Received: by 2002:ac0:a581:0:0:0:0:0 with SMTP id m1-v6csp1545973imm; Wed, 20 Jun 2018 21:30:35 -0700 (PDT) X-Google-Smtp-Source: ADUXVKKcWwrMCn2Jx4tq/0Ee0SeWy0YjCRz+JM+PDjuSx+OlrA3F2ahirEyq7hGpDn88LoD4Wg1g X-Received: by 2002:a17:902:46e:: with SMTP id 101-v6mr27123107ple.39.1529555435259; Wed, 20 Jun 2018 21:30:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1529555435; cv=none; d=google.com; s=arc-20160816; b=SkGIOPHBgIxCDgIk0/ZNw9UnFW5UdzYxSj0C+6HyGA/4BWP5upy2WC3BgcHm9SBHd2 RIhswuJLWH0hAw/SBuNXTjFDnbMBMmlHH3A99m5EFprkwDqJvIAWLwcE/m84rPf69WAG UU9S3T80d3YfDGItzvFb/YE7Od7GXB6rt1gNtCBAmfFcSV1QIPHYsMEvrBxEmYDcq6ob Ql34eZaO0ar597WcshfhZ3pUTq3KevbHyMHte+ilXN33neOyO4WZl2Ts+FaakcvGf08r /H8u0r/DQlbzZoEpu01E87659Y59+W12TVWsyVCUaj/DRFrFCm2ViF4sSleskrQ0+7Ar inXw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:arc-authentication-results; bh=yVSnTnQiAF8OJWJf58lNpVHnsmyJYtCotiqMUOeJ0jo=; b=h4iEv+OSQ2s5097Q/bnnxNGu0n5c8rVUPVnVuz73gQoCqGQ1wpqwWEXwYoKXpC2Y5h yW6gI4NDknjOeg6AyMH5AMJFqsluzK1yeTK5tMLV/xrxnp19XbxGHXDUwTNgtDMpq6KH W3rSB8ashqBYg4PL9LZNCzEaA5VQWBQza+lRZy397HTxFZgJA/9pR3dqDVZIp9bcUgoC Aq8VhpkgJ2PoXkc8rIwvprLWyNDTLLZbx8cYCEcrW6fQ5TbG28dzqUihaH+40lLLuf74 sGRkShJW5hDZs/Og9IpzR7M3akVSQAtQhEFXVC0hiePGrrF5QSfcHqZ19VXG0MkOgEy8 CbLw== ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@infradead.org header.s=bombadil.20170209 header.b=EcqxQu7C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id x23-v6si3807835pfe.318.2018.06.20.21.30.21; Wed, 20 Jun 2018 21:30:35 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@infradead.org header.s=bombadil.20170209 header.b=EcqxQu7C; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S932528AbeFUE3a (ORCPT + 99 others); Thu, 21 Jun 2018 00:29:30 -0400 Received: from bombadil.infradead.org ([198.137.202.133]:35180 "EHLO bombadil.infradead.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S932173AbeFUE3R (ORCPT ); Thu, 21 Jun 2018 00:29:17 -0400 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=infradead.org; s=bombadil.20170209; h=In-Reply-To:Content-Type:MIME-Version :References:Message-ID:Subject:Cc:To:From:Date:Sender:Reply-To: Content-Transfer-Encoding:Content-ID:Content-Description:Resent-Date: Resent-From:Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:List-Id: List-Help:List-Unsubscribe:List-Subscribe:List-Post:List-Owner:List-Archive; bh=5PRqsDtSO9Z2tH/mokxu4giP6gBHx926LqV+oFeCIDk=; b=EcqxQu7Ch1UAM/QLEeYah/SQ8 0u3eiaPFK5+OG4OfOuINUc7lrOVau1Bz0oL8mmLUZQ1lByPgMPj4BMDe4QMaQXste/xusN1S8YLLN f4kwBmN5FFpxxX88KoQlQvBEVkvHrv38vnymV941diBWYrGMUi/VNUrD35PZvwpGEOI020x8Aaqcu YZ93VlD7lqu6Jh3J5BAmqYth0MoPSHZ1Ok5ByTw/fsm7n2Dja7bXkCq4O4FZ/2wN7nCAFwCkppOxH GMjAEz5RniJa5jbA30cmGRBzqSyjBHqgNd20vLBlD4O4a81XM7BEeAMwxrbtaRSKH6dSsdakZO3i/ aq8oCrAZA==; Received: from willy by bombadil.infradead.org with local (Exim 4.90_1 #2 (Red Hat Linux)) id 1fVrDc-0007h9-Co; Thu, 21 Jun 2018 04:29:12 +0000 Date: Wed, 20 Jun 2018 21:29:12 -0700 From: Matthew Wilcox To: Jia-Ju Bai Cc: paul@paul-moore.com, eparis@redhat.com, jack@suse.cz, amir73il@gmail.com, linux-audit@redhat.com, linux-kernel@vger.kernel.org, linux-fsdevel@vger.kernel.org Subject: Re: [PATCH] kernel: audit_tree: Fix a sleep-in-atomic-context bug Message-ID: <20180621042912.GA4967@bombadil.infradead.org> References: <20180621033245.10754-1-baijiaju1990@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20180621033245.10754-1-baijiaju1990@gmail.com> User-Agent: Mutt/1.9.2 (2017-12-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jun 21, 2018 at 11:32:45AM +0800, Jia-Ju Bai wrote: > The kernel may sleep with holding a spinlock. > The function call paths (from bottom to top) in Linux-4.16.7 are: > > [FUNC] kmem_cache_alloc(GFP_KERNEL) > fs/notify/mark.c, 439: > kmem_cache_alloc in fsnotify_attach_connector_to_object > fs/notify/mark.c, 520: > fsnotify_attach_connector_to_object in fsnotify_add_mark_list > fs/notify/mark.c, 590: > fsnotify_add_mark_list in fsnotify_add_mark_locked > kernel/audit_tree.c, 437: > fsnotify_add_mark_locked in tag_chunk > kernel/audit_tree.c, 423: > spin_lock in tag_chunk There are several locks here; your report would be improved by saying which one is the problem. I'm assuming it's old_entry->lock. spin_lock(&old_entry->lock); ... if (fsnotify_add_inode_mark_locked(chunk_entry, old_entry->connector->inode, 1)) { ... return fsnotify_add_mark_locked(mark, inode, NULL, allow_dups); ... ret = fsnotify_add_mark_list(mark, inode, mnt, allow_dups); ... if (inode) connp = &inode->i_fsnotify_marks; conn = fsnotify_grab_connector(connp); if (!conn) { err = fsnotify_attach_connector_to_object(connp, inode, mnt); It seems to me that this is safe because old_entry is looked up from fsnotify_find_mark, and it can't be removed while its lock is held. Therefore there's always a 'conn' returned from fsnotify_grab_connector(), and so this path will never be taken. But this code path is confusing to me, and I could be wrong. Jan, please confirm my analysis is correct? > [FUNC] kmem_cache_alloc(GFP_KERNEL) > fs/notify/mark.c, 439: > kmem_cache_alloc in fsnotify_attach_connector_to_object > fs/notify/mark.c, 520: > fsnotify_attach_connector_to_object in fsnotify_add_mark_list > fs/notify/mark.c, 590: > fsnotify_add_mark_list in fsnotify_add_mark_locked > kernel/audit_tree.c, 291: > fsnotify_add_mark_locked in untag_chunk > kernel/audit_tree.c, 258: > spin_lock in untag_chunk I'm just going to assume this one is the same.