Received: by 2002:ab2:60d1:0:b0:1f7:5705:b850 with SMTP id i17csp572024lqm; Wed, 1 May 2024 09:07:48 -0700 (PDT) X-Forwarded-Encrypted: i=3; AJvYcCUc3eGTRGn6uUy1FWmLbHblgEA6jaTB2FZfm0BOCXzEatX5SHPOeJ1bsCD4H6I5DUbGShA4GGzlhiRBUUyxr8Yw+0VTgNl69XFgTHD4Dw== X-Google-Smtp-Source: AGHT+IFdA7XJux9k1fI4APGGPJveyz4YaAg9RwS2QkGdktmgkXOCWgYChzDfAu5MOp/15d3A7dzt X-Received: by 2002:a05:6512:1315:b0:51d:5e78:17fa with SMTP id x21-20020a056512131500b0051d5e7817famr2307481lfu.4.1714579667992; Wed, 01 May 2024 09:07:47 -0700 (PDT) ARC-Seal: i=2; a=rsa-sha256; t=1714579667; cv=pass; d=google.com; s=arc-20160816; b=Pfu+YqprdjAjGo1MM+kExCpCJ4qGukjRyJP3XL61LIdxVCXmukgtekCAFQV3l5hxbw bu7/bu07R3giQy0x7dW9GaHOWEjsm/M/SBP+8xMCUCn//7JWhewImNGMkZmrzor9+rpA A2+NQRt27ta6+0d7jufQjuLH2aLeBZiUIsDHpZjcPjGSQz6AmJYo5EyVCDz0VcjSmMhe 1aw3d4BXdkpahNV7Xvte3FvFxjURsWxC7ojzhqsjdA3IQtljSZ/BKf6sKbWLxYswPgSw MlZ/8j+w21EkVfK3D6LM113BfS8xgEQasHFHxcXcTVS6EeJqiPJ5L/hDXh8MswfmlC5k 8vtQ== ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=in-reply-to:content-disposition:mime-version:list-unsubscribe :list-subscribe:list-id:precedence:references:message-id:subject:cc :to:from:date:dkim-signature; bh=zCmyjOviXwLUhJllYlBi6gdtFcdjU43GquheYltQR2E=; fh=w8S2uJriQsqkQqPrICK0S3AXaIyMuVPeji3l+bPGo+E=; b=zdX3/pJK4iq0CxVYn8WPi7w653TTrkRiZbSg1/5ErBjSQrNun8P0REtSlok4hZfS/w nlBPP3i+bX/1oMLfs74bcONSoi0NpEHu2HYAa3pwWFnWyoOwj8mFMDoqK0EC4bI6VjoM T+MHFuXOajX6U4n7yOPXXS1cwgi/Ul8s3Ph0Z2ATO+w4mCQEbnnj6kqni1pVIfIvfUZX 0bw/MdCEXEBsd+89FuXhYxxA+m8Cbydd9056jINen+4QEfC1a98Y2+4+l3SBDPjjiTVE 3lYSvmxkAhB4Vdn77rNEiwbiZbgu2gO/FkFXvxM8jtV8aTLXiydXvrXb/jSpnZzxC22F uZnA==; dara=google.com ARC-Authentication-Results: i=2; mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=e+CYxHqt; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-165539-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-165539-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Return-Path: Received: from am.mirrors.kernel.org (am.mirrors.kernel.org. [2604:1380:4601:e00::3]) by mx.google.com with ESMTPS id w9-20020a056402268900b00572a9b7fca5si1076500edd.19.2024.05.01.09.07.47 for (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 May 2024 09:07:47 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel+bounces-165539-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) client-ip=2604:1380:4601:e00::3; Authentication-Results: mx.google.com; dkim=pass header.i=@redhat.com header.s=mimecast20190719 header.b=e+CYxHqt; arc=pass (i=1 spf=pass spfdomain=redhat.com dkim=pass dkdomain=redhat.com dmarc=pass fromdomain=redhat.com); spf=pass (google.com: domain of linux-kernel+bounces-165539-linux.lists.archive=gmail.com@vger.kernel.org designates 2604:1380:4601:e00::3 as permitted sender) smtp.mailfrom="linux-kernel+bounces-165539-linux.lists.archive=gmail.com@vger.kernel.org"; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=redhat.com Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by am.mirrors.kernel.org (Postfix) with ESMTPS id 883451F21B67 for ; Wed, 1 May 2024 16:07:47 +0000 (UTC) Received: from localhost.localdomain (localhost.localdomain [127.0.0.1]) by smtp.subspace.kernel.org (Postfix) with ESMTP id EAE9012FB37; Wed, 1 May 2024 16:06:57 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b="e+CYxHqt" Received: from us-smtp-delivery-124.mimecast.com (us-smtp-delivery-124.mimecast.com [170.10.129.124]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 6060412FB35 for ; Wed, 1 May 2024 16:06:55 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=170.10.129.124 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714579617; cv=none; b=cqe5oe1fvX8uDKdZ8Cp74Ne0R5ASCHCaXLf+qKc6ITPgiw7wHt+ehmwUgQT3WCeWPQQ6NTxg3Wybjuu6bawbBw0rIZrBSU0IH+c26rKJR+i/Hhtzi5IpviMwdAlD0iZOB7BOBjVp9lD2z4F2h4OCTrsNcpxw+Hd2wa8+67DWJpw= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1714579617; c=relaxed/simple; bh=Pa9w/V8mbigAhonO5FDBjI6AaOlVVJdP2CoC36lyTN8=; h=Date:From:To:Cc:Subject:Message-ID:References:MIME-Version: Content-Type:Content-Disposition:In-Reply-To; b=TrQhv9TYtpyApQ0fQfgRnqzpxbTShNj6AwHaipYT8KyXCADlM+5F9epIRxE2vN6npDKZitk7Lel55WCZj6ObWme4KeZn0EqHyzqVHurFT83AZkVENFuYQMMbVinIcVBheriLeLzTxl1IW3g5XtcEpRLFWzRiGcgtbKkL06gUKLo= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com; spf=pass smtp.mailfrom=redhat.com; dkim=pass (1024-bit key) header.d=redhat.com header.i=@redhat.com header.b=e+CYxHqt; arc=none smtp.client-ip=170.10.129.124 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=redhat.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=redhat.com DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=redhat.com; s=mimecast20190719; t=1714579614; h=from:from:reply-to:subject:subject:date:date:message-id:message-id: to:to:cc:cc:mime-version:mime-version:content-type:content-type: in-reply-to:in-reply-to:references:references; bh=zCmyjOviXwLUhJllYlBi6gdtFcdjU43GquheYltQR2E=; b=e+CYxHqtg4hphOqLjvcsrbHKFTbFetHouwAmEpQvAIgPU29MV9DIEfAuXVBo86rG7mqsDo BBEaS8Ge6MsPeTyDFgRCiHnzV/7vap2jP6d3OAh4QwAcSFz3i+PMHrZNstdlfSLl1hL683 9gVGYWxMWbLrBM56/+oUw9CuIeGfpBQ= Received: from mail-ej1-f70.google.com (mail-ej1-f70.google.com [209.85.218.70]) by relay.mimecast.com with ESMTP with STARTTLS (version=TLSv1.3, cipher=TLS_AES_256_GCM_SHA384) id us-mta-567-bsSxNLTIMYWR1FuuMpulfA-1; Wed, 01 May 2024 12:06:52 -0400 X-MC-Unique: bsSxNLTIMYWR1FuuMpulfA-1 Received: by mail-ej1-f70.google.com with SMTP id a640c23a62f3a-a5190b1453fso451496366b.2 for ; Wed, 01 May 2024 09:06:52 -0700 (PDT) X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1714579611; x=1715184411; h=in-reply-to:content-disposition:mime-version:references:message-id :subject:cc:to:from:date:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=zCmyjOviXwLUhJllYlBi6gdtFcdjU43GquheYltQR2E=; b=YZZdxx6KB72R95NrTU8GOBCj3Nq12SWfeW/vpvcyc0K4lQ/fEBO6t06J9Ep2WU4C6O v5Wsn/dkQUs8uCOx/uhsA7qYdnAd7VMYBIxj3RM5M2vbYDOC0xFWqdnZ7GYVUTkZDCsk HLMvW48pBq3+NlqSpeXjkrJwtO0Hl045g1zsJrpt1UjgeQbn3LzoMy8PN8yd3ywVNSSZ qonbR7moMttbun7nBGoRDq2gQJAoTEiNAD4U1/sYez9OC6Xk3s/W+pblRkUw4vd2L9pt u5u/1MO0FDPEsU4u3oa/szEuOMBLBcLocjgSRgbeO+2dYVW9RPaS/r0V/ZyxSEc1g7ZY 9sdw== X-Gm-Message-State: AOJu0YxSbCvVgenzq0V1bxTdVpuJgbdOdv0SXvWycdJZqpy5TZvZw4Yx iJZS8nz2dokJC42wrXM6Lqq0UiU/qbtATBI6YWaxyBecdPJiDtcA0D/KLOHNvMcHNSaLDLx1A4b 6F6WgR8NE+FABNC6BIityawLdk90GJI65hHllEkeNTwOVW+l1fvH4HEUo4RWkB1GqJXqkxyuiIf GpoJTWLQIwBaoMF0d0+sioYDObmlTXjvXNbfDgCsA= X-Received: by 2002:a17:906:e219:b0:a55:6407:c0c7 with SMTP id gf25-20020a170906e21900b00a556407c0c7mr2220729ejb.17.1714579610627; Wed, 01 May 2024 09:06:50 -0700 (PDT) X-Received: by 2002:a17:906:e219:b0:a55:6407:c0c7 with SMTP id gf25-20020a170906e21900b00a556407c0c7mr2220710ejb.17.1714579610008; Wed, 01 May 2024 09:06:50 -0700 (PDT) Received: from redhat.com ([2a0d:6fc7:346:6a42:bb79:449b:3f0b:a228]) by smtp.gmail.com with ESMTPSA id jt17-20020a170906ca1100b00a5910978658sm2738310ejb.208.2024.05.01.09.06.48 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 01 May 2024 09:06:49 -0700 (PDT) Date: Wed, 1 May 2024 12:06:46 -0400 From: "Michael S. Tsirkin" To: linux-kernel@vger.kernel.org Cc: linux-tip-commits@vger.kernel.org, syzbot+dce04ed6d1438ad69656@syzkaller.appspotmail.com, Thomas Gleixner , Zqiang , x86@kernel.org, maz@kernel.org Subject: Re: [tip: irq/urgent] softirq: Fix suspicious RCU usage in __do_softirq() Message-ID: <20240501120501-mutt-send-email-mst@kernel.org> References: <20240427102808.29356-1-qiang.zhang1211@gmail.com> <171436008266.10875.5509449909240073046.tip-bot2@tip-bot2> Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <171436008266.10875.5509449909240073046.tip-bot2@tip-bot2> On Mon, Apr 29, 2024 at 03:08:02AM -0000, tip-bot2 for Zqiang wrote: > The following commit has been merged into the irq/urgent branch of tip: > > Commit-ID: 1dd1eff161bd55968d3d46bc36def62d71fb4785 > Gitweb: https://git.kernel.org/tip/1dd1eff161bd55968d3d46bc36def62d71fb4785 > Author: Zqiang > AuthorDate: Sat, 27 Apr 2024 18:28:08 +08:00 > Committer: Thomas Gleixner > CommitterDate: Mon, 29 Apr 2024 05:03:51 +02:00 > > softirq: Fix suspicious RCU usage in __do_softirq() > > Currently, the condition "__this_cpu_read(ksoftirqd) == current" is used to > invoke rcu_softirq_qs() in ksoftirqd tasks context for non-RT kernels. > > This works correctly as long as the context is actually task context but > this condition is wrong when: > > - the current task is ksoftirqd > - the task is interrupted in a RCU read side critical section > - __do_softirq() is invoked on return from interrupt > > Syzkaller triggered the following scenario: > > -> finish_task_switch() > -> put_task_struct_rcu_user() > -> call_rcu(&task->rcu, delayed_put_task_struct) > -> __kasan_record_aux_stack() > -> pfn_valid() > -> rcu_read_lock_sched() > > __irq_exit_rcu() > -> __do_softirq)() > -> if (!IS_ENABLED(CONFIG_PREEMPT_RT) && > __this_cpu_read(ksoftirqd) == current) > -> rcu_softirq_qs() > -> RCU_LOCKDEP_WARN(lock_is_held(&rcu_sched_lock_map)) > > The rcu quiescent state is reported in the rcu-read critical section, so > the lockdep warning is triggered. > > Fix this by splitting out the inner working of __do_softirq() into a helper > function which takes an argument to distinguish between ksoftirqd task > context and interrupted context and invoke it from the relevant call sites > with the proper context information and use that for the conditional > invocation of rcu_softirq_qs(). > > Reported-by: syzbot+dce04ed6d1438ad69656@syzkaller.appspotmail.com > Suggested-by: Thomas Gleixner > Signed-off-by: Zqiang > Signed-off-by: Thomas Gleixner > Link: https://lore.kernel.org/r/20240427102808.29356-1-qiang.zhang1211@gmail.com > Link: https://lore.kernel.org/lkml/8f281a10-b85a-4586-9586-5bbc12dc784f@paulmck-laptop/T/#mea8aba4abfcb97bbf499d169ce7f30c4cff1b0e3 I can add that this also fixes a UAF reported by syzbot (partially, another part of UAF is an unrelated bug): Reported-by: syzbot+98edc2df894917b3431f@syzkaller.appspotmail.com > --- > kernel/softirq.c | 12 ++++++++---- > 1 file changed, 8 insertions(+), 4 deletions(-) > > diff --git a/kernel/softirq.c b/kernel/softirq.c > index b315b21..0258201 100644 > --- a/kernel/softirq.c > +++ b/kernel/softirq.c > @@ -508,7 +508,7 @@ static inline bool lockdep_softirq_start(void) { return false; } > static inline void lockdep_softirq_end(bool in_hardirq) { } > #endif > > -asmlinkage __visible void __softirq_entry __do_softirq(void) > +static void handle_softirqs(bool ksirqd) > { > unsigned long end = jiffies + MAX_SOFTIRQ_TIME; > unsigned long old_flags = current->flags; > @@ -563,8 +563,7 @@ restart: > pending >>= softirq_bit; > } > > - if (!IS_ENABLED(CONFIG_PREEMPT_RT) && > - __this_cpu_read(ksoftirqd) == current) > + if (!IS_ENABLED(CONFIG_PREEMPT_RT) && ksirqd) > rcu_softirq_qs(); > > local_irq_disable(); > @@ -584,6 +583,11 @@ restart: > current_restore_flags(old_flags, PF_MEMALLOC); > } > > +asmlinkage __visible void __softirq_entry __do_softirq(void) > +{ > + handle_softirqs(false); > +} > + > /** > * irq_enter_rcu - Enter an interrupt context with RCU watching > */ > @@ -921,7 +925,7 @@ static void run_ksoftirqd(unsigned int cpu) > * We can safely run softirq on inline stack, as we are not deep > * in the task stack here. > */ > - __do_softirq(); > + handle_softirqs(true); > ksoftirqd_run_end(); > cond_resched(); > return;