Re: [syzbot] BUG: sleeping function called from invalid context in smc_pnet_apply_ib

From: Fabio M. De Francesco
Date: Mon Feb 21 2022 - 05:54:06 EST

Next message: Aleksa Savic: "[PATCH] hwmon: add driver for Aquacomputer Farbwerk 360"
Previous message: Qiang Yu: "[PATCH] drm/amdgpu: check vm ready by evicting"
In reply to: Tony Lu: "Re: [syzbot] BUG: sleeping function called from invalid context in smc_pnet_apply_ib"
Next in thread: syzbot: "Re: [syzbot] BUG: sleeping function called from invalid context in smc_pnet_apply_ib"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On lunedì 21 febbraio 2022 10:18:59 CET Tony Lu wrote:
> On Thu, Feb 17, 2022 at 07:05:31PM +0100, Fabio M. De Francesco wrote:
> > On giovedì 17 febbraio 2022 17:41:22 CET syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit: c832962ac972 net: bridge: multicast: notify switchdev driv..
> > > git tree: net
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=16b157bc700000
> > > kernel config: https://syzkaller.appspot.com/x/.config?x=266de9da75c71a45
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=4f322a6d84e991c38775
> > > compiler: gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> > >
> > > Unfortunately, I don't have any reproducer for this issue yet.
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+4f322a6d84e991c38775@xxxxxxxxxxxxxxxxxxxxxxxxx
> > >
> > > infiniband syz1: set down
> > > infiniband syz1: added lo
> > > RDS/IB: syz1: added
> > > smc: adding ib device syz1 with port count 1
> > > BUG: sleeping function called from invalid context at kernel/locking/mutex.c:577
> > > in_atomic(): 1, irqs_disabled(): 0, non_block: 0, pid: 17974, name: syz-executor.3
> > > preempt_count: 1, expected: 0
> > > RCU nest depth: 0, expected: 0
> > > 6 locks held by syz-executor.3/17974:
> > > #0: ffffffff90865838 (&rdma_nl_types[idx].sem){.+.+}-{3:3}, at: rdma_nl_rcv_msg+0x161/0x690 drivers/infiniband/core/netlink.c:164
> > > #1: ffffffff8d04edf0 (link_ops_rwsem){++++}-{3:3}, at: nldev_newlink+0x25d/0x560 drivers/infiniband/core/nldev.c:1707
> > > #2: ffffffff8d03e650 (devices_rwsem){++++}-{3:3}, at: enable_device_and_get+0xfc/0x3b0 drivers/infiniband/core/device.c:1321
> > > #3: ffffffff8d03e510 (clients_rwsem){++++}-{3:3}, at: enable_device_and_get+0x15b/0x3b0 drivers/infiniband/core/device.c:1329
> > > #4: ffff8880482c85c0 (&device->client_data_rwsem){++++}-{3:3}, at: add_client_context+0x3d0/0x5e0 drivers/infiniband/core/device.c:718
> > > #5: ffff8880230a4118 (&pnettable->lock){++++}-{2:2}, at: smc_pnetid_by_table_ib+0x18c/0x470 net/smc/smc_pnet.c:1159
> > > Preemption disabled at:
> > > [<0000000000000000>] 0x0
> > > CPU: 1 PID: 17974 Comm: syz-executor.3 Not tainted 5.17.0-rc3-syzkaller-00170-gc832962ac972 #0
> > > Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
> > > Call Trace:
> > > <TASK>
> > > __dump_stack lib/dump_stack.c:88 [inline]
> > > dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
> > > __might_resched.cold+0x222/0x26b kernel/sched/core.c:9576
> > > __mutex_lock_common kernel/locking/mutex.c:577 [inline]
> > > __mutex_lock+0x9f/0x12f0 kernel/locking/mutex.c:733
> > > smc_pnet_apply_ib+0x28/0x160 net/smc/smc_pnet.c:251
> > > smc_pnetid_by_table_ib+0x2ae/0x470 net/smc/smc_pnet.c:1164
> >
> > If I recall it well, read_lock() disables preemption.
> >
> > smc_pnetid_by_table_ib() uses read_lock() and then it calls smc_pnet_apply_ib()
> > which, in turn, calls mutex_lock(&smc_ib_devices.mutex). Therefore the code
> > acquires a mutex while in atomic and we get a SAC bug.
> >
> > Actually, even if my argument is correct(?), I don't know if the read_lock()
> > in smc_pnetid_by_table_ib() can be converted to a sleeping lock like a mutex or
> > a semaphore.
>
> Take the email above. I think it is safe to convert read_lock() to
> mutex, which is already used by smc_ib_devices.mutex.

Thanks for your reply.

I have noticed that the "pnettable->lock" rwlock is acquired several times
in different functions of net/smc/smc_pnet.c. smc_pnetid_by_table_ib() is just one
of many functions that acquire that rwlock.

Therefore, my question is... are you _really_ sure that "pnettable->lock" can be
safely converted to a mutex everywhere in net/smc?

I haven't read _all_ the path that lead to {write,read}_lock(&pnettable->lock) in
the net/smc code.

I think that before submitting that patch I should carefully read the code and check
_all_ the paths, unless you can confirm that the conversion is safe everywhere. If
you can answer my question, I can work on a patch by this evening (CET time zone)
and, obviously, give you proper credit.

Thank you,

Fabio M. De Francesco

>
> Thank you,
> Tony Lu

Next message: Aleksa Savic: "[PATCH] hwmon: add driver for Aquacomputer Farbwerk 360"
Previous message: Qiang Yu: "[PATCH] drm/amdgpu: check vm ready by evicting"
In reply to: Tony Lu: "Re: [syzbot] BUG: sleeping function called from invalid context in smc_pnet_apply_ib"
Next in thread: syzbot: "Re: [syzbot] BUG: sleeping function called from invalid context in smc_pnet_apply_ib"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]