Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp5274027pxv; Tue, 6 Jul 2021 23:08:50 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyBJKdyuefylvPtDDDj5KuWw5TP3QZMFSZqRDuAFgRCW07E9T9vW4U3PF9LJzIAX608WTKi X-Received: by 2002:a17:906:3ed4:: with SMTP id d20mr22946365ejj.515.1625638130347; Tue, 06 Jul 2021 23:08:50 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1625638130; cv=none; d=google.com; s=arc-20160816; b=LlMRnQS6UkrQdY0Bm/Fz9bBJnPyDkQt9AGOXkzWgVTzvyTCLYKNsJUSoriYYxS48MT YCY0MGIvZSU4IOIV1DcalbIcqLTGH+CizAZfEZTmkNiFJYxVzZLEQX/p2z79L8pT04yn nBBaUz1sYkhYI9GvAtwX73WOOxPy3m639s18gblcCeMwJ/v/XRzl0q1DYkcfzQjTI1FY Vri+Ajr2A74MmctTr2b2iovqCgaKxrXEc/wvav68QCSVHkxcfgBpWZuBeQeyJR3uCc4r 7Gg8g9qKCbBurfCiNBAq36xpdKPTfBvtyOjW0ab3k/GAt1Mi4OkT1ft1iuGVAduR1HL6 kQKw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-disposition:mime-version :references:message-id:subject:cc:to:from:date:dkim-signature; bh=7Y5RcB5qfbnfk5aXrt/5mKwoqtUegCWDdiyKmuodk6M=; b=C9aLNovDcxLuVel+rySuKHPYwe16HbJ6H6yKeMx+U+D7/qFoYJQqKpnYEgSE41bSdZ nIVoCE+pDcJU3zQknxWlSNTaTHzAAJRtvAyPKAZX2rkWsj7XAL9NXr2omlpIZUQrdd6/ T1E26RFk51GtfVX379Zh18mMw8kJ7TU7RqKMn0T+fGcVVd27KYQGiFbRbRlXW7O4A1kX H6yN3Y2mD90cSYptWwGUSHVTlZIk2pgN6L2ovabMFIpVMgBv8/86Gn4dTHsEOPAt+vt3 ZZxLNtYbfr1r9q+h3MAWapombmfHASlvpc97WteGrDtknxWWoNHFa3pKB0ljXuiotCcH jk2g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rxHRds6k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id kj20si2929683ejc.213.2021.07.06.23.08.26; Tue, 06 Jul 2021 23:08:50 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=rxHRds6k; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230291AbhGGGI1 (ORCPT + 99 others); Wed, 7 Jul 2021 02:08:27 -0400 Received: from mail.kernel.org ([198.145.29.99]:38334 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S230235AbhGGGI0 (ORCPT ); Wed, 7 Jul 2021 02:08:26 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 823E661C84; Wed, 7 Jul 2021 06:05:45 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1625637946; bh=YuttRsFslnO6zMeDLZoiEywP0tDcwd9vflEFA2RQoTQ=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=rxHRds6kXesSsBVKJ9st+0mm8fSfwZ/EtjqyU6dX4trTAUZAqWEIlMtj5qEig6PMm 2QQhAuno+AkuY9JrLCcNwKP5bRKNxg/4+/MqUu02s3zSDMYjRX8NghaULMSKmq4UuG 7o8MNlQ+1pK+tcs93pUBS//rCg3uCKLxmu1mq3hw= Date: Wed, 7 Jul 2021 08:05:41 +0200 From: Greg KH To: Desmond Cheong Zhi Xi Cc: jlayton@kernel.org, bfields@fieldses.org, viro@zeniv.linux.org.uk, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, skhan@linuxfoundation.org, linux-kernel-mentees@lists.linuxfoundation.org, syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com Subject: Re: [PATCH v2 1/2] fcntl: fix potential deadlocks for &fown_struct.lock Message-ID: References: <20210707023548.15872-1-desmondcheongzx@gmail.com> <20210707023548.15872-2-desmondcheongzx@gmail.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20210707023548.15872-2-desmondcheongzx@gmail.com> Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Jul 07, 2021 at 10:35:47AM +0800, Desmond Cheong Zhi Xi wrote: > Syzbot reports a potential deadlock in do_fcntl: > > ======================================================== > WARNING: possible irq lock inversion dependency detected > 5.12.0-syzkaller #0 Not tainted > -------------------------------------------------------- > syz-executor132/8391 just changed the state of lock: > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: f_getown_ex fs/fcntl.c:211 [inline] > ffff888015967bf8 (&f->f_owner.lock){.+..}-{2:2}, at: do_fcntl+0x8b4/0x1200 fs/fcntl.c:395 > but this lock was taken by another, HARDIRQ-safe lock in the past: > (&dev->event_lock){-...}-{2:2} > > and interrupts could create inverse lock ordering between them. > > other info that might help us debug this: > Chain exists of: > &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock > > Possible interrupt unsafe locking scenario: > > CPU0 CPU1 > ---- ---- > lock(&f->f_owner.lock); > local_irq_disable(); > lock(&dev->event_lock); > lock(&new->fa_lock); > > lock(&dev->event_lock); > > *** DEADLOCK *** > > This happens because there is a lock hierarchy of > &dev->event_lock --> &new->fa_lock --> &f->f_owner.lock > from the following call chain: > > input_inject_event(): > spin_lock_irqsave(&dev->event_lock,...); > input_handle_event(): > input_pass_values(): > input_to_handler(): > evdev_events(): > evdev_pass_values(): > spin_lock(&client->buffer_lock); > __pass_event(): > kill_fasync(): > kill_fasync_rcu(): > read_lock(&fa->fa_lock); > send_sigio(): > read_lock_irqsave(&fown->lock,...); > > However, since &dev->event_lock is HARDIRQ-safe, interrupts have to be > disabled while grabbing &f->f_owner.lock, otherwise we invert the lock > hierarchy. > > Hence, we replace calls to read_lock/read_unlock on &f->f_owner.lock, > with read_lock_irq/read_unlock_irq. > > Here read_lock_irq/read_unlock_irq should be safe to use because the > functions f_getown_ex and f_getowner_uids are only called from > do_fcntl, and f_getown is only called from do_fnctl and > sock_ioctl. do_fnctl itself is only called from syscalls. > > For sock_ioctl, the chain is > compat_sock_ioctl(): > compat_sock_ioctl_trans(): > sock_ioctl() > > And interrupts are not disabled on either path. We assert this > assumption with WARN_ON_ONCE(irqs_disabled()). This check is also > inserted into another use of write_lock_irq in f_modown. > > Reported-and-tested-by: syzbot+e6d5398a02c516ce5e70@syzkaller.appspotmail.com > Signed-off-by: Desmond Cheong Zhi Xi > --- > fs/fcntl.c | 17 +++++++++++------ > 1 file changed, 11 insertions(+), 6 deletions(-) > > diff --git a/fs/fcntl.c b/fs/fcntl.c > index dfc72f15be7f..262235e02c4b 100644 > --- a/fs/fcntl.c > +++ b/fs/fcntl.c > @@ -88,6 +88,7 @@ static int setfl(int fd, struct file * filp, unsigned long arg) > static void f_modown(struct file *filp, struct pid *pid, enum pid_type type, > int force) > { > + WARN_ON_ONCE(irqs_disabled()); If this triggers, you just rebooted the box :( Please never do this, either properly handle the problem and return an error, or do not check for this. It is not any type of "fix" at all, and at most, a debugging aid while you work on the root problem. thanks, greg k-h