsp),%ecx
18: 8b 54 24 24 mov 0x24(%rsp),%edx
1c: 8b 74 24 28 mov 0x28(%rsp),%esi
20: 8b 7c 24 2c mov 0x2c(%rsp),%edi
24: 8b 6c 24 30 mov 0x30(%rsp),%ebp
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5f pop %rdi
2c: 5e pop %rsi
2d: 5b pop %rbx
2e: c3 retq
2f: 5d pop %rbp
30: 5f pop %rdi
31: 5e pop %rsi
32: 5b pop %rbx
33: e9 30 09 00 00 jmpq 0x968
38: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x43
3f: 8b .byte 0x8b
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5f pop %rdi
2: 5e pop %rsi
3: 5b pop %rbx
4: c3 retq
5: 5d pop %rbp
6: 5f pop %rdi
7: 5e pop %rsi
8: 5b pop %rbx
9: e9 30 09 00 00 jmpq 0x93e
e: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x19
15: 8b .byte 0x8b
[ 13.500155][ C1] EAX: ffffffda EBX: 00000001 ECX: bfde6b0c EDX: 00001000
[ 13.500158][ C1] ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: bfde69bc
[ 13.500160][ C1] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 13.500197][ C1] ------------[ cut here ]------------
[ 13.500198][ C1] WARNING: CPU: 1 PID: 335 at lib/iov_iter.c:155 copyout (lib/iov_iter.c:155)
[ 13.500206][ C1] Modules linked in:
[ 13.500209][ C1] CPU: 1 PID: 335 Comm: dropbearkey Tainted: G W 5.16.0-rc8-02291-g604258c8f5a9 #1
[ 13.500212][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 13.500213][ C1] EIP: copyout (lib/iov_iter.c:155)
[ 13.500216][ C1] Code: 8b 89 a8 0f 00 00 85 c9 74 20 89 c1 01 d9 72 11 81 f9 00 00 00 c0 77 09 89 c1 89 d8 e8 41 d2 05 00 5b 5d c3 8d b6 00 00 00 00 <0f> 0b eb dc eb 32 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 8d b4
All code
========
0: 8b 89 a8 0f 00 00 mov 0xfa8(%rcx),%ecx
6: 85 c9 test %ecx,%ecx
8: 74 20 je 0x2a
a: 89 c1 mov %eax,%ecx
c: 01 d9 add %ebx,%ecx
e: 72 11 jb 0x21
10: 81 f9 00 00 00 c0 cmp $0xc0000000,%ecx
16: 77 09 ja 0x21
18: 89 c1 mov %eax,%ecx
1a: 89 d8 mov %ebx,%eax
1c: e8 41 d2 05 00 callq 0x5d262
21: 5b pop %rbx
22: 5d pop %rbp
23: c3 retq
24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
2a:* 0f 0b ud2 <-- trapping instruction
2c: eb dc jmp 0xa
2e: eb 32 jmp 0x62
30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
3e: 8d .byte 0x8d
3f: b4 .byte 0xb4
Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: eb dc jmp 0xffffffffffffffe0
4: eb 32 jmp 0x38
6: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
d: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
14: 8d .byte 0x8d
15: b4 .byte 0xb4
[ 13.500219][ C1] EAX: 00000384 EBX: bfde6b0c ECX: 00000000 EDX: f544b000
[ 13.500221][ C1] ESI: 00000000 EDI: 00000384 EBP: f5623dfc ESP: f5623df8
[ 13.500223][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[ 13.500230][ C1] CR0: 80050033 CR2: 0805fff1 CR3: 3561a000 CR4: 00350ef0
[ 13.500233][ C1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 13.500235][ C1] DR6: fffe0ff0 DR7: 00000400
[ 13.500237][ C1] Call Trace:
[ 13.500239][ C1] _copy_to_iter (lib/iov_iter.c:667 (discriminator 8))
[ 13.500242][ C1] ? __check_heap_object (mm/slub.c:4508)
[ 13.500246][ C1] ? __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286 mm/usercopy.c:256)
[ 13.500249][ C1] seq_read_iter (include/linux/uio.h:155 fs/seq_file.c:281)
[ 13.500253][ C1] seq_read (fs/seq_file.c:163)
[ 13.500257][ C1] ? seq_read_iter (fs/seq_file.c:152)
[ 13.500261][ C1] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 13.500264][ C1] ? proc_reg_unlocked_ioctl (fs/proc/inode.c:316)
[ 13.500268][ C1] vfs_read (fs/read_write.c:479)
[ 13.500272][ C1] ? kern_select (fs/select.c:720)
[ 13.500275][ C1] ksys_read (fs/read_write.c:620)
[ 13.500279][ C1] __ia32_sys_read (fs/read_write.c:627)
[ 13.500283][ C1] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 13.500287][ C1] entry_INT80_32 (arch/x86/entry/entry_32.S:981)
[ 13.500290][ C1] EIP: 0xb7f3e07f
[ 13.500292][ C1] Code: 24 04 53 56 57 55 8b 01 85 c0 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5d> 5f 5e 5b c3 5d 5f 5e 5b e9 30 09 00 00 65 8b 15 04 00 00 00 8b
All code
========
0: 24 04 and $0x4,%al
2: 53 push %rbx
3: 56 push %rsi
4: 57 push %rdi
5: 55 push %rbp
6: 8b 01 mov (%rcx),%eax
8: 85 c0 test %eax,%eax
a: 75 23 jne 0x2f
c: 8b 44 24 18 mov 0x18(%rsp),%eax
10: 8b 5c 24 1c mov 0x1c(%rsp),%ebx
14: 8b 4c 24 20 mov 0x20(%rsp),%ecx
18: 8b 54 24 24 mov 0x24(%rsp),%edx
1c: 8b 74 24 28 mov 0x28(%rsp),%esi
20: 8b 7c 24 2c mov 0x2c(%rsp),%edi
24: 8b 6c 24 30 mov 0x30(%rsp),%ebp
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5f pop %rdi
2c: 5e pop %rsi
2d: 5b pop %rbx
2e: c3 retq
2f: 5d pop %rbp
30: 5f pop %rdi
31: 5e pop %rsi
32: 5b pop %rbx
33: e9 30 09 00 00 jmpq 0x968
38: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x43
3f: 8b .byte 0x8b
Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5f pop %rdi
2: 5e pop %rsi
3: 5b pop %rbx
4: c3 retq
5: 5d pop %rbp
6: 5f pop %rdi
7: 5e pop %rsi
8: 5b pop %rbx
9: e9 30 09 00 00 jmpq 0x93e
e: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x19
15: 8b .byte 0x8b
[ 13.500295][ C1] EAX: ffffffda EBX: 00000001 ECX: bfde6b0c EDX: 00001000
[ 13.500297][ C1] ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: bfde69bc
[ 13.500299][ C1] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 13.500303][ C1] ---[ end trace b04bb3a5693a52f3 ]---
[ 13.500330][ C1] ------------[ cut here ]------------
To reproduce:
# build kernel
cd linux
cp config-5.16.0-rc8-02291-g604258c8f5a9 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz
git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email
# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.
---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation
Thanks,
Oliver Sang