From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, syzbot+69ff9dff50dcfe14ddd4@syzkaller.appspotmail.com, Johannes Berg, "David S. Miller", Sasha Levin
Subject: [PATCH 4.19 09/67] netlink: disable IRQs for netlink_lock_table()
Date: Mon, 14 Jun 2021 12:26:52 +0200
Message-Id: <20210614102644.101265288@linuxfoundation.org>
X-Mailer: git-send-email 2.32.0
In-Reply-To: <20210614102643.797691914@linuxfoundation.org>
References: <20210614102643.797691914@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org
From: Johannes Berg

[ Upstream commit 1d482e666b8e74c7555dbdfbfb77205eeed3ff2d ]

Syzbot reports that in mac80211 we have a potential deadlock between our "local->stop_queue_reasons_lock" (spinlock) and netlink's nl_table_lock (rwlock). This is because there's at least one situation in which we might try to send a netlink message with this spinlock held while it is also possible to take the spinlock from a hardirq context, resulting in the following deadlock scenario reported by lockdep:

       CPU0                    CPU1
       ----                    ----
  lock(nl_table_lock);
                               local_irq_disable();
                               lock(&local->queue_stop_reason_lock);
                               lock(nl_table_lock);
    lock(&local->queue_stop_reason_lock);

This seems valid, we can take the queue_stop_reason_lock in any kind of context ("CPU0"), and call ieee80211_report_ack_skb() with the spinlock held and IRQs disabled ("CPU1") in some code path (ieee80211_do_stop() via ieee80211_free_txskb()).

Short of disallowing netlink use in scenarios like these (which would be rather complex in mac80211's case due to the deep callchain), it seems the only fix for this is to disable IRQs while nl_table_lock is held to avoid hitting this scenario; this disallows the "CPU0" portion of the reported deadlock.

Note that the writer side (netlink_table_grab()) already disables IRQs for this lock.

Unfortunately though, this seems like a huge hammer, and maybe the whole netlink table locking should be reworked.

Reported-by: syzbot+69ff9dff50dcfe14ddd4@syzkaller.appspotmail.com
Signed-off-by: Johannes Berg
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
---
 net/netlink/af_netlink.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/netlink/af_netlink.c b/net/netlink/af_netlink.c
index 1bb9f219f07d..ac3fe507bc1c 100644
--- a/net/netlink/af_netlink.c
+++ b/net/netlink/af_netlink.c
@@ -461,11 +461,13 @@ void netlink_table_ungrab(void) static inline void netlink_lock_table(void) { + unsigned long flags; + /* read_lock() synchronizes us to netlink_table_grab */ - read_lock(&nl_table_lock); + read_lock_irqsave(&nl_table_lock, flags); atomic_inc(&nl_table_users); - read_unlock(&nl_table_lock); + read_unlock_irqrestore(&nl_table_lock, flags); } static inline void -- 2.30.2
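Review bot: the comment above the lock in netlink_lock_table() still says only "read_lock() synchronizes us to netlink_table_grab", which no longer explains why the irqsave variant is needed, since the critical section is a single atomic_inc() and nothing inside it visibly requires IRQs off; a future cleanup could plausibly revert to plain read_lock()/read_unlock() and silently reintroduce the lockdep scenario from the commit message. Suggest extending the comment to record the reason, e.g. "/* read_lock_irqsave(): callers may hold a spinlock that is also taken from hardirq context (see lockdep report), and netlink_table_grab() already disables IRQs for this lock */", so the change is self-documenting in the source and not only in the changelog.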