Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp102584pxv; Wed, 30 Jun 2021 00:44:47 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyjnMTQMmFwCIZjWIzcqtXf7+M/Frl+QCEchfsvIrfop07SF7ovB+O8cPNh03XhfgNtcvVE X-Received: by 2002:a92:ce12:: with SMTP id b18mr19487305ilo.96.1625039087462; Wed, 30 Jun 2021 00:44:47 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625039087; cv=none; d=google.com; s=arc-20160816; b=WWsAFzTxUzCFxAC+ANOAbc7qbPnouMa7tOHC8nfEaWw2AVCBH2b/oYzYPrjgmgRiCW IzPD2erdClZ0c14Un/n0d3Q1Ec04kEVkAMxLxS4lTUKjMpPmJq27N85EU5ntkOVWEc6n T/RRtLlPFrSXjJlT/y6xtqAJGnCPErPiIWTtzsgZpyNHPlemfxy8Wxr6RZ1H2iBpQpw3 SFwIIOgVHB4KplVQZNnGMauTMO+zS93RN2Y4LNdhUD0geHxDbWw3S4lJTUMkvXa4llNl ky+DSbGpRVBFNlkTYvwjdDuGcaBLSuf2hseg5SjkkwZTM/GhePPvvvZC5112cDS2QhGe 33wg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:cc:to:subject:message-id:date:from:in-reply-to :references:mime-version:dkim-signature; bh=jlFTYovEyHJkP1Wm1Y/t3TYm3CieoAKNd1+hOh1Km10=; b=dB/FA4LdjVybg1H2+B9stSAognaM/QFw1yDzD9KeSvfwcGE/4mVDvgjX4tFfjmEt1T 2nTZz6XbMEeD+/2b3F+V+r7vdk8TROyKvyFNX2PMCRoO66IugyC2hkBy+GBgICUioiV5 hlnNVPEUiKeHRSXujLLPbcxp4jHamV/cYz5l1M8l0FN3mU5eHzrbWGYLN3XrMv4AKiLc YJx8eGfgciLt4u2wC/8/W4A/+7pUur9WQO8zNWCbyoz6cPfZIcqF0P8KFEkT59DELCQt KgJMQRuWtG1sJ36L59SDKydVFMWkcGg3t8C701UqVpHJtWL/9f7Xt1J1K7quDB2I1HlA pdyQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=E5KRwN9S; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id g7si2738850ilf.79.2021.06.30.00.44.35; Wed, 30 Jun 2021 00:44:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=E5KRwN9S; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232893AbhF3Hoy (ORCPT + 99 others); Wed, 30 Jun 2021 03:44:54 -0400 Received: from mail.kernel.org ([198.145.29.99]:57232 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232573AbhF3Hoy (ORCPT ); Wed, 30 Jun 2021 03:44:54 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id AEF7261D12 for ; Wed, 30 Jun 2021 07:42:25 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1625038945; bh=cjfMqlvm/KvJKzCzyRAA/75kkZfk7xbN6T0wJUzy51s=; h=References:In-Reply-To:From:Date:Subject:To:Cc:From; b=E5KRwN9STfJH5A6sSNQaFzPPlLC+HLEg0lJjVpB28QkbVTAXLoLB9lQ+Rh4aZ6OdX UZaVIFJ68amAxadPjraVw/StwsgUtqMZUsbGbt8+NB5EArQXbcAriAn4FE5BvXSbK+ L30wGnLk0e23RNZpPSWq8T88Vh9Ywb+5Am67eHUCfy8GoiiCv48F+6YgsGZOqP1kF/ XZeWmaQ8cTf8jfmVLsVIFH+Ucd7x9eKGaEr+jiQAtv6pXgWqmZGrbCaEnDzp8uGcuC nWTO3RKQVfkRUPqIfoNV0kzdex4e1svZg2lOZpSNWmo4fK21amPmpNMwA6xOlho/c7 vOrL+reeIvoqA== Received: by mail-oo1-f53.google.com with SMTP id v3-20020a4ac9030000b029024c9d0bff49so419238ooq.0 for ; Wed, 30 Jun 2021 00:42:25 -0700 (PDT) X-Gm-Message-State: AOAM530A+N5jkJZacCJGJmH7jgITe8Abcae2s0zEH6CwtV99cWEPshaq 8TA74kgVHLn2Wqa9XjAikpqihArrWjG5T/Y7Gz8= X-Received: by 2002:a4a:2f87:: with SMTP id p129mr7413740oop.41.1625038944910; Wed, 30 Jun 2021 00:42:24 -0700 (PDT) MIME-Version: 1.0 References: <000000000000f3e94a05c5d8686f@google.com> In-Reply-To: From: Ard Biesheuvel Date: Wed, 30 Jun 2021 09:42:14 +0200 X-Gmail-Original-Message-ID: Message-ID: Subject: Re: [syzbot] BUG: sleeping function called from invalid context in __fdget_pos To: Dave Hansen Cc: syzbot , Borislav Petkov , "H. Peter Anvin" , jpa@git.mail.kapsi.fi, kan.liang@linux.intel.com, Linux Kernel Mailing List , Andy Lutomirski , Ingo Molnar , syzkaller-bugs , Thomas Gleixner , X86 ML , Herbert Xu Content-Type: text/plain; charset="UTF-8" Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Tue, 29 Jun 2021 at 16:46, Dave Hansen wrote: > > ... adding Ard who was recently modifying some of the > kernel_fpu_begin/end() sites in the AESNI crypto code. > > On 6/28/21 12:22 PM, syzbot wrote: > > console output: https://syzkaller.appspot.com/x/log.txt?x=170e6c94300000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=42ecca11b759d96c > > dashboard link: https://syzkaller.appspot.com/bug?extid=5d1bad8042a8f0e8117a > > > > Unfortunately, I don't have any reproducer for this issue yet. > ... > > BUG: sleeping function called from invalid context at kernel/locking/mutex.c:938 > > in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 29652, name: syz-executor.0 > > no locks held by syz-executor.0/29652. > > Preemption disabled at: > > [] kernel_fpu_begin_mask+0x64/0x260 arch/x86/kernel/fpu/core.c:126 > > CPU: 0 PID: 29652 Comm: syz-executor.0 Not tainted 5.13.0-rc7-syzkaller #0 > > There's a better backtrace in the log before the rather useless > backtrace from lockdep: > > > [ 1341.360547][T29635] FAULT_INJECTION: forcing a failure. > > [ 1341.360547][T29635] name failslab, interval 1, probability 0, space 0, times 0 > > [ 1341.374439][T29635] CPU: 1 PID: 29635 Comm: syz-executor.0 Not tainted 5.13.0-rc7-syzkaller #0 > > [ 1341.374712][T29630] FAT-fs (loop2): bogus number of reserved sectors > > [ 1341.383571][T29635] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 > > [ 1341.383591][T29635] Call Trace: > > [ 1341.383603][T29635] dump_stack+0x141/0x1d7 > > [ 1341.383630][T29635] should_fail.cold+0x5/0xa > > [ 1341.383651][T29635] ? skcipher_walk_next+0x6e2/0x1680 > > [ 1341.383673][T29635] should_failslab+0x5/0x10 > > [ 1341.383691][T29635] __kmalloc+0x72/0x330 > > [ 1341.383720][T29635] skcipher_walk_next+0x6e2/0x1680 > > [ 1341.383744][T29635] ? kfree+0xe5/0x7f0 > > [ 1341.383776][T29635] skcipher_walk_first+0xf8/0x3c0 > > [ 1341.383805][T29635] skcipher_walk_virt+0x523/0x760 > > [ 1341.445438][T29635] xts_crypt+0x137/0x7f0 > > [ 1341.449689][T29635] ? aesni_encrypt+0x80/0x80 > > There's one suspect-looking site in xts_crypt(): > > > kernel_fpu_begin(); > > > > /* calculate first value of T */ > > aesni_enc(aes_ctx(ctx->raw_tweak_ctx), walk.iv, walk.iv); > > > > while (walk.nbytes > 0) { > > int nbytes = walk.nbytes; > > > > ... > > > > err = skcipher_walk_done(&walk, walk.nbytes - nbytes); > > > > kernel_fpu_end(); > > > > if (walk.nbytes > 0) > > kernel_fpu_begin(); > > } > > I wonder if a slab allocation failure could leave us with walk.nbytes==0. The code is actually the other way around: kernel_fpu_end() comes before the call to skcipher_walk_done(). So IIUC, this code forces an allocation failure, and checks whether the code deals with this gracefully, right? The skcipher walk API guarantees that walk.nbytes == 0 if an error is returned, so the pairing of FPU begin/end looks correct to me. And skcipher_walk_next() should not invoke anything that might sleep from this particular context. Herbert, any ideas?