Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp26374858rwd;
        Mon, 3 Jul 2023 08:52:20 -0700 (PDT)
X-Google-Smtp-Source: APBJJlGRdNz/Ye5t2+Gyf2U5EbaDAeZPV+ACmTnLBQXn8rgA1JDuHS75THirQXeAIuPzBoh7PNIi
X-Received: by 2002:a05:6a00:1a8b:b0:666:d78c:33ab with SMTP id e11-20020a056a001a8b00b00666d78c33abmr13420084pfv.21.1688399540460;
        Mon, 03 Jul 2023 08:52:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1688399540; cv=none;
        d=google.com; s=arc-20160816;
        b=aoE34H48elFCYKujv2YWxPKC0jo/gBYiNB9i7KsPIseANz8JoUjooblfS7Mld3McWI
         WdAWHFn3Nc6t6Ir4mK3ZBriRI1KP+MqdRr4/yei8uoVqONzEnYCwTTSA5b+8IFrkpTXp
         YeIRPPYgNo0mPExyVttjReihByCF/kWRzq/vZnWG4kZhFbP8eCOeqKTsEQB08czZI2Uz
         sYjOsk0l+YH35QI9pW5TU/GH4Hsr6KK+tgHRSA+IaCyaRtgBJdP01QIwOdJRzFy1VcvN
         I0Gva8KIFEmgVl4PeJ/wkPgcr1cXvXJ4K/9S78byBoygzBZkFcSXCJgRx6S7He+TIxJM
         2V3Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:subject:cc:to:from:date;
        bh=yJqfD0Z1yOzWpBvUxn/6riErZV1RqxYsuot4KrPqh4U=;
        fh=Tln/rNXvDYJswyhvoygm68spIJd6YNM3E/X4Ij2fA/g=;
        b=iVQ6kHQC66J/ZOn4iVLLNUyiLTSa/q8yf2/bZJqL4k9thyEHWI8nAMbldFPFLHSxOX
         GR2A7mf/S0IcZ4lw+tRInl+ua9hp2ua71Br24U6wzH9MNqMCCWtQlyoOUBu6OhGlEggz
         NMJbNHOqKDwAezIpaJ2XWvlnbzL8ZFmKF0/XCXtn4N3mhQQ6XIULjF8JiNNTNfNFnWOE
         ouAq6OjSt+2iVuFeT98YIhPHw3zqIf/6YG0771o6Ab3nAUfh5vu6Z3WhTOYuQmcs5enI
         0PNnnuPvvjr+4ee7iJ21yeZwbzE4HGAEiwtpm+t+oHI1/Y97TNlVG9TZxvQQOyonRNMh
         uKww==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id a7-20020a634d07000000b00557888b4eb9si19356979pgb.622.2023.07.03.08.52.05;
        Mon, 03 Jul 2023 08:52:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S230059AbjGCPnY (ORCPT <rfc822;alcock.james@gmail.com>
        + 99 others); Mon, 3 Jul 2023 11:43:24 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:35128 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229505AbjGCPnX (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 3 Jul 2023 11:43:23 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2DD89C2
        for <linux-kernel@vger.kernel.org>; Mon,  3 Jul 2023 08:43:22 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
         key-exchange X25519 server-signature RSA-PSS (2048 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id C045860FAF
        for <linux-kernel@vger.kernel.org>; Mon,  3 Jul 2023 15:43:21 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 506F2C433C7;
        Mon,  3 Jul 2023 15:43:20 +0000 (UTC)
Date:   Mon, 3 Jul 2023 11:43:18 -0400
From:   Steven Rostedt <rostedt@goodmis.org>
To:     LKML <linux-kernel@vger.kernel.org>
Cc:     Dave Wysochanski <dwysocha@redhat.com>,
        Ronnie Sahlberg <lsahlber@redhat.com>,
        Pavel Shilovsky <pshilov@microsoft.com>,
        Linus Torvalds <torvalds@linux-foundation.org>,
        Peter Zijlstra <peterz@infradead.org>,
        Thomas Gleixner <tglx@linutronix.de>,
        Ajay Kaher <akaher@vmware.com>
Subject: Buggy rwsem locking code in fs/smb/client/file.c
Message-ID: <20230703114318.1576ea24@rorschach.local.home>
X-Mailer: Claws Mail 3.17.8 (GTK+ 2.24.33; x86_64-pc-linux-gnu)
MIME-Version: 1.0
Content-Type: text/plain; charset=US-ASCII
Content-Transfer-Encoding: 7bit
X-Spam-Status: No, score=-6.7 required=5.0 tests=BAYES_00,
        HEADER_FROM_DIFFERENT_DOMAINS,RCVD_IN_DNSWL_HI,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

I just reviewed a patch that copied a solution from
fs/smb/client/file.c (original was fs/cifs/file.c), which is really
just hiding a bug. And because this code could have possibly caused
this buggy solution to be repeated, I believe it should be fixed,
before others use it as precedent in other areas of the kernel.

Commit d46b0da7a33dd ("cifs: Fix cifsInodeInfo lock_sem deadlock when
reconnect occurs") has in its change log:

    There's a deadlock that is possible and can easily be seen with
    a test where multiple readers open/read/close of the same file
    and a disruption occurs causing reconnect.  The deadlock is due
    a reader thread inside cifs_strict_readv calling down_read and
    obtaining lock_sem, and then after reconnect inside
    cifs_reopen_file calling down_read a second time.  If in
    between the two down_read calls, a down_write comes from
    another process, deadlock occurs.
    
            CPU0                    CPU1
            ----                    ----
    cifs_strict_readv()
     down_read(&cifsi->lock_sem);
                                   _cifsFileInfo_put
                                      OR
                                   cifs_new_fileinfo
                                    down_write(&cifsi->lock_sem);
    cifs_reopen_file()
     down_read(&cifsi->lock_sem);
    
    Fix the above by changing all down_write(lock_sem) calls to
    down_write_trylock(lock_sem)/msleep() loop, which in turn
    makes the second down_read call benign since it will never
    block behind the writer while holding lock_sem.

And hides the bug by wrapping the down_write() with:

+void
+cifs_down_write(struct rw_semaphore *sem)
+{
+       while (!down_write_trylock(sem))
+               msleep(10);
+}
+

The comment above down_read_nested() has:

/*
 * nested locking. NOTE: rwsems are not allowed to recurse
 * (which occurs if the same task tries to acquire the same
 * lock instance multiple times), but multiple locks of the
 * same lock class might be taken, if the order of the locks
 * is always the same. This ordering rule can be expressed
 * to lockdep via the _nested() APIs, but enumerating the
 * subclasses that are used. (If the nesting relationship is
 * static then another method for expressing nested locking is
 * the explicit definition of lock class keys and the use of
 * lockdep_set_class() at lock initialization time.
 * See Documentation/locking/lockdep-design.rst for more details.)
 */

As the NOTE above states, down_read() is not a recursive lock, which
appears to be what cifs is using it for. I wonder if it could be
converted to using RCU instead.

I'm just bringing this to everyone's attention because that code really
needs to be fixed.

-- Steve