2022-01-22 00:30:46

by Ryan Cai

Subject: [PATCH] ipv4: fix lock leaks

From: Ryan Cai <[email protected]>

In methods listening_get_first and listening_get_first in tcp_ipv4.c, there are lock leaks when seq_sk_match returns true.

Signed-off-by: Ryan Cai <[email protected]>
---
net/ipv4/tcp_ipv4.c | 2 ++
1 file changed, 2 insertions(+)

diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 13d868c43284..714107766035 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -2329,6 +2329,7 @@ static void *listening_get_first(struct seq_file *seq)
inet_lhash2_for_each_icsk(icsk, &ilb2->head) {
sk = (struct sock *)icsk;
if (seq_sk_match(seq, sk))
+ spin_unlock(&ilb2->lock);
return sk;
}
spin_unlock(&ilb2->lock);
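Review bot: the added `spin_unlock(&ilb2->lock);` is unbraced, so it becomes the whole body of `if (seq_sk_match(seq, sk))` and the following `return sk;` is no longer conditional: the loop now returns the first socket in the bucket whether or not it matched, and on a match it drops the bucket lock that the caller still expects to hold. Holding `ilb2->lock` across the early return is deliberate here: this is a seq_file iterator, and the lock is released by the `_next`/stop side once iteration over that bucket is done, which the maintainer reply in this thread ("This is on purpose") confirms. The hunk should be dropped; it does not fix a leak, and the missing braces turn a no-op into a correctness bug.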
@@ -2407,6 +2408,7 @@ static void *established_get_first(struct seq_file *seq)
spin_lock_bh(lock);
sk_nulls_for_each(sk, node, &tcp_hashinfo.ehash[st->bucket].chain) {
if (seq_sk_match(seq, sk))
+ spin_unlock_bh(lock);
return sk;
}
spin_unlock_bh(lock);
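Review bot: same problem as the first hunk, with a worse consequence: the unbraced `spin_unlock_bh(lock);` makes `return sk;` unconditional, and on a match the lock is released here and then released again by the stop path that already owns that unlock, so the bottom-half disable count goes unbalanced. The kernel test robot report later in this thread, taken on the patched tree, shows exactly that symptom on a read of the TCP proc file: `BUG: sleeping function called from invalid context at lib/iov_iter.c:666`, `in_atomic(): 1`, with a `preempt_count` that is not zero, under `seq_read_iter -> _copy_to_iter`. Drop this hunk as well; there is no leak on the early-return path of `established_get_first`.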
--
2.33.0


2022-01-22 00:31:20

by Jakub Kicinski

Subject: Re: [PATCH] ipv4: fix lock leaks

On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> if (seq_sk_match(seq, sk))
> + spin_unlock_bh(lock);
> return sk;

Heh, also you're missing brackets so this is patently buggy.

2022-01-22 00:32:24

by Jakub Kicinski

Subject: Re: [PATCH] ipv4: fix lock leaks

On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> From: Ryan Cai <[email protected]>
>
> In methods listening_get_first and listening_get_first in tcp_ipv4.c,
> there are lock leaks when seq_sk_match returns true.

This is on purpose, please read the code carefully and try to test
your patches.

2022-01-22 00:32:59

by Ryan Cai

Subject: Re: [PATCH] ipv4: fix lock leaks

Sorry for reporting this false positive. Would be more careful next time. Thank you for your checking.

Best,
Ryan

On 21/1/2022, 11:47 AM, "Jakub Kicinski" <[email protected]> wrote:

On Fri, 21 Jan 2022 11:11:08 +0800 ycaibb wrote:
> if (seq_sk_match(seq, sk))
> + spin_unlock_bh(lock);
> return sk;

Heh, also you're missing brackets so this is patently buggy.


2022-01-22 00:33:09

by Alexei Starovoitov

Subject: Re: [PATCH] ipv4: fix lock leaks

On Thu, Jan 20, 2022 at 8:06 PM Ryan Cai <[email protected]> wrote:
>
> Sorry for reporting this false positive. Would be more careful next time. Thank you for your checking.

In the past 3 weeks you've sent 4 subtly broken patches.
Not a single valid one.
Are you trying to test the maintainer's review skills?
Is this another "lets hack the kernel" research project?

2022-01-24 06:35:13

by kernel test robot

Subject: [ipv4] 604258c8f5: BUG:sleeping_function_called_from_invalid_context_at_lib/iov_iter.c



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 604258c8f5a9792828f54e55769ca1673c4a34ee ("[PATCH] ipv4: fix lock leaks")
url: https://github.com/0day-ci/linux/commits/ycaibb/ipv4-fix-lock-leaks/20220121-111241
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
patch link: https://lore.kernel.org/netdev/[email protected]

in testcase: boot

on test machine: qemu-system-x86_64 -enable-kvm -cpu Icelake-Server -smp 4 -m 16G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):


+---------------------------------------------------------------------+------------+------------+
| | 8aaaf2f3af | 604258c8f5 |
+---------------------------------------------------------------------+------------+------------+
| BUG:sleeping_function_called_from_invalid_context_at_lib/iov_iter.c | 0 | 9 |
| WARNING:at_lib/iov_iter.c:#copyout | 0 | 9 |
| EIP:copyout | 0 | 9 |
| WARNING:at_lib/usercopy.c:#_copy_from_user | 0 | 9 |
| EIP:_copy_from_user | 0 | 9 |
| WARNING:at_lib/usercopy.c:#_copy_to_user | 0 | 9 |
| EIP:_copy_to_user | 0 | 9 |
| WARNING:at_fs/read_write.c:#vfs_read | 0 | 9 |
| EIP:vfs_read | 0 | 9 |
| WARNING:at_arch/x86/include/asm/uaccess.h:#strncpy_from_user | 0 | 9 |
| EIP:strncpy_from_user | 0 | 9 |
| Kernel_panic-not_syncing:Aiee,killing_interrupt_handler | 0 | 9 |
+---------------------------------------------------------------------+------------+------------+


If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 13.500024][ C1] BUG: sleeping function called from invalid context at lib/iov_iter.c:666
[ 13.500030][ C1] in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 335, name: dropbearkey
[ 13.500032][ C1] preempt_count: 7ffffffe, expected: 0
[ 13.500035][ C1] CPU: 1 PID: 335 Comm: dropbearkey Not tainted 5.16.0-rc8-02291-g604258c8f5a9 #1
[ 13.500038][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 13.500040][ C1] Call Trace:
[ 13.500045][ C1] dump_stack_lvl (lib/dump_stack.c:107)
[ 13.500053][ C1] dump_stack (lib/dump_stack.c:114)
[ 13.500056][ C1] __might_resched.cold (kernel/sched/core.c:9539 kernel/sched/core.c:9492)
[ 13.500063][ C1] __might_sleep (kernel/sched/core.c:9468 (discriminator 14))
[ 13.500070][ C1] __might_fault (mm/memory.c:5255)
[ 13.500076][ C1] _copy_to_iter (lib/iov_iter.c:667)
[ 13.500081][ C1] ? __check_heap_object (mm/slub.c:4508)
[ 13.500087][ C1] ? __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286 mm/usercopy.c:256)
[ 13.500092][ C1] seq_read_iter (include/linux/uio.h:155 fs/seq_file.c:281)
[ 13.500099][ C1] seq_read (fs/seq_file.c:163)
[ 13.500104][ C1] ? seq_read_iter (fs/seq_file.c:152)
[ 13.500108][ C1] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 13.500114][ C1] ? proc_reg_unlocked_ioctl (fs/proc/inode.c:316)
[ 13.500117][ C1] vfs_read (fs/read_write.c:479)
[ 13.500123][ C1] ? kern_select (fs/select.c:720)
[ 13.500128][ C1] ksys_read (fs/read_write.c:620)
[ 13.500132][ C1] __ia32_sys_read (fs/read_write.c:627)
[ 13.500135][ C1] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 13.500144][ C1] entry_INT80_32 (arch/x86/entry/entry_32.S:981)
[ 13.500148][ C1] EIP: 0xb7f3e07f
[ 13.500152][ C1] Code: 24 04 53 56 57 55 8b 01 85 c0 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5d> 5f 5e 5b c3 5d 5f 5e 5b e9 30 09 00 00 65 8b 15 04 00 00 00 8b
All code
========
0: 24 04 and $0x4,%al
2: 53 push %rbx
3: 56 push %rsi
4: 57 push %rdi
5: 55 push %rbp
6: 8b 01 mov (%rcx),%eax
8: 85 c0 test %eax,%eax
a: 75 23 jne 0x2f
c: 8b 44 24 18 mov 0x18(%rsp),%eax
10: 8b 5c 24 1c mov 0x1c(%rsp),%ebx
14: 8b 4c 24 20 mov 0x20(%rsp),%ecx
18: 8b 54 24 24 mov 0x24(%rsp),%edx
1c: 8b 74 24 28 mov 0x28(%rsp),%esi
20: 8b 7c 24 2c mov 0x2c(%rsp),%edi
24: 8b 6c 24 30 mov 0x30(%rsp),%ebp
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5f pop %rdi
2c: 5e pop %rsi
2d: 5b pop %rbx
2e: c3 retq
2f: 5d pop %rbp
30: 5f pop %rdi
31: 5e pop %rsi
32: 5b pop %rbx
33: e9 30 09 00 00 jmpq 0x968
38: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x43
3f: 8b .byte 0x8b

Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5f pop %rdi
2: 5e pop %rsi
3: 5b pop %rbx
4: c3 retq
5: 5d pop %rbp
6: 5f pop %rdi
7: 5e pop %rsi
8: 5b pop %rbx
9: e9 30 09 00 00 jmpq 0x93e
e: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x19
15: 8b .byte 0x8b
[ 13.500155][ C1] EAX: ffffffda EBX: 00000001 ECX: bfde6b0c EDX: 00001000
[ 13.500158][ C1] ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: bfde69bc
[ 13.500160][ C1] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 13.500197][ C1] ------------[ cut here ]------------
[ 13.500198][ C1] WARNING: CPU: 1 PID: 335 at lib/iov_iter.c:155 copyout (lib/iov_iter.c:155)
[ 13.500206][ C1] Modules linked in:
[ 13.500209][ C1] CPU: 1 PID: 335 Comm: dropbearkey Tainted: G W 5.16.0-rc8-02291-g604258c8f5a9 #1
[ 13.500212][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 13.500213][ C1] EIP: copyout (lib/iov_iter.c:155)
[ 13.500216][ C1] Code: 8b 89 a8 0f 00 00 85 c9 74 20 89 c1 01 d9 72 11 81 f9 00 00 00 c0 77 09 89 c1 89 d8 e8 41 d2 05 00 5b 5d c3 8d b6 00 00 00 00 <0f> 0b eb dc eb 32 8d b4 26 00 00 00 00 8d b4 26 00 00 00 00 8d b4
All code
========
0: 8b 89 a8 0f 00 00 mov 0xfa8(%rcx),%ecx
6: 85 c9 test %ecx,%ecx
8: 74 20 je 0x2a
a: 89 c1 mov %eax,%ecx
c: 01 d9 add %ebx,%ecx
e: 72 11 jb 0x21
10: 81 f9 00 00 00 c0 cmp $0xc0000000,%ecx
16: 77 09 ja 0x21
18: 89 c1 mov %eax,%ecx
1a: 89 d8 mov %ebx,%eax
1c: e8 41 d2 05 00 callq 0x5d262
21: 5b pop %rbx
22: 5d pop %rbp
23: c3 retq
24: 8d b6 00 00 00 00 lea 0x0(%rsi),%esi
2a:* 0f 0b ud2 <-- trapping instruction
2c: eb dc jmp 0xa
2e: eb 32 jmp 0x62
30: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
37: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
3e: 8d .byte 0x8d
3f: b4 .byte 0xb4

Code starting with the faulting instruction
===========================================
0: 0f 0b ud2
2: eb dc jmp 0xffffffffffffffe0
4: eb 32 jmp 0x38
6: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
d: 8d b4 26 00 00 00 00 lea 0x0(%rsi,%riz,1),%esi
14: 8d .byte 0x8d
15: b4 .byte 0xb4
[ 13.500219][ C1] EAX: 00000384 EBX: bfde6b0c ECX: 00000000 EDX: f544b000
[ 13.500221][ C1] ESI: 00000000 EDI: 00000384 EBP: f5623dfc ESP: f5623df8
[ 13.500223][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010246
[ 13.500230][ C1] CR0: 80050033 CR2: 0805fff1 CR3: 3561a000 CR4: 00350ef0
[ 13.500233][ C1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 13.500235][ C1] DR6: fffe0ff0 DR7: 00000400
[ 13.500237][ C1] Call Trace:
[ 13.500239][ C1] _copy_to_iter (lib/iov_iter.c:667 (discriminator 8))
[ 13.500242][ C1] ? __check_heap_object (mm/slub.c:4508)
[ 13.500246][ C1] ? __check_object_size (mm/usercopy.c:240 mm/usercopy.c:286 mm/usercopy.c:256)
[ 13.500249][ C1] seq_read_iter (include/linux/uio.h:155 fs/seq_file.c:281)
[ 13.500253][ C1] seq_read (fs/seq_file.c:163)
[ 13.500257][ C1] ? seq_read_iter (fs/seq_file.c:152)
[ 13.500261][ C1] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 13.500264][ C1] ? proc_reg_unlocked_ioctl (fs/proc/inode.c:316)
[ 13.500268][ C1] vfs_read (fs/read_write.c:479)
[ 13.500272][ C1] ? kern_select (fs/select.c:720)
[ 13.500275][ C1] ksys_read (fs/read_write.c:620)
[ 13.500279][ C1] __ia32_sys_read (fs/read_write.c:627)
[ 13.500283][ C1] do_int80_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:132)
[ 13.500287][ C1] entry_INT80_32 (arch/x86/entry/entry_32.S:981)
[ 13.500290][ C1] EIP: 0xb7f3e07f
[ 13.500292][ C1] Code: 24 04 53 56 57 55 8b 01 85 c0 75 23 8b 44 24 18 8b 5c 24 1c 8b 4c 24 20 8b 54 24 24 8b 74 24 28 8b 7c 24 2c 8b 6c 24 30 cd 80 <5d> 5f 5e 5b c3 5d 5f 5e 5b e9 30 09 00 00 65 8b 15 04 00 00 00 8b
All code
========
0: 24 04 and $0x4,%al
2: 53 push %rbx
3: 56 push %rsi
4: 57 push %rdi
5: 55 push %rbp
6: 8b 01 mov (%rcx),%eax
8: 85 c0 test %eax,%eax
a: 75 23 jne 0x2f
c: 8b 44 24 18 mov 0x18(%rsp),%eax
10: 8b 5c 24 1c mov 0x1c(%rsp),%ebx
14: 8b 4c 24 20 mov 0x20(%rsp),%ecx
18: 8b 54 24 24 mov 0x24(%rsp),%edx
1c: 8b 74 24 28 mov 0x28(%rsp),%esi
20: 8b 7c 24 2c mov 0x2c(%rsp),%edi
24: 8b 6c 24 30 mov 0x30(%rsp),%ebp
28: cd 80 int $0x80
2a:* 5d pop %rbp <-- trapping instruction
2b: 5f pop %rdi
2c: 5e pop %rsi
2d: 5b pop %rbx
2e: c3 retq
2f: 5d pop %rbp
30: 5f pop %rdi
31: 5e pop %rsi
32: 5b pop %rbx
33: e9 30 09 00 00 jmpq 0x968
38: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x43
3f: 8b .byte 0x8b

Code starting with the faulting instruction
===========================================
0: 5d pop %rbp
1: 5f pop %rdi
2: 5e pop %rsi
3: 5b pop %rbx
4: c3 retq
5: 5d pop %rbp
6: 5f pop %rdi
7: 5e pop %rsi
8: 5b pop %rbx
9: e9 30 09 00 00 jmpq 0x93e
e: 65 8b 15 04 00 00 00 mov %gs:0x4(%rip),%edx # 0x19
15: 8b .byte 0x8b
[ 13.500295][ C1] EAX: ffffffda EBX: 00000001 ECX: bfde6b0c EDX: 00001000
[ 13.500297][ C1] ESI: 00000000 EDI: 00000000 EBP: 00000000 ESP: bfde69bc
[ 13.500299][ C1] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000246
[ 13.500303][ C1] ---[ end trace b04bb3a5693a52f3 ]---
[ 13.500330][ C1] ------------[ cut here ]------------


To reproduce:

# build kernel
cd linux
cp config-5.16.0-rc8-02291-g604258c8f5a9 .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove the ~/.lkp and /lkp dirs to run from a clean state.



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (13.22 kB)
config-5.16.0-rc8-02291-g604258c8f5a9 (143.20 kB)
job-script (4.65 kB)
dmesg.xz (13.21 kB)