From: Paul Moore
Date: Tue, 23 May 2023 17:02:31 -0400
Subject: Re: [PATCH v2 4/5] audit: check if audit_queue is full after prepare_to_wait_exclusive()
To: Eiichi Tsukata
Cc: "eparis@redhat.com", "linux-kernel@vger.kernel.org", "audit@vger.kernel.org"

On Mon, May 22, 2023 at 12:28 AM Eiichi Tsukata wrote:
> > On May 20, 2023, at 5:54, Paul Moore wrote:
> >
> > On May 11, 2023 Eiichi Tsukata wrote:
> >>
> >> Commit 7ffb8e317bae ("audit: we don't need to
> >> __set_current_state(TASK_RUNNING)") accidentally moved queue full check
> >> before add_wait_queue_exclusive() which introduced the following race:
> >>
> >>     CPU1                           CPU2
> >>   ========                       ========
> >>   (in audit_log_start())         (in kauditd_thread())
> >>
> >>   @audit_queue is full
> >>                                  wake_up(&audit_backlog_wait)
> >>                                  wait_event_freezable()
> >>   add_wait_queue_exclusive()
> >>   ...
> >>   schedule_timeout()
> >>
> >> Once this happens, both audit_log_start() and kauditd_thread() can cause
> >> deadlock for up to backlog_wait_time waiting for each other. To prevent
> >> the race, this patch adds @audit_queue full check after
> >> prepare_to_wait_exclusive() and call schedule_timeout() only if the
> >> queue is full.
> >>
> >> Fixes: 7ffb8e317bae ("audit: we don't need to __set_current_state(TASK_RUNNING)")
> >> Signed-off-by: Eiichi Tsukata
> >> ---
> >>  kernel/audit.c | 12 ++++++++++--
> >>  1 file changed, 10 insertions(+), 2 deletions(-)
> >
> > I discussed my concerns with this patch in the last patchset, and I
> > believe they still apply here.
> >
>
> Please refer to the implementation of ___wait_event().
> It checks the condition *after* prepare_to_wait_event().
>
> Another similar example in the kernel code is unix_wait_for_peer().
> It checks unix_recvq_full() after prepare_to_wait_exclusive().
>
> I’m assuming this is a logical bug needs to be fixed.

I disagree, see my previous comments. The fixes you've presented do
not eliminate the possibility of rescheduling which could result in
some of the issues you've described.
The proper fix for systems which are sensitive to long scheduling
delays such as this is to adjust your audit runtime configuration so
that audit does not block userspace. Suggestions include removing the
backlog limit and/or shortening the wait time.

-- 
paul-moore.com
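
The interleaving from the quoted commit message, as an added example that is not part of the original thread or of the kernel source: a user-space toy model that injects the consumer's drain and wake-up before each producer step and reports the longest resulting sleep for both orderings. All names, the limit of 64 and the timeout of 60000 are constructed; the model covers only that interleaving, not scheduler preemption.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy user-space model; every name and number here is constructed. */
struct model {
    int queue_len;   /* stands in for the length of @audit_queue */
    bool on_waitq;   /* producer has joined the backlog wait queue */
    bool woken;      /* a wake_up() found the producer queued */
};
enum order { CHECK_THEN_QUEUE, QUEUE_THEN_CHECK };

/* Producer steps 0..2 with the consumer injected before step `at`; returns
 * the producer's sleep time. A limit of 0 means "no limit" in this model. */
static long run(enum order o, int at, int limit, long timeout)
{
    struct model m = { .queue_len = limit + 1 };
    int check_step = (o == CHECK_THEN_QUEUE) ? 0 : 1;
    bool full = false;
    for (int step = 0; step < 3; step++) {
        if (step == at) {            /* consumer: drain, then wake_up() */
            m.queue_len = 0;
            m.woken = m.on_waitq;    /* only reaches a queued waiter */
        }
        if (step == check_step)
            full = limit && m.queue_len > limit;  /* "queue full" test */
        else if (step == 1 - check_step)
            m.on_waitq = true;       /* join the wait queue */
        else if (full && !m.woken)
            return timeout;          /* sleep with no wake-up pending */
    }
    return 0;
}

/* Longest sleep over every injection point. */
static long worst_case(enum order o, int limit, long timeout)
{
    long worst = 0;
    for (int at = 0; at < 3; at++) {
        long slept = run(o, at, limit, timeout);
        worst = slept > worst ? slept : worst;
    }
    return worst;
}

int main(void)
{
    printf("check-then-queue %ld, queue-then-check %ld\n",
           worst_case(CHECK_THEN_QUEUE, 64, 60000), worst_case(QUEUE_THEN_CHECK, 64, 60000));
    return 0;
}
```

Passing a limit of 0 makes both orderings return 0 in this model, since the producer never considers the queue full.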