2022-01-22 00:30:55

by Ryan Cai

Subject: [PATCH] inet: missing lock releases in udp.c

From: Ryan Cai <[email protected]>

In method udp_get_first, the lock hslot->lock is not released when afinfo->family == AF_UNSPEC || sk->sk_family == afinfo->family is true. This patch fixes the problem by adding the unlock statement.

Signed-off-by: Ryan Cai <[email protected]>
---
net/ipv4/udp.c | 1 +
1 file changed, 1 insertion(+)

diff --git a/net/ipv4/udp.c b/net/ipv4/udp.c
index 23b05e28490b..f7d573ecaafb 100644
--- a/net/ipv4/udp.c
+++ b/net/ipv4/udp.c
@@ -2967,6 +2967,7 @@ static struct sock *udp_get_first(struct seq_file *seq, int start)
continue;
if (afinfo->family == AF_UNSPEC ||
sk->sk_family == afinfo->family)
+ spin_unlock_bh(&hslot->lock);
goto found;
}
spin_unlock_bh(&hslot->lock);
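Review bot: the added `spin_unlock_bh(&hslot->lock);` becomes the only statement of the brace-less `if (afinfo->family == AF_UNSPEC || sk->sk_family == afinfo->family)`, so `goto found;` now runs unconditionally on the first socket in the bucket and the unlock runs only when the family matched, which is the opposite of what the indentation intends. Even with braces the release does not belong before `found`: the unchanged `spin_unlock_bh(&hslot->lock);` after the loop is the no-match path, and the match path deliberately returns with the bucket lock held so the seq_file iterator can keep walking that bucket; as Cong Wang's reply says, that lock is released later by udp_seq_stop() (or by udp_get_next() when it moves to the next bucket), so this hunk turns the hand-off into a double unlock, which matches the unbalanced bh-enable the kernel test robot reports from udp_get_next(). Suggest dropping the patch unless a lockdep report or trace shows the lock actually being leaked.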
--
2.33.0


2022-01-24 07:13:09

by kernel test robot

Subject: [inet] 1b84613d30: WARNING:at_kernel/softirq.c:#__local_bh_enable_ip



Greetings,

FYI, we noticed the following commit (built with gcc-9):

commit: 1b84613d303e1496ea759aa171b7b36dfd8f26c3 ("[PATCH] inet: missing lock releases in udp.c")
url: https://github.com/0day-ci/linux/commits/ycaibb/inet-missing-lock-releases-in-udp-c/20220121-111922
base: https://git.kernel.org/cgit/linux/kernel/git/davem/net-next.git 8aaaf2f3af2ae212428f4db1af34214225f5cec3
patch link: https://lore.kernel.org/netdev/[email protected]

in testcase: trinity
version: trinity-i386-4d2343bd-1_20200320
with the following parameters:

runtime: 300s
group: group-03

test-description: Trinity is a linux system call fuzz tester.
test-url: http://codemonkey.org.uk/projects/trinity/


on test machine: qemu-system-i386 -enable-kvm -cpu SandyBridge -smp 2 -m 4G

caused the changes below (please refer to the attached dmesg/kmsg for the entire log/backtrace):



If you fix the issue, kindly add the following tag
Reported-by: kernel test robot <[email protected]>


[ 205.786467][ C1] WARNING: CPU: 1 PID: 4066 at kernel/softirq.c:362 __local_bh_enable_ip (kernel/softirq.c:362 (discriminator 1))
[ 205.786560][ C1] Modules linked in: af_alg(E) fcrypt(E) pcbc(E) rxrpc(E) crypto_user(E) scsi_transport_iscsi(E) xfrm_user(E) xfrm_algo(E) llc2(E) llc(E) sctp(E) ip6_udp_tunnel(E) udp_tunnel(E) libcrc32c(E) crc32c_generic(E) intel_rapl_msr(E) intel_rapl_common(E) crc32_pclmul(E) crc32c_intel(E) bochs(E) drm_vram_helper(E) drm_ttm_helper(E) ppdev(E) ttm(E) drm_kms_helper(E) aesni_intel(E) crypto_simd(E) cryptd(E) rapl(E) syscopyarea(E) sysfillrect(E) sysimgblt(E) fb_sys_fops(E) cec(E) drm(E) ata_generic(E) ata_piix(E) psmouse(E) evdev(E) serio_raw(E) libata(E) parport_pc(E) floppy(E) i2c_piix4(E) parport(E) qemu_fw_cfg(E) button(E) autofs4(E)
[ 205.786814][ C1] CPU: 1 PID: 4066 Comm: trinity-c7 Tainted: G E 5.16.0-rc8-02291-g1b84613d303e #1
[ 205.786817][ C1] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
[ 205.786823][ C1] EIP: __local_bh_enable_ip (kernel/softirq.c:362 (discriminator 1))
[ 205.786829][ C1] EAX: 7ffffdff EBX: d50ccb40 ECX: d50d9df8 EDX: 00000201
[ 205.786851][ C1] ESI: c113af40 EDI: 0000000a EBP: f0c59e08 ESP: f0c59e08
[ 205.786853][ C1] DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068 EFLAGS: 00010206
[ 205.786858][ C1] CR0: 80050033 CR2: 00000004 CR3: 30c5a000 CR4: 000406f0
[ 205.786864][ C1] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[ 205.786866][ C1] DR6: fffe0ff0 DR7: 00000400
[ 205.786867][ C1] Call Trace:
[ 205.786894][ C1] _raw_spin_unlock_bh (kernel/locking/spinlock.c:211)
[ 205.786936][ C1] udp_get_next (include/linux/spinlock.h:394 net/ipv4/udp.c:3007)
[ 205.786980][ C1] ? udp_seq_start (net/ipv4/udp.c:3033)
[ 205.786983][ C1] udp_seq_next (net/ipv4/udp.c:3041)
[ 205.786987][ C1] seq_read_iter (fs/seq_file.c:263)
[ 205.787023][ C1] ? udp_seq_start (net/ipv4/udp.c:3033)
[ 205.787027][ C1] seq_read (fs/seq_file.c:163)
[ 205.787031][ C1] ? seq_read_iter (fs/seq_file.c:152)
[ 205.787034][ C1] proc_reg_read (fs/proc/inode.c:311 fs/proc/inode.c:323)
[ 205.787070][ C1] ? proc_reg_unlocked_ioctl (fs/proc/inode.c:316)
[ 205.787073][ C1] vfs_read (fs/read_write.c:479)
[ 205.787081][ C1] ? common_mmap+0x40/0x80
[ 205.787111][ C1] ? common_mmap+0x80/0x80
[ 205.787113][ C1] ? __might_sleep (kernel/sched/core.c:9468 (discriminator 14))
[ 205.787133][ C1] ? __cond_resched (kernel/sched/core.c:8149)
[ 205.787136][ C1] ksys_read (fs/read_write.c:620)
[ 205.787140][ C1] __ia32_sys_read (fs/read_write.c:627)
[ 205.787143][ C1] __do_fast_syscall_32 (arch/x86/entry/common.c:112 arch/x86/entry/common.c:178)
[ 205.787156][ C1] do_fast_syscall_32 (arch/x86/entry/common.c:203)
[ 205.787160][ C1] do_SYSENTER_32 (arch/x86/entry/common.c:247)
[ 205.787163][ C1] entry_SYSENTER_32 (arch/x86/entry/entry_32.S:872)
[ 205.787166][ C1] EIP: 0xb7f02589
[ 205.787177][ C1] EAX: ffffffda EBX: 000000dd ECX: b6975000 EDX: 00000591
[ 205.787178][ C1] ESI: 00000000 EDI: 00000089 EBP: 000000ef ESP: bfabca5c
[ 205.787180][ C1] DS: 007b ES: 007b FS: 0000 GS: 0033 SS: 007b EFLAGS: 00000296
[ 205.787193][ C1] ---[ end trace 5d00563d8897f1ee ]---


To reproduce:

# build kernel
cd linux
cp config-5.16.0-rc8-02291-g1b84613d303e .config
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 olddefconfig prepare modules_prepare bzImage modules
make HOSTCC=gcc-9 CC=gcc-9 ARCH=i386 INSTALL_MOD_PATH=<mod-install-dir> modules_install
cd <mod-install-dir>
find lib/ | cpio -o -H newc --quiet | gzip > modules.cgz


git clone https://github.com/intel/lkp-tests.git
cd lkp-tests
bin/lkp qemu -k <bzImage> -m modules.cgz job-script # job-script is attached in this email

# if you come across any failure that blocks the test,
# please remove ~/.lkp and /lkp dir to run from a clean state.



---
0DAY/LKP+ Test Infrastructure Open Source Technology Center
https://lists.01.org/hyperkitty/list/[email protected] Intel Corporation

Thanks,
Oliver Sang


Attachments:
(No filename) (8.33 kB)
config-5.16.0-rc8-02291-g1b84613d303e (143.20 kB)
job-script (4.37 kB)
dmesg.xz (17.16 kB)

2022-01-24 13:59:07

by Cong Wang

Subject: Re: [PATCH] inet: missing lock releases in udp.c

On Fri, Jan 21, 2022 at 11:15:53AM +0800, ycaibb wrote:
> From: Ryan Cai <[email protected]>
>
> In method udp_get_first, the lock hslot->lock is not released when afinfo->family == AF_UNSPEC || sk->sk_family == afinfo->family is true. This patch fixes the problem by adding the unlock statement.
>

It should be unlocked by udp_seq_stop(). Do you see any real lockdep
warning or bug report?

Thanks.
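Added example, not code from the kernel or from either poster: a toy C model of the udp_get_first()/udp_get_next()/udp_seq_stop() lock hand-off that the patch description and this reply disagree about. The types, the bh-depth counter and the 3-socket table are constructed stand-ins; `patched` applies only the extra unlock the hunk intends before `found`, not its effect on the brace-less `if`.

```c
/* Added example, not kernel code: toy model of the udp_get_first()/udp_get_next()/
 * udp_seq_stop() lock hand-off; "patched" adds the hunk's unlock before "goto found". */
#include <stdbool.h>
#define NBUCKETS 4
struct sock  { int family; struct sock *next; };
struct hslot { struct sock *head; int locked; };
struct iter  { struct hslot *tbl; int bucket; int family; };
static int bh_depth, bh_warnings; /* softirq-disable depth; unlocks with nothing held */
static void lock_bh(struct hslot *h) { bh_depth++; h->locked = 1; }
static void unlock_bh(struct hslot *h)
{   /* releasing a lock nobody holds: the imbalance behind the __local_bh_enable_ip() WARNING */
    if (!h->locked || !bh_depth) { bh_warnings++; return; }
    h->locked = 0; bh_depth--;
}
/* Return the first matching sock with its bucket lock still HELD; next/stop release it. */
static struct sock *get_first(struct iter *it, int start, bool patched)
{
    for (it->bucket = start; it->bucket < NBUCKETS; it->bucket++) {
        struct hslot *h = &it->tbl[it->bucket];
        if (!h->head) continue;
        lock_bh(h);
        for (struct sock *sk = h->head; sk; sk = sk->next)
            if (!it->family || sk->family == it->family) {
                if (patched) unlock_bh(h); /* the hunk's extra unlock */
                return sk;                 /* "goto found" */
            }
        unlock_bh(h);                      /* nothing matched in this bucket */
    }
    return 0;
}
static struct sock *get_next(struct iter *it, struct sock *sk, bool patched)
{   /* advance inside the bucket, or release it and move on to the next one */
    do sk = sk->next; while (sk && it->family && sk->family != it->family);
    if (sk) return sk;
    unlock_bh(&it->tbl[it->bucket]);       /* udp.c:3007 in the robot's trace */
    return get_first(it, it->bucket + 1, patched);
}
static void seq_stop(struct iter *it) { if (it->bucket < NBUCKETS) unlock_bh(&it->tbl[it->bucket]); }
/* Walk a constructed 3-socket table as seq_read() would; return how many unlocks found nothing held. */
int walk_warnings(bool patched)
{
    struct sock s0 = {2, 0}, s1 = {10, &s0}, s2 = {2, 0};
    struct hslot tbl[NBUCKETS] = {{&s1, 0}, {0, 0}, {&s2, 0}, {0, 0}};
    struct iter it = {tbl, 0, 0};   /* family 0 plays AF_UNSPEC: match everything */
    bh_depth = bh_warnings = 0;
    for (struct sock *sk = get_first(&it, 0, patched); sk; )
        sk = get_next(&it, sk, patched);
    seq_stop(&it);
    return bh_warnings;
}
```

The original hand-off walks the table with every unlock paired to a held lock; with the hunk's early unlock applied, the release in get_next() for each visited bucket finds nothing held, once per non-empty bucket.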