Release XT925 KDA20.127 source Please. #18
Comments
|
Finally is here.. https://github.com/MotorolaMobilityLLC/kernel-msm/tree/kitkat-4.4.2-release-vanquish Thanks moto. |
DoctorStrange96
pushed a commit
to DoctorStrange96/KaminariKernel
that referenced
this issue
Nov 20, 2015
The cost of changing a cacheline from shared to exclusive state can be significant, especially when this is triggered by an exclusive store, since it may result in having to retry the transaction. This patch prefixes our atomic bitops implementation with prefetchw, to try and grab the line in exclusive state from the start. The testop macro is left alone, since the barrier semantics limit the usefulness of prefetching data. Acked-by: Nicolas Pitre <nico@linaro.org> Signed-off-by: Will Deacon <will.deacon@arm.com> ARM: 7907/1: lib: delay-loop: Add align directive to fix BogoMIPS calculation Currently mx53 (CortexA8) running at 1GHz reports: Calibrating delay loop... 663.55 BogoMIPS (lpj=3317760) Tom Evans verified that alignments of 0x0 and 0x8 run the two instructions of __loop_delay in one clock cycle (1 clock/loop), while alignments of 0x4 and 0xc take 3 clocks to run the loop twice. (1.5 clock/loop) The original object code looks like this: 00000010 <__loop_const_udelay>: 10: e3e01000 mvn r1, #0 14: e51f201c ldr r2, [pc, #-28] ; 0 <__loop_udelay-0x8> 18: e5922000 ldr r2, [r2] 1c: e0800921 add r0, r0, r1, lsr MotorolaMobilityLLC#18 20: e1a00720 lsr r0, r0, MotorolaMobilityLLC#14 24: e0822b21 add r2, r2, r1, lsr MotorolaMobilityLLC#22 28: e1a02522 lsr r2, r2, MotorolaMobilityLLC#10 2c: e0000092 mul r0, r2, r0 30: e0800d21 add r0, r0, r1, lsr MotorolaMobilityLLC#26 34: e1b00320 lsrs r0, r0, MotorolaMobilityLLC#6 38: 01a0f00e moveq pc, lr 0000003c <__loop_delay>: 3c: e2500001 subs r0, r0, #1 40: 8afffffe bhi 3c <__loop_delay> 44: e1a0f00e mov pc, lr After adding the 'align 3' directive to __loop_delay (align to 8 bytes): 00000010 <__loop_const_udelay>: 10: e3e01000 mvn r1, #0 14: e51f201c ldr r2, [pc, #-28] ; 0 <__loop_udelay-0x8> 18: e5922000 ldr r2, [r2] 1c: e0800921 add r0, r0, r1, lsr MotorolaMobilityLLC#18 20: e1a00720 lsr r0, r0, MotorolaMobilityLLC#14 24: e0822b21 add r2, r2, r1, lsr MotorolaMobilityLLC#22 28: e1a02522 lsr r2, r2, MotorolaMobilityLLC#10 2c: e0000092 mul r0, r2, r0 30: e0800d21 add r0, r0, r1, lsr MotorolaMobilityLLC#26 34: e1b00320 lsrs r0, r0, MotorolaMobilityLLC#6 38: 01a0f00e moveq pc, lr 3c: e320f000 nop {0} 00000040 <__loop_delay>: 40: e2500001 subs r0, r0, #1 44: 8afffffe bhi 40 <__loop_delay> 48: e1a0f00e mov pc, lr 4c: e320f000 nop {0} , which now reports: Calibrating delay loop... 996.14 BogoMIPS (lpj=4980736) Some more test results: On mx31 (ARM1136) running at 532 MHz, before the patch: Calibrating delay loop... 351.43 BogoMIPS (lpj=1757184) On mx31 (ARM1136) running at 532 MHz after the patch: Calibrating delay loop... 528.79 BogoMIPS (lpj=2643968) Also tested on mx6 (CortexA9) and on mx27 (ARM926), which shows the same BogoMIPS value before and after this patch. Reported-by: Tom Evans <tom_usenet@optusnet.com.au> Suggested-by: Tom Evans <tom_usenet@optusnet.com.au> Signed-off-by: Fabio Estevam <fabio.estevam@freescale.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ARM: 7404/1: cmpxchg64: use atomic64 and local64 routines for cmpxchg64 The cmpxchg64 routines for ARMv6+ CPUs replicate inline assembly that already exists for atomic64 operations. Furthermore, the cmpxchg64 code uses the "memory" constraint in the clobber list rather than identifying the region of memory that is actually modified. This patch replaces the ARMv6+ cmpxchg64 code with macros that expand to the atomic64_ and local64_ variants, casting the pointer parameter to the appropriate container type. Cc: Nicolas Pitre <nico@linaro.org> Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ARM: 7720/1: ARM v6/v7 cmpxchg64 shouldn't clear upper 32 bits of the old/new value The implementation of cmpxchg64() for the ARM v6 and v7 architecture casts parameter 2 and 3 (the old and new 64bit values) to an unsigned long before calling the atomic_cmpxchg64() function. This clears the top 32 bits of the old and new values, resulting in the wrong values being compare-exchanged. Luckily, this only appears to be used for 64-bit sched_clock, which we don't (yet) have on ARM. This bug was introduced by commit 3e0f5a1 ("ARM: 7404/1: cmpxchg64: use atomic64 and local64 routines for cmpxchg64"). Cc: <stable@vger.kernel.org> Acked-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Jaccon Bastiaansen <jaccon.bastiaansen@gmail.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ARM: 7852/1: cmpxchg: implement barrier-less cmpxchg64_local Our cmpxchg64 macros are wrappers around atomic64_cmpxchg. Whilst this is great for code re-use, there is a case for barrier-less cmpxchg where it is known to be safe (for example cmpxchg64_local and cmpxchg-based lockrefs). This patch introduces a 64-bit cmpxchg implementation specifically for the cmpxchg64_* macros, so that it can be later used by the lockref code. Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ARM: 7853/1: cmpxchg: implement cmpxchg64_relaxed This patch introduces cmpxchg64_relaxed for arm, which performs a 64-bit cmpxchg operation without barrier semantics. cmpxchg64_local is updated to use the new operation. Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk> ARM: 7984/1: prefetch: add prefetchw invocations for barriered atomics After a bunch of benchmarking on the interaction between dmb and pldw, it turns out that issuing the pldw *after* the dmb instruction can give modest performance gains (~3% atomic_add_return improvement on a dual A15). This patch adds prefetchw invocations to our barriered atomic operations including cmpxchg, test_and_xxx and futexes. Change-Id: Id6ebfe82ff9578c27e2b745e2cce167200112606 Signed-off-by: Will Deacon <will.deacon@arm.com> Signed-off-by: Russell King <rmk+kernel@arm.linux.org.uk>
charleseb
pushed a commit
that referenced
this issue
Dec 29, 2015
While testing the pid namespace code I hit this nasty warning. [ 176.262617] ------------[ cut here ]------------ [ 176.263388] WARNING: at /home/eric/projects/linux/linux-userns-devel/kernel/softirq.c:160 local_bh_enable_ip+0x7a/0xa0() [ 176.265145] Hardware name: Bochs [ 176.265677] Modules linked in: [ 176.266341] Pid: 742, comm: bash Not tainted 3.7.0userns+ #18 [ 176.266564] Call Trace: [ 176.266564] [<ffffffff810a539f>] warn_slowpath_common+0x7f/0xc0 [ 176.266564] [<ffffffff810a53fa>] warn_slowpath_null+0x1a/0x20 [ 176.266564] [<ffffffff810ad9ea>] local_bh_enable_ip+0x7a/0xa0 [ 176.266564] [<ffffffff819308c9>] _raw_spin_unlock_bh+0x19/0x20 [ 176.266564] [<ffffffff8123dbda>] proc_free_inum+0x3a/0x50 [ 176.266564] [<ffffffff8111d0dc>] free_pid_ns+0x1c/0x80 [ 176.266564] [<ffffffff8111d195>] put_pid_ns+0x35/0x50 [ 176.266564] [<ffffffff810c608a>] put_pid+0x4a/0x60 [ 176.266564] [<ffffffff8146b177>] tty_ioctl+0x717/0xc10 [ 176.266564] [<ffffffff810aa4d5>] ? wait_consider_task+0x855/0xb90 [ 176.266564] [<ffffffff81086bf9>] ? default_spin_lock_flags+0x9/0x10 [ 176.266564] [<ffffffff810cab0a>] ? remove_wait_queue+0x5a/0x70 [ 176.266564] [<ffffffff811e37e8>] do_vfs_ioctl+0x98/0x550 [ 176.266564] [<ffffffff810b8a0f>] ? recalc_sigpending+0x1f/0x60 [ 176.266564] [<ffffffff810b9127>] ? __set_task_blocked+0x37/0x80 [ 176.266564] [<ffffffff810ab95b>] ? sys_wait4+0xab/0xf0 [ 176.266564] [<ffffffff811e3d31>] sys_ioctl+0x91/0xb0 [ 176.266564] [<ffffffff810a95f0>] ? task_stopped_code+0x50/0x50 [ 176.266564] [<ffffffff81939199>] system_call_fastpath+0x16/0x1b [ 176.266564] ---[ end trace 387af88219ad6143 ]--- It turns out that spin_unlock_bh(proc_inum_lock) is not safe when put_pid is called with another spinlock held and irqs disabled. For now take the easy path and use spin_lock_irqsave(proc_inum_lock) in proc_free_inum and spin_loc_irq in proc_alloc_inum(proc_inum_lock). Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com> Bug: 22173056 Backport: commits 1bb9bf4 to this one are backport of mnt namespace (cherry picked from commit dfb2ea4) Change-Id: I1bfca15df43e2e293cf725649e1815ec985ed891 Reviewed-on: http://gerrit.mot.com/778671 SLTApproved: Slta Waiver <sltawvr@motorola.com> SME-Granted: SME Approvals Granted Reviewed-by: Russell Knize <rknize@motorola.com> Submit-Approved: Jira Key <jirakey@motorola.com> Tested-by: Jira Key <jirakey@motorola.com> Reviewed-by: Abdul Salam <salamab@motorola.com> Reviewed-by: Sudharsan Yettapu <sudharsan.yettapu@motorola.com>
DoctorStrange96
pushed a commit
to DoctorStrange96/KaminariKernel
that referenced
this issue
Jul 31, 2016
While testing the pid namespace code I hit this nasty warning. [ 176.262617] ------------[ cut here ]------------ [ 176.263388] WARNING: at /home/eric/projects/linux/linux-userns-devel/kernel/softirq.c:160 local_bh_enable_ip+0x7a/0xa0() [ 176.265145] Hardware name: Bochs [ 176.265677] Modules linked in: [ 176.266341] Pid: 742, comm: bash Not tainted 3.7.0userns+ MotorolaMobilityLLC#18 [ 176.266564] Call Trace: [ 176.266564] [<ffffffff810a539f>] warn_slowpath_common+0x7f/0xc0 [ 176.266564] [<ffffffff810a53fa>] warn_slowpath_null+0x1a/0x20 [ 176.266564] [<ffffffff810ad9ea>] local_bh_enable_ip+0x7a/0xa0 [ 176.266564] [<ffffffff819308c9>] _raw_spin_unlock_bh+0x19/0x20 [ 176.266564] [<ffffffff8123dbda>] proc_free_inum+0x3a/0x50 [ 176.266564] [<ffffffff8111d0dc>] free_pid_ns+0x1c/0x80 [ 176.266564] [<ffffffff8111d195>] put_pid_ns+0x35/0x50 [ 176.266564] [<ffffffff810c608a>] put_pid+0x4a/0x60 [ 176.266564] [<ffffffff8146b177>] tty_ioctl+0x717/0xc10 [ 176.266564] [<ffffffff810aa4d5>] ? wait_consider_task+0x855/0xb90 [ 176.266564] [<ffffffff81086bf9>] ? default_spin_lock_flags+0x9/0x10 [ 176.266564] [<ffffffff810cab0a>] ? remove_wait_queue+0x5a/0x70 [ 176.266564] [<ffffffff811e37e8>] do_vfs_ioctl+0x98/0x550 [ 176.266564] [<ffffffff810b8a0f>] ? recalc_sigpending+0x1f/0x60 [ 176.266564] [<ffffffff810b9127>] ? __set_task_blocked+0x37/0x80 [ 176.266564] [<ffffffff810ab95b>] ? sys_wait4+0xab/0xf0 [ 176.266564] [<ffffffff811e3d31>] sys_ioctl+0x91/0xb0 [ 176.266564] [<ffffffff810a95f0>] ? task_stopped_code+0x50/0x50 [ 176.266564] [<ffffffff81939199>] system_call_fastpath+0x16/0x1b [ 176.266564] ---[ end trace 387af88219ad6143 ]--- It turns out that spin_unlock_bh(proc_inum_lock) is not safe when put_pid is called with another spinlock held and irqs disabled. For now take the easy path and use spin_lock_irqsave(proc_inum_lock) in proc_free_inum and spin_loc_irq in proc_alloc_inum(proc_inum_lock). Change-Id: Icc5e02fca3db0bda4acd491ad93b8f730d3b8627 Signed-off-by: "Eric W. Biederman" <ebiederm@xmission.com>
nikitsharma15
pushed a commit
to nikitsharma15/Vegito-athene
that referenced
this issue
Jul 2, 2017
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)� 225 {� 226 � const struct inet_connection_sock *icsk = inet_csk(sk);� 227 � const struct dst_entry *dst = __sk_dst_get(sk);� 228 � 229 � return (dst && dst_metric(dst, RTAX_QUICKACK)) ||� 230 � � (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);� 231 }� But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
nikitsharma15
pushed a commit
to nikitsharma15/Vegito-athene
that referenced
this issue
Jul 18, 2017
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)� 225 {� 226 � const struct inet_connection_sock *icsk = inet_csk(sk);� 227 � const struct dst_entry *dst = __sk_dst_get(sk);� 228 � 229 � return (dst && dst_metric(dst, RTAX_QUICKACK)) ||� 230 � � (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);� 231 }� But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Willy Tarreau <w@1wt.eu>
flar2
pushed a commit
to flar2/kernel-msm
that referenced
this issue
Jul 22, 2017
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
flar2
pushed a commit
to flar2/kernel-msm
that referenced
this issue
Jul 22, 2017
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
JeikWazTaken
pushed a commit
to motoTurboZ/kernel-msm
that referenced
this issue
Oct 24, 2017
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
JeikWazTaken
pushed a commit
to motoTurboZ/kernel-msm
that referenced
this issue
Oct 24, 2017
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
JeikWazTaken
pushed a commit
to motoTurboZ/kernel-msm
that referenced
this issue
Oct 28, 2017
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Jan 26, 2018
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Jan 26, 2018
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Jan 27, 2018
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Jan 27, 2018
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Apr 27, 2018
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Apr 27, 2018
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Apr 30, 2018
commit 45caeaa upstream. As Eric Dumazet pointed out this also needs to be fixed in IPv6. v2: Contains the IPv6 tcp/Ipv6 dccp patches as well. We have seen a few incidents lately where a dst_enty has been freed with a dangling TCP socket reference (sk->sk_dst_cache) pointing to that dst_entry. If the conditions/timings are right a crash then ensues when the freed dst_entry is referenced later on. A Common crashing back trace is: MotorolaMobilityLLC#8 [] page_fault at ffffffff8163e648 [exception RIP: __tcp_ack_snd_check+74] . . MotorolaMobilityLLC#9 [] tcp_rcv_established at ffffffff81580b64 MotorolaMobilityLLC#10 [] tcp_v4_do_rcv at ffffffff8158b54a MotorolaMobilityLLC#11 [] tcp_v4_rcv at ffffffff8158cd02 MotorolaMobilityLLC#12 [] ip_local_deliver_finish at ffffffff815668f4 MotorolaMobilityLLC#13 [] ip_local_deliver at ffffffff81566bd9 MotorolaMobilityLLC#14 [] ip_rcv_finish at ffffffff8156656d MotorolaMobilityLLC#15 [] ip_rcv at ffffffff81566f06 MotorolaMobilityLLC#16 [] __netif_receive_skb_core at ffffffff8152b3a2 MotorolaMobilityLLC#17 [] __netif_receive_skb at ffffffff8152b608 MotorolaMobilityLLC#18 [] netif_receive_skb at ffffffff8152b690 MotorolaMobilityLLC#19 [] vmxnet3_rq_rx_complete at ffffffffa015eeaf [vmxnet3] MotorolaMobilityLLC#20 [] vmxnet3_poll_rx_only at ffffffffa015f32a [vmxnet3] MotorolaMobilityLLC#21 [] net_rx_action at ffffffff8152bac2 MotorolaMobilityLLC#22 [] __do_softirq at ffffffff81084b4f MotorolaMobilityLLC#23 [] call_softirq at ffffffff8164845c MotorolaMobilityLLC#24 [] do_softirq at ffffffff81016fc5 MotorolaMobilityLLC#25 [] irq_exit at ffffffff81084ee5 MotorolaMobilityLLC#26 [] do_IRQ at ffffffff81648ff8 Of course it may happen with other NIC drivers as well. It's found the freed dst_entry here: 224 static bool tcp_in_quickack_mode(struct sock *sk)↩ 225 {↩ 226 ▹ const struct inet_connection_sock *icsk = inet_csk(sk);↩ 227 ▹ const struct dst_entry *dst = __sk_dst_get(sk);↩ 228 ↩ 229 ▹ return (dst && dst_metric(dst, RTAX_QUICKACK)) ||↩ 230 ▹ ▹ (icsk->icsk_ack.quick && !icsk->icsk_ack.pingpong);↩ 231 }↩ But there are other backtraces attributed to the same freed dst_entry in netfilter code as well. All the vmcores showed 2 significant clues: - Remote hosts behind the default gateway had always been redirected to a different gateway. A rtable/dst_entry will be added for that host. Making more dst_entrys with lower reference counts. Making this more probable. - All vmcores showed a postitive LockDroppedIcmps value, e.g: LockDroppedIcmps 267 A closer look at the tcp_v4_err() handler revealed that do_redirect() will run regardless of whether user space has the socket locked. This can result in a race condition where the same dst_entry cached in sk->sk_dst_entry can be decremented twice for the same socket via: do_redirect()->__sk_dst_check()-> dst_release(). Which leads to the dst_entry being prematurely freed with another socket pointing to it via sk->sk_dst_cache and a subsequent crash. To fix this skip do_redirect() if usespace has the socket locked. Instead let the redirect take place later when user space does not have the socket locked. The dccp/IPv6 code is very similar in this respect, so fixing it there too. As Eric Garver pointed out the following commit now invalidates routes. Which can set the dst->obsolete flag so that ipv4_dst_check() returns null and triggers the dst_release(). Fixes: ceb3320 ("ipv4: Kill routes during PMTU/redirect updates.") Cc: Eric Garver <egarver@redhat.com> Cc: Hannes Sowa <hsowa@redhat.com> Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Apr 30, 2018
commit 4dfce57 upstream. There have been several reports over the years of NULL pointer dereferences in xfs_trans_log_inode during xfs_fsr processes, when the process is doing an fput and tearing down extents on the temporary inode, something like: BUG: unable to handle kernel NULL pointer dereference at 0000000000000018 PID: 29439 TASK: ffff880550584fa0 CPU: 6 COMMAND: "xfs_fsr" [exception RIP: xfs_trans_log_inode+0x10] MotorolaMobilityLLC#9 [ffff8800a57bbbe0] xfs_bunmapi at ffffffffa037398e [xfs] MotorolaMobilityLLC#10 [ffff8800a57bbce8] xfs_itruncate_extents at ffffffffa0391b29 [xfs] MotorolaMobilityLLC#11 [ffff8800a57bbd88] xfs_inactive_truncate at ffffffffa0391d0c [xfs] MotorolaMobilityLLC#12 [ffff8800a57bbdb8] xfs_inactive at ffffffffa0392508 [xfs] MotorolaMobilityLLC#13 [ffff8800a57bbdd8] xfs_fs_evict_inode at ffffffffa035907e [xfs] MotorolaMobilityLLC#14 [ffff8800a57bbe00] evict at ffffffff811e1b67 MotorolaMobilityLLC#15 [ffff8800a57bbe28] iput at ffffffff811e23a5 MotorolaMobilityLLC#16 [ffff8800a57bbe58] dentry_kill at ffffffff811dcfc8 MotorolaMobilityLLC#17 [ffff8800a57bbe88] dput at ffffffff811dd06c MotorolaMobilityLLC#18 [ffff8800a57bbea8] __fput at ffffffff811c823b MotorolaMobilityLLC#19 [ffff8800a57bbef0] ____fput at ffffffff811c846e MotorolaMobilityLLC#20 [ffff8800a57bbf00] task_work_run at ffffffff81093b27 MotorolaMobilityLLC#21 [ffff8800a57bbf30] do_notify_resume at ffffffff81013b0c MotorolaMobilityLLC#22 [ffff8800a57bbf50] int_signal at ffffffff8161405d As it turns out, this is because the i_itemp pointer, along with the d_ops pointer, has been overwritten with zeros when we tear down the extents during truncate. When the in-core inode fork on the temporary inode used by xfs_fsr was originally set up during the extent swap, we mistakenly looked at di_nextents to determine whether all extents fit inline, but this misses extents generated by speculative preallocation; we should be using if_bytes instead. This mistake corrupts the in-memory inode, and code in xfs_iext_remove_inline eventually gets bad inputs, causing it to memmove and memset incorrect ranges; this became apparent because the two values in ifp->if_u2.if_inline_ext[1] contained what should have been in d_ops and i_itemp; they were memmoved due to incorrect array indexing and then the original locations were zeroed with memset, again due to an array overrun. Fix this by properly using i_df.if_bytes to determine the number of extents, not di_nextents. Thanks to dchinner for looking at this with me and spotting the root cause. [nborisov: backported to 4.4] Signed-off-by: Eric Sandeen <sandeen@redhat.com> Reviewed-by: Brian Foster <bfoster@redhat.com> Signed-off-by: Dave Chinner <david@fromorbit.com> Signed-off-by: Nikolay Borisov <nborisov@suse.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mvaisakh
pushed a commit
to mvaisakh/kernel-msm
that referenced
this issue
Aug 25, 2018
[ Upstream commit 2bbea6e ] when mounting an ISO filesystem sometimes (very rarely) the system hangs because of a race condition between two tasks. PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" #0 [ffff880078447ae0] __schedule at ffffffff8168d605 MotorolaMobilityLLC#1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 MotorolaMobilityLLC#2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 MotorolaMobilityLLC#3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef MotorolaMobilityLLC#4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] MotorolaMobilityLLC#5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 MotorolaMobilityLLC#6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 MotorolaMobilityLLC#7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] MotorolaMobilityLLC#8 [ffff880078447da8] mount_bdev at ffffffff81202570 MotorolaMobilityLLC#9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] MotorolaMobilityLLC#10 [ffff880078447e28] mount_fs at ffffffff81202d09 MotorolaMobilityLLC#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f MotorolaMobilityLLC#12 [ffff880078447ea8] do_mount at ffffffff81220fee MotorolaMobilityLLC#13 [ffff880078447f28] sys_mount at ffffffff812218d6 MotorolaMobilityLLC#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b This task was trying to mount the cdrom. It allocated and configured a super_block struct and owned the write-lock for the super_block->s_umount rwsem. While exclusively owning the s_umount lock, it called sr_block_ioctl and waited to acquire the global sr_mutex lock. PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" #0 [ffff880078417898] __schedule at ffffffff8168d605 MotorolaMobilityLLC#1 [ffff880078417900] schedule at ffffffff8168dc59 MotorolaMobilityLLC#2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 MotorolaMobilityLLC#3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 MotorolaMobilityLLC#4 [ffff8800784179d0] down_read at ffffffff8168cde0 MotorolaMobilityLLC#5 [ffff8800784179e8] get_super at ffffffff81201cc7 MotorolaMobilityLLC#6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de MotorolaMobilityLLC#7 [ffff880078417a40] flush_disk at ffffffff8123a94b MotorolaMobilityLLC#8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 MotorolaMobilityLLC#9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] MotorolaMobilityLLC#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] MotorolaMobilityLLC#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 MotorolaMobilityLLC#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 MotorolaMobilityLLC#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b MotorolaMobilityLLC#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 MotorolaMobilityLLC#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf MotorolaMobilityLLC#16 [ffff880078417d00] do_last at ffffffff8120d53d MotorolaMobilityLLC#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 MotorolaMobilityLLC#18 [ffff880078417e48] do_filp_open at ffffffff8121082b MotorolaMobilityLLC#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 MotorolaMobilityLLC#20 [ffff880078417f70] sys_open at ffffffff811fde4e MotorolaMobilityLLC#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b This task tried to open the cdrom device, the sr_block_open function acquired the global sr_mutex lock. The call to check_disk_change() then saw an event flag indicating a possible media change and tried to flush any cached data for the device. As part of the flush, it tried to acquire the super_block->s_umount lock associated with the cdrom device. This was the same super_block as created and locked by the previous task. The first task acquires the s_umount lock and then the sr_mutex_lock; the second task acquires the sr_mutex_lock and then the s_umount lock. This patch fixes the issue by moving check_disk_change() out of cdrom_open() and let the caller take care of it. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
fernandobouchet
pushed a commit
to fernandobouchet/kernel-msm
that referenced
this issue
Aug 28, 2018
[ Upstream commit 373c83a ] Using built-in in kernel image without a firmware in filesystem or in the kernel image can lead to a kernel NULL pointer deference. Watchdog need to be stopped in brcmf_sdio_remove The system is going down NOW! [ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8 Sent SIGTERM to all processes [ 1348.121412] Mem abort info: [ 1348.126962] ESR = 0x96000004 [ 1348.130023] Exception class = DABT (current EL), IL = 32 bits [ 1348.135948] SET = 0, FnV = 0 [ 1348.138997] EA = 0, S1PTW = 0 [ 1348.142154] Data abort info: [ 1348.145045] ISV = 0, ISS = 0x00000004 [ 1348.148884] CM = 0, WnR = 0 [ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) [ 1348.158475] [00000000000002f8] pgd=0000000000000000 [ 1348.163364] Internal error: Oops: 96000004 [MotorolaMobilityLLC#1] PREEMPT SMP [ 1348.168927] Modules linked in: ipv6 [ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 MotorolaMobilityLLC#18 [ 1348.180757] Hardware name: Amarula A64-Relic (DT) [ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO) [ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20 [ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290 [ 1348.200253] sp : ffff00000b85be30 [ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000 [ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638 [ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800 [ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660 [ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00 [ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001 [ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8 [ 1348.240711] x15: 0000000000000000 x14: 0000000000000400 [ 1348.246018] x13: 0000000000000400 x12: 0000000000000001 [ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10 [ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870 [ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55 [ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000 [ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100 [ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000 Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mvaisakh
pushed a commit
to mvaisakh/kernel-msm
that referenced
this issue
Aug 31, 2018
[ Upstream commit 373c83a ] Using built-in in kernel image without a firmware in filesystem or in the kernel image can lead to a kernel NULL pointer deference. Watchdog need to be stopped in brcmf_sdio_remove The system is going down NOW! [ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8 Sent SIGTERM to all processes [ 1348.121412] Mem abort info: [ 1348.126962] ESR = 0x96000004 [ 1348.130023] Exception class = DABT (current EL), IL = 32 bits [ 1348.135948] SET = 0, FnV = 0 [ 1348.138997] EA = 0, S1PTW = 0 [ 1348.142154] Data abort info: [ 1348.145045] ISV = 0, ISS = 0x00000004 [ 1348.148884] CM = 0, WnR = 0 [ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) [ 1348.158475] [00000000000002f8] pgd=0000000000000000 [ 1348.163364] Internal error: Oops: 96000004 [MotorolaMobilityLLC#1] PREEMPT SMP [ 1348.168927] Modules linked in: ipv6 [ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 MotorolaMobilityLLC#18 [ 1348.180757] Hardware name: Amarula A64-Relic (DT) [ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO) [ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20 [ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290 [ 1348.200253] sp : ffff00000b85be30 [ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000 [ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638 [ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800 [ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660 [ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00 [ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001 [ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8 [ 1348.240711] x15: 0000000000000000 x14: 0000000000000400 [ 1348.246018] x13: 0000000000000400 x12: 0000000000000001 [ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10 [ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870 [ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55 [ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000 [ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100 [ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000 Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mvaisakh
pushed a commit
to mvaisakh/kernel-msm
that referenced
this issue
Dec 8, 2018
[ Upstream commit 373c83a ] Using built-in in kernel image without a firmware in filesystem or in the kernel image can lead to a kernel NULL pointer deference. Watchdog need to be stopped in brcmf_sdio_remove The system is going down NOW! [ 1348.110759] Unable to handle kernel NULL pointer dereference at virtual address 000002f8 Sent SIGTERM to all processes [ 1348.121412] Mem abort info: [ 1348.126962] ESR = 0x96000004 [ 1348.130023] Exception class = DABT (current EL), IL = 32 bits [ 1348.135948] SET = 0, FnV = 0 [ 1348.138997] EA = 0, S1PTW = 0 [ 1348.142154] Data abort info: [ 1348.145045] ISV = 0, ISS = 0x00000004 [ 1348.148884] CM = 0, WnR = 0 [ 1348.151861] user pgtable: 4k pages, 48-bit VAs, pgdp = (____ptrval____) [ 1348.158475] [00000000000002f8] pgd=0000000000000000 [ 1348.163364] Internal error: Oops: 96000004 [MotorolaMobilityLLC#1] PREEMPT SMP [ 1348.168927] Modules linked in: ipv6 [ 1348.172421] CPU: 3 PID: 1421 Comm: brcmf_wdog/mmc0 Not tainted 4.17.0-rc5-next-20180517 MotorolaMobilityLLC#18 [ 1348.180757] Hardware name: Amarula A64-Relic (DT) [ 1348.185455] pstate: 60000005 (nZCv daif -PAN -UAO) [ 1348.190251] pc : brcmf_sdiod_freezer_count+0x0/0x20 [ 1348.195124] lr : brcmf_sdio_watchdog_thread+0x64/0x290 [ 1348.200253] sp : ffff00000b85be30 [ 1348.203561] x29: ffff00000b85be30 x28: 0000000000000000 [ 1348.208868] x27: ffff00000b6cb918 x26: ffff80003b990638 [ 1348.214176] x25: ffff0000087b1a20 x24: ffff80003b94f800 [ 1348.219483] x23: ffff000008e620c8 x22: ffff000008f0b660 [ 1348.224790] x21: ffff000008c6a858 x20: 00000000fffffe00 [ 1348.230097] x19: ffff80003b94f800 x18: 0000000000000001 [ 1348.235404] x17: 0000ffffab2e8a74 x16: ffff0000080d7de8 [ 1348.240711] x15: 0000000000000000 x14: 0000000000000400 [ 1348.246018] x13: 0000000000000400 x12: 0000000000000001 [ 1348.251324] x11: 00000000000002c4 x10: 0000000000000a10 [ 1348.256631] x9 : ffff00000b85bc40 x8 : ffff80003be11870 [ 1348.261937] x7 : ffff80003dfc7308 x6 : 000000078ff08b55 [ 1348.267243] x5 : 00000139e1058400 x4 : 0000000000000000 [ 1348.272550] x3 : dead000000000100 x2 : 958f2788d6618100 [ 1348.277856] x1 : 00000000fffffe00 x0 : 0000000000000000 Signed-off-by: Michael Trimarchi <michael@amarulasolutions.com> Acked-by: Arend van Spriel <arend.vanspriel@broadcom.com> Tested-by: Andy Shevchenko <andy.shevchenko@gmail.com> Signed-off-by: Kalle Valo <kvalo@codeaurora.org> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
tansly
pushed a commit
to tansly/kernel-msm
that referenced
this issue
Jun 26, 2019
commit ecf5fc6 upstream. Nikolay has reported a hang when a memcg reclaim got stuck with the following backtrace: PID: 18308 TASK: ffff883d7c9b0a30 CPU: 1 COMMAND: "rsync" #0 __schedule at ffffffff815ab152 MotorolaMobilityLLC#1 schedule at ffffffff815ab76e MotorolaMobilityLLC#2 schedule_timeout at ffffffff815ae5e5 MotorolaMobilityLLC#3 io_schedule_timeout at ffffffff815aad6a MotorolaMobilityLLC#4 bit_wait_io at ffffffff815abfc6 MotorolaMobilityLLC#5 __wait_on_bit at ffffffff815abda5 MotorolaMobilityLLC#6 wait_on_page_bit at ffffffff8111fd4f MotorolaMobilityLLC#7 shrink_page_list at ffffffff81135445 MotorolaMobilityLLC#8 shrink_inactive_list at ffffffff81135845 MotorolaMobilityLLC#9 shrink_lruvec at ffffffff81135ead MotorolaMobilityLLC#10 shrink_zone at ffffffff811360c3 MotorolaMobilityLLC#11 shrink_zones at ffffffff81136eff MotorolaMobilityLLC#12 do_try_to_free_pages at ffffffff8113712f MotorolaMobilityLLC#13 try_to_free_mem_cgroup_pages at ffffffff811372be MotorolaMobilityLLC#14 try_charge at ffffffff81189423 MotorolaMobilityLLC#15 mem_cgroup_try_charge at ffffffff8118c6f5 MotorolaMobilityLLC#16 __add_to_page_cache_locked at ffffffff8112137d MotorolaMobilityLLC#17 add_to_page_cache_lru at ffffffff81121618 MotorolaMobilityLLC#18 pagecache_get_page at ffffffff8112170b MotorolaMobilityLLC#19 grow_dev_page at ffffffff811c8297 MotorolaMobilityLLC#20 __getblk_slow at ffffffff811c91d6 MotorolaMobilityLLC#21 __getblk_gfp at ffffffff811c92c1 MotorolaMobilityLLC#22 ext4_ext_grow_indepth at ffffffff8124565c MotorolaMobilityLLC#23 ext4_ext_create_new_leaf at ffffffff81246ca8 MotorolaMobilityLLC#24 ext4_ext_insert_extent at ffffffff81246f09 MotorolaMobilityLLC#25 ext4_ext_map_blocks at ffffffff8124a848 MotorolaMobilityLLC#26 ext4_map_blocks at ffffffff8121a5b7 MotorolaMobilityLLC#27 mpage_map_one_extent at ffffffff8121b1fa MotorolaMobilityLLC#28 mpage_map_and_submit_extent at ffffffff8121f07b MotorolaMobilityLLC#29 ext4_writepages at ffffffff8121f6d5 MotorolaMobilityLLC#30 do_writepages at ffffffff8112c490 MotorolaMobilityLLC#31 __filemap_fdatawrite_range at ffffffff81120199 MotorolaMobilityLLC#32 filemap_flush at ffffffff8112041c MotorolaMobilityLLC#33 ext4_alloc_da_blocks at ffffffff81219da1 MotorolaMobilityLLC#34 ext4_rename at ffffffff81229b91 MotorolaMobilityLLC#35 ext4_rename2 at ffffffff81229e32 MotorolaMobilityLLC#36 vfs_rename at ffffffff811a08a5 MotorolaMobilityLLC#37 SYSC_renameat2 at ffffffff811a3ffc MotorolaMobilityLLC#38 sys_renameat2 at ffffffff811a408e MotorolaMobilityLLC#39 sys_rename at ffffffff8119e51e MotorolaMobilityLLC#40 system_call_fastpath at ffffffff815afa89 Dave Chinner has properly pointed out that this is a deadlock in the reclaim code because ext4 doesn't submit pages which are marked by PG_writeback right away. The heuristic was introduced by commit e62e384 ("memcg: prevent OOM with too many dirty pages") and it was applied only when may_enter_fs was specified. The code has been changed by c3b94f4 ("memcg: further prevent OOM with too many dirty pages") which has removed the __GFP_FS restriction with a reasoning that we do not get into the fs code. But this is not sufficient apparently because the fs doesn't necessarily submit pages marked PG_writeback for IO right away. ext4_bio_write_page calls io_submit_add_bh but that doesn't necessarily submit the bio. Instead it tries to map more pages into the bio and mpage_map_one_extent might trigger memcg charge which might end up waiting on a page which is marked PG_writeback but hasn't been submitted yet so we would end up waiting for something that never finishes. Fix this issue by replacing __GFP_IO by may_enter_fs check (for case 2) before we go to wait on the writeback. The page fault path, which is the only path that triggers memcg oom killer since 3.12, shouldn't require GFP_NOFS and so we shouldn't reintroduce the premature OOM killer issue which was originally addressed by the heuristic. As per David Chinner the xfs is doing similar thing since 2.6.15 already so ext4 is not the only affected filesystem. Moreover he notes: : For example: IO completion might require unwritten extent conversion : which executes filesystem transactions and GFP_NOFS allocations. The : writeback flag on the pages can not be cleared until unwritten : extent conversion completes. Hence memory reclaim cannot wait on : page writeback to complete in GFP_NOFS context because it is not : safe to do so, memcg reclaim or otherwise. [tytso@mit.edu: corrected the control flow] Fixes: c3b94f4 ("memcg: further prevent OOM with too many dirty pages") Reported-by: Nikolay Borisov <kernel@kyup.com> Signed-off-by: Michal Hocko <mhocko@suse.cz> Signed-off-by: Hugh Dickins <hughd@google.com> Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> Conflicts: mm/vmscan.c
walidham
pushed a commit
to walidham/kernel-msm
that referenced
this issue
Oct 29, 2020
[ Upstream commit 2bbea6e ] when mounting an ISO filesystem sometimes (very rarely) the system hangs because of a race condition between two tasks. PID: 6766 TASK: ffff88007b2a6dd0 CPU: 0 COMMAND: "mount" #0 [ffff880078447ae0] __schedule at ffffffff8168d605 MotorolaMobilityLLC#1 [ffff880078447b48] schedule_preempt_disabled at ffffffff8168ed49 MotorolaMobilityLLC#2 [ffff880078447b58] __mutex_lock_slowpath at ffffffff8168c995 MotorolaMobilityLLC#3 [ffff880078447bb8] mutex_lock at ffffffff8168bdef MotorolaMobilityLLC#4 [ffff880078447bd0] sr_block_ioctl at ffffffffa00b6818 [sr_mod] MotorolaMobilityLLC#5 [ffff880078447c10] blkdev_ioctl at ffffffff812fea50 MotorolaMobilityLLC#6 [ffff880078447c70] ioctl_by_bdev at ffffffff8123a8b3 MotorolaMobilityLLC#7 [ffff880078447c90] isofs_fill_super at ffffffffa04fb1e1 [isofs] MotorolaMobilityLLC#8 [ffff880078447da8] mount_bdev at ffffffff81202570 MotorolaMobilityLLC#9 [ffff880078447e18] isofs_mount at ffffffffa04f9828 [isofs] MotorolaMobilityLLC#10 [ffff880078447e28] mount_fs at ffffffff81202d09 MotorolaMobilityLLC#11 [ffff880078447e70] vfs_kern_mount at ffffffff8121ea8f MotorolaMobilityLLC#12 [ffff880078447ea8] do_mount at ffffffff81220fee MotorolaMobilityLLC#13 [ffff880078447f28] sys_mount at ffffffff812218d6 MotorolaMobilityLLC#14 [ffff880078447f80] system_call_fastpath at ffffffff81698c49 RIP: 00007fd9ea914e9a RSP: 00007ffd5d9bf648 RFLAGS: 00010246 RAX: 00000000000000a5 RBX: ffffffff81698c49 RCX: 0000000000000010 RDX: 00007fd9ec2bc210 RSI: 00007fd9ec2bc290 RDI: 00007fd9ec2bcf30 RBP: 0000000000000000 R8: 0000000000000000 R9: 0000000000000010 R10: 00000000c0ed0001 R11: 0000000000000206 R12: 00007fd9ec2bc040 R13: 00007fd9eb6b2380 R14: 00007fd9ec2bc210 R15: 00007fd9ec2bcf30 ORIG_RAX: 00000000000000a5 CS: 0033 SS: 002b This task was trying to mount the cdrom. It allocated and configured a super_block struct and owned the write-lock for the super_block->s_umount rwsem. While exclusively owning the s_umount lock, it called sr_block_ioctl and waited to acquire the global sr_mutex lock. PID: 6785 TASK: ffff880078720fb0 CPU: 0 COMMAND: "systemd-udevd" #0 [ffff880078417898] __schedule at ffffffff8168d605 MotorolaMobilityLLC#1 [ffff880078417900] schedule at ffffffff8168dc59 MotorolaMobilityLLC#2 [ffff880078417910] rwsem_down_read_failed at ffffffff8168f605 MotorolaMobilityLLC#3 [ffff880078417980] call_rwsem_down_read_failed at ffffffff81328838 MotorolaMobilityLLC#4 [ffff8800784179d0] down_read at ffffffff8168cde0 MotorolaMobilityLLC#5 [ffff8800784179e8] get_super at ffffffff81201cc7 MotorolaMobilityLLC#6 [ffff880078417a10] __invalidate_device at ffffffff8123a8de MotorolaMobilityLLC#7 [ffff880078417a40] flush_disk at ffffffff8123a94b MotorolaMobilityLLC#8 [ffff880078417a88] check_disk_change at ffffffff8123ab50 MotorolaMobilityLLC#9 [ffff880078417ab0] cdrom_open at ffffffffa00a29e1 [cdrom] MotorolaMobilityLLC#10 [ffff880078417b68] sr_block_open at ffffffffa00b6f9b [sr_mod] MotorolaMobilityLLC#11 [ffff880078417b98] __blkdev_get at ffffffff8123ba86 MotorolaMobilityLLC#12 [ffff880078417bf0] blkdev_get at ffffffff8123bd65 MotorolaMobilityLLC#13 [ffff880078417c78] blkdev_open at ffffffff8123bf9b MotorolaMobilityLLC#14 [ffff880078417c90] do_dentry_open at ffffffff811fc7f7 MotorolaMobilityLLC#15 [ffff880078417cd8] vfs_open at ffffffff811fc9cf MotorolaMobilityLLC#16 [ffff880078417d00] do_last at ffffffff8120d53d MotorolaMobilityLLC#17 [ffff880078417db0] path_openat at ffffffff8120e6b2 MotorolaMobilityLLC#18 [ffff880078417e48] do_filp_open at ffffffff8121082b MotorolaMobilityLLC#19 [ffff880078417f18] do_sys_open at ffffffff811fdd33 MotorolaMobilityLLC#20 [ffff880078417f70] sys_open at ffffffff811fde4e MotorolaMobilityLLC#21 [ffff880078417f80] system_call_fastpath at ffffffff81698c49 RIP: 00007f29438b0c20 RSP: 00007ffc76624b78 RFLAGS: 00010246 RAX: 0000000000000002 RBX: ffffffff81698c49 RCX: 0000000000000000 RDX: 00007f2944a5fa70 RSI: 00000000000a0800 RDI: 00007f2944a5fa70 RBP: 00007f2944a5f540 R8: 0000000000000000 R9: 0000000000000020 R10: 00007f2943614c40 R11: 0000000000000246 R12: ffffffff811fde4e R13: ffff880078417f78 R14: 000000000000000c R15: 00007f2944a4b010 ORIG_RAX: 0000000000000002 CS: 0033 SS: 002b This task tried to open the cdrom device, the sr_block_open function acquired the global sr_mutex lock. The call to check_disk_change() then saw an event flag indicating a possible media change and tried to flush any cached data for the device. As part of the flush, it tried to acquire the super_block->s_umount lock associated with the cdrom device. This was the same super_block as created and locked by the previous task. The first task acquires the s_umount lock and then the sr_mutex_lock; the second task acquires the sr_mutex_lock and then the s_umount lock. This patch fixes the issue by moving check_disk_change() out of cdrom_open() and let the caller take care of it. Signed-off-by: Maurizio Lombardi <mlombard@redhat.com> Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Sasha Levin <alexander.levin@microsoft.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ElectroPerf
pushed a commit
to ElectroPerf/kernel-msm
that referenced
this issue
Feb 14, 2023
[ Upstream commit 5dd7caf ] In __unregister_kprobe_top(), if the currently unregistered probe has post_handler but other child probes of the aggrprobe do not have post_handler, the post_handler of the aggrprobe is cleared. If this is a ftrace-based probe, there is a problem. In later calls to disarm_kprobe(), we will use kprobe_ftrace_ops because post_handler is NULL. But we're armed with kprobe_ipmodify_ops. This triggers a WARN in __disarm_kprobe_ftrace() and may even cause use-after-free: Failed to disarm kprobe-ftrace at kernel_clone+0x0/0x3c0 (error -2) WARNING: CPU: 5 PID: 137 at kernel/kprobes.c:1135 __disarm_kprobe_ftrace.isra.21+0xcf/0xe0 Modules linked in: testKprobe_007(-) CPU: 5 PID: 137 Comm: rmmod Not tainted 6.1.0-rc4-dirty MotorolaMobilityLLC#18 [...] Call Trace: <TASK> __disable_kprobe+0xcd/0xe0 __unregister_kprobe_top+0x12/0x150 ? mutex_lock+0xe/0x30 unregister_kprobes.part.23+0x31/0xa0 unregister_kprobe+0x32/0x40 __x64_sys_delete_module+0x15e/0x260 ? do_user_addr_fault+0x2cd/0x6b0 do_syscall_64+0x3a/0x90 entry_SYSCALL_64_after_hwframe+0x63/0xcd [...] For the kprobe-on-ftrace case, we keep the post_handler setting to identify this aggrprobe armed with kprobe_ipmodify_ops. This way we can disarm it correctly. Link: https://lore.kernel.org/all/20221112070000.35299-1-lihuafei1@huawei.com/ Fixes: 0bc11ed ("kprobes: Allow kprobes coexist with livepatch") Reported-by: Zhao Gongyi <zhaogongyi@huawei.com> Suggested-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Li Huafei <lihuafei1@huawei.com> Acked-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Masami Hiramatsu (Google) <mhiramat@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
chenyt9
pushed a commit
that referenced
this issue
May 9, 2023
commit 2a4a62a upstream. syscall_stub_data() expects the data_count parameter to be the number of longs, not bytes. ================================================================== BUG: KASAN: stack-out-of-bounds in syscall_stub_data+0x70/0xe0 Read of size 128 at addr 000000006411f6f0 by task swapper/1 CPU: 0 PID: 1 Comm: swapper Not tainted 5.18.0+ #18 Call Trace: show_stack.cold+0x166/0x2a7 __dump_stack+0x3a/0x43 dump_stack_lvl+0x1f/0x27 print_report.cold+0xdb/0xf81 kasan_report+0x119/0x1f0 kasan_check_range+0x3a3/0x440 memcpy+0x52/0x140 syscall_stub_data+0x70/0xe0 write_ldt_entry+0xac/0x190 init_new_ldt+0x515/0x960 init_new_context+0x2c4/0x4d0 mm_init.constprop.0+0x5ed/0x760 mm_alloc+0x118/0x170 0x60033f48 do_one_initcall+0x1d7/0x860 0x60003e7b kernel_init+0x6e/0x3d4 new_thread_handler+0x1e7/0x2c0 The buggy address belongs to stack of task swapper/1 and is located at offset 64 in frame: init_new_ldt+0x0/0x960 This frame has 2 objects: [32, 40) 'addr' [64, 80) 'desc' ================================================================== Fixes: 858259c ("uml: maintain own LDT entries") Signed-off-by: Vincent Whitchurch <vincent.whitchurch@axis.com> Cc: stable@vger.kernel.org Signed-off-by: Richard Weinberger <richard@nod.at> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
ElectroPerf
pushed a commit
to ElectroPerf/kernel-msm
that referenced
this issue
May 21, 2023
…g the sock [ Upstream commit 3cf7203ca620682165706f70a1b12b5194607dce ] There is a race condition in vxlan that when deleting a vxlan device during receiving packets, there is a possibility that the sock is released after getting vxlan_sock vs from sk_user_data. Then in later vxlan_ecn_decapsulate(), vxlan_get_sk_family() we will got NULL pointer dereference. e.g. #0 [ffffa25ec6978a38] machine_kexec at ffffffff8c669757 MotorolaMobilityLLC#1 [ffffa25ec6978a90] __crash_kexec at ffffffff8c7c0a4d MotorolaMobilityLLC#2 [ffffa25ec6978b58] crash_kexec at ffffffff8c7c1c48 MotorolaMobilityLLC#3 [ffffa25ec6978b60] oops_end at ffffffff8c627f2b MotorolaMobilityLLC#4 [ffffa25ec6978b80] page_fault_oops at ffffffff8c678fcb MotorolaMobilityLLC#5 [ffffa25ec6978bd8] exc_page_fault at ffffffff8d109542 MotorolaMobilityLLC#6 [ffffa25ec6978c00] asm_exc_page_fault at ffffffff8d200b62 [exception RIP: vxlan_ecn_decapsulate+0x3b] RIP: ffffffffc1014e7b RSP: ffffa25ec6978cb0 RFLAGS: 00010246 RAX: 0000000000000008 RBX: ffff8aa000888000 RCX: 0000000000000000 RDX: 000000000000000e RSI: ffff8a9fc7ab803e RDI: ffff8a9fd1168700 RBP: ffff8a9fc7ab803e R8: 0000000000700000 R9: 00000000000010ae R10: ffff8a9fcb748980 R11: 0000000000000000 R12: ffff8a9fd1168700 R13: ffff8aa000888000 R14: 00000000002a0000 R15: 00000000000010ae ORIG_RAX: ffffffffffffffff CS: 0010 SS: 0018 MotorolaMobilityLLC#7 [ffffa25ec6978ce8] vxlan_rcv at ffffffffc10189cd [vxlan] MotorolaMobilityLLC#8 [ffffa25ec6978d90] udp_queue_rcv_one_skb at ffffffff8cfb6507 MotorolaMobilityLLC#9 [ffffa25ec6978dc0] udp_unicast_rcv_skb at ffffffff8cfb6e45 MotorolaMobilityLLC#10 [ffffa25ec6978dc8] __udp4_lib_rcv at ffffffff8cfb8807 MotorolaMobilityLLC#11 [ffffa25ec6978e20] ip_protocol_deliver_rcu at ffffffff8cf76951 MotorolaMobilityLLC#12 [ffffa25ec6978e48] ip_local_deliver at ffffffff8cf76bde MotorolaMobilityLLC#13 [ffffa25ec6978ea0] __netif_receive_skb_one_core at ffffffff8cecde9b MotorolaMobilityLLC#14 [ffffa25ec6978ec8] process_backlog at ffffffff8cece139 MotorolaMobilityLLC#15 [ffffa25ec6978f00] __napi_poll at ffffffff8ceced1a MotorolaMobilityLLC#16 [ffffa25ec6978f28] net_rx_action at ffffffff8cecf1f3 MotorolaMobilityLLC#17 [ffffa25ec6978fa0] __softirqentry_text_start at ffffffff8d4000ca MotorolaMobilityLLC#18 [ffffa25ec6978ff0] do_softirq at ffffffff8c6fbdc3 Reproducer: https://github.com/Mellanox/ovs-tests/blob/master/test-ovs-vxlan-remove-tunnel-during-traffic.sh Fix this by waiting for all sk_user_data reader to finish before releasing the sock. Reported-by: Jianlin Shi <jishi@redhat.com> Suggested-by: Jakub Sitnicki <jakub@cloudflare.com> Fixes: 6a93cc9 ("udp-tunnel: Add a few more UDP tunnel APIs") Signed-off-by: Hangbin Liu <liuhangbin@gmail.com> Reviewed-by: Jiri Pirko <jiri@nvidia.com> Signed-off-by: David S. Miller <davem@davemloft.net> Signed-off-by: Sasha Levin <sashal@kernel.org>
ElectroPerf
pushed a commit
to ElectroPerf/kernel-msm
that referenced
this issue
May 21, 2023
[ Upstream commit b6702a942a069c2a975478d719e98d83cdae1797 ] syzkaller reported use-after-free with the stack trace like below [1]: [ 38.960489][ C3] ================================================================== [ 38.963216][ C3] BUG: KASAN: use-after-free in ar5523_cmd_tx_cb+0x220/0x240 [ 38.964950][ C3] Read of size 8 at addr ffff888048e03450 by task swapper/3/0 [ 38.966363][ C3] [ 38.967053][ C3] CPU: 3 PID: 0 Comm: swapper/3 Not tainted 6.0.0-09039-ga6afa4199d3d-dirty MotorolaMobilityLLC#18 [ 38.968464][ C3] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.0-1.fc36 04/01/2014 [ 38.969959][ C3] Call Trace: [ 38.970841][ C3] <IRQ> [ 38.971663][ C3] dump_stack_lvl+0xfc/0x174 [ 38.972620][ C3] print_report.cold+0x2c3/0x752 [ 38.973626][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.974644][ C3] kasan_report+0xb1/0x1d0 [ 38.975720][ C3] ? ar5523_cmd_tx_cb+0x220/0x240 [ 38.976831][ C3] ar5523_cmd_tx_cb+0x220/0x240 [ 38.978412][ C3] __usb_hcd_giveback_urb+0x353/0x5b0 [ 38.979755][ C3] usb_hcd_giveback_urb+0x385/0x430 [ 38.981266][ C3] dummy_timer+0x140c/0x34e0 [ 38.982925][ C3] ? notifier_call_chain+0xb5/0x1e0 [ 38.984761][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.986242][ C3] ? lock_release+0x51c/0x790 [ 38.987323][ C3] ? _raw_read_unlock_irqrestore+0x37/0x70 [ 38.988483][ C3] ? __wake_up_common_lock+0xde/0x130 [ 38.989621][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 38.990777][ C3] ? lock_acquire+0x472/0x550 [ 38.991919][ C3] ? rcu_read_lock_sched_held+0xb/0x60 [ 38.993138][ C3] ? lock_acquire+0x472/0x550 [ 38.994890][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.996266][ C3] ? do_raw_spin_unlock+0x16f/0x230 [ 38.997670][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 38.999116][ C3] call_timer_fn+0x1a0/0x6a0 [ 39.000668][ C3] ? add_timer_on+0x4a0/0x4a0 [ 39.002137][ C3] ? reacquire_held_locks+0x4a0/0x4a0 [ 39.003809][ C3] ? __next_timer_interrupt+0x226/0x2a0 [ 39.005509][ C3] __run_timers.part.0+0x69a/0xac0 [ 39.007025][ C3] ? dummy_urb_enqueue+0x860/0x860 [ 39.008716][ C3] ? call_timer_fn+0x6a0/0x6a0 [ 39.010254][ C3] ? cpuacct_percpu_seq_show+0x10/0x10 [ 39.011795][ C3] ? kvm_sched_clock_read+0x14/0x40 [ 39.013277][ C3] ? sched_clock_cpu+0x69/0x2b0 [ 39.014724][ C3] run_timer_softirq+0xb6/0x1d0 [ 39.016196][ C3] __do_softirq+0x1d2/0x9be [ 39.017616][ C3] __irq_exit_rcu+0xeb/0x190 [ 39.019004][ C3] irq_exit_rcu+0x5/0x20 [ 39.020361][ C3] sysvec_apic_timer_interrupt+0x8f/0xb0 [ 39.021965][ C3] </IRQ> [ 39.023237][ C3] <TASK> In ar5523_probe(), ar5523_host_available() calls ar5523_cmd() as below (there are other functions which finally call ar5523_cmd()): ar5523_probe() -> ar5523_host_available() -> ar5523_cmd_read() -> ar5523_cmd() If ar5523_cmd() timed out, then ar5523_host_available() failed and ar5523_probe() freed the device structure. So, ar5523_cmd_tx_cb() might touch the freed structure. This patch fixes this issue by canceling in-flight tx cmd if submitted urb timed out. Link: https://syzkaller.appspot.com/bug?id=9e12b2d54300842b71bdd18b54971385ff0d0d3a [1] Reported-by: syzbot+95001b1fd6dfcc716c29@syzkaller.appspotmail.com Signed-off-by: Shigeru Yoshida <syoshida@redhat.com> Signed-off-by: Kalle Valo <quic_kvalo@quicinc.com> Link: https://lore.kernel.org/r/20221009183223.420015-1-syoshida@redhat.com Signed-off-by: Sasha Levin <sashal@kernel.org>
ElectroPerf
pushed a commit
to ElectroPerf/kernel-msm
that referenced
this issue
May 21, 2023
[ Upstream commit 031af50045ea97ed4386eb3751ca2c134d0fc911 ] The inline assembly for arm64's cmpxchg_double*() implementations use a +Q constraint to hazard against other accesses to the memory location being exchanged. However, the pointer passed to the constraint is a pointer to unsigned long, and thus the hazard only applies to the first 8 bytes of the location. GCC can take advantage of this, assuming that other portions of the location are unchanged, leading to a number of potential problems. This is similar to what we fixed back in commit: fee960b ("arm64: xchg: hazard against entire exchange variable") ... but we forgot to adjust cmpxchg_double*() similarly at the same time. The same problem applies, as demonstrated with the following test: | struct big { | u64 lo, hi; | } __aligned(128); | | unsigned long foo(struct big *b) | { | u64 hi_old, hi_new; | | hi_old = b->hi; | cmpxchg_double_local(&b->lo, &b->hi, 0x12, 0x34, 0x56, 0x78); | hi_new = b->hi; | | return hi_old ^ hi_new; | } ... which GCC 12.1.0 compiles as: | 0000000000000000 <foo>: | 0: d503233f paciasp | 4: aa0003e4 mov x4, x0 | 8: 1400000e b 40 <foo+0x40> | c: d2800240 mov x0, #0x12 // MotorolaMobilityLLC#18 | 10: d2800681 mov x1, #0x34 // MotorolaMobilityLLC#52 | 14: aa0003e5 mov x5, x0 | 18: aa0103e6 mov x6, x1 | 1c: d2800ac2 mov x2, #0x56 // MotorolaMobilityLLC#86 | 20: d2800f03 mov x3, #0x78 // MotorolaMobilityLLC#120 | 24: 48207c82 casp x0, x1, x2, x3, [x4] | 28: ca050000 eor x0, x0, x5 | 2c: ca060021 eor x1, x1, x6 | 30: aa010000 orr x0, x0, x1 | 34: d2800000 mov x0, #0x0 // #0 <--- BANG | 38: d50323bf autiasp | 3c: d65f03c0 ret | 40: d2800240 mov x0, #0x12 // MotorolaMobilityLLC#18 | 44: d2800681 mov x1, #0x34 // MotorolaMobilityLLC#52 | 48: d2800ac2 mov x2, #0x56 // MotorolaMobilityLLC#86 | 4c: d2800f03 mov x3, #0x78 // MotorolaMobilityLLC#120 | 50: f9800091 prfm pstl1strm, [x4] | 54: c87f1885 ldxp x5, x6, [x4] | 58: ca0000a5 eor x5, x5, x0 | 5c: ca0100c6 eor x6, x6, x1 | 60: aa0600a6 orr x6, x5, x6 | 64: b5000066 cbnz x6, 70 <foo+0x70> | 68: c8250c82 stxp w5, x2, x3, [x4] | 6c: 35ffff45 cbnz w5, 54 <foo+0x54> | 70: d2800000 mov x0, #0x0 // #0 <--- BANG | 74: d50323bf autiasp | 78: d65f03c0 ret Notice that at the lines with "BANG" comments, GCC has assumed that the higher 8 bytes are unchanged by the cmpxchg_double() call, and that `hi_old ^ hi_new` can be reduced to a constant zero, for both LSE and LL/SC versions of cmpxchg_double(). This patch fixes the issue by passing a pointer to __uint128_t into the +Q constraint, ensuring that the compiler hazards against the entire 16 bytes being modified. With this change, GCC 12.1.0 compiles the above test as: | 0000000000000000 <foo>: | 0: f9400407 ldr x7, [x0, MotorolaMobilityLLC#8] | 4: d503233f paciasp | 8: aa0003e4 mov x4, x0 | c: 1400000f b 48 <foo+0x48> | 10: d2800240 mov x0, #0x12 // MotorolaMobilityLLC#18 | 14: d2800681 mov x1, #0x34 // MotorolaMobilityLLC#52 | 18: aa0003e5 mov x5, x0 | 1c: aa0103e6 mov x6, x1 | 20: d2800ac2 mov x2, #0x56 // MotorolaMobilityLLC#86 | 24: d2800f03 mov x3, #0x78 // MotorolaMobilityLLC#120 | 28: 48207c82 casp x0, x1, x2, x3, [x4] | 2c: ca050000 eor x0, x0, x5 | 30: ca060021 eor x1, x1, x6 | 34: aa010000 orr x0, x0, x1 | 38: f9400480 ldr x0, [x4, MotorolaMobilityLLC#8] | 3c: d50323bf autiasp | 40: ca0000e0 eor x0, x7, x0 | 44: d65f03c0 ret | 48: d2800240 mov x0, #0x12 // MotorolaMobilityLLC#18 | 4c: d2800681 mov x1, #0x34 // MotorolaMobilityLLC#52 | 50: d2800ac2 mov x2, #0x56 // MotorolaMobilityLLC#86 | 54: d2800f03 mov x3, #0x78 // MotorolaMobilityLLC#120 | 58: f9800091 prfm pstl1strm, [x4] | 5c: c87f1885 ldxp x5, x6, [x4] | 60: ca0000a5 eor x5, x5, x0 | 64: ca0100c6 eor x6, x6, x1 | 68: aa0600a6 orr x6, x5, x6 | 6c: b5000066 cbnz x6, 78 <foo+0x78> | 70: c8250c82 stxp w5, x2, x3, [x4] | 74: 35ffff45 cbnz w5, 5c <foo+0x5c> | 78: f9400480 ldr x0, [x4, MotorolaMobilityLLC#8] | 7c: d50323bf autiasp | 80: ca0000e0 eor x0, x7, x0 | 84: d65f03c0 ret ... sampling the high 8 bytes before and after the cmpxchg, and performing an EOR, as we'd expect. For backporting, I've tested this atop linux-4.9.y with GCC 5.5.0. Note that linux-4.9.y is oldest currently supported stable release, and mandates GCC 5.1+. Unfortunately I couldn't get a GCC 5.1 binary to run on my machines due to library incompatibilities. I've also used a standalone test to check that we can use a __uint128_t pointer in a +Q constraint at least as far back as GCC 4.8.5 and LLVM 3.9.1. Fixes: 5284e1b ("arm64: xchg: Implement cmpxchg_double") Fixes: e9a4b79 ("arm64: cmpxchg_dbl: patch in lse instructions when supported by the CPU") Reported-by: Boqun Feng <boqun.feng@gmail.com> Link: https://lore.kernel.org/lkml/Y6DEfQXymYVgL3oJ@boqun-archlinux/ Reported-by: Peter Zijlstra <peterz@infradead.org> Link: https://lore.kernel.org/lkml/Y6GXoO4qmH9OIZ5Q@hirez.programming.kicks-ass.net/ Signed-off-by: Mark Rutland <mark.rutland@arm.com> Cc: stable@vger.kernel.org Cc: Arnd Bergmann <arnd@arndb.de> Cc: Catalin Marinas <catalin.marinas@arm.com> Cc: Steve Capper <steve.capper@arm.com> Cc: Will Deacon <will@kernel.org> Link: https://lore.kernel.org/r/20230104151626.3262137-1-mark.rutland@arm.com Signed-off-by: Will Deacon <will@kernel.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
ElectroPerf
pushed a commit
to ElectroPerf/kernel-msm
that referenced
this issue
Aug 25, 2023
commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ MotorolaMobilityLLC#18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ Fixes: fa9251a ("SUNRPC: Call the default socket callbacks instead of open coding") Signed-off-by: Ding Hui <dinghui@sangfor.com.cn> Cc: <stable@vger.kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sevenrock
pushed a commit
to sevenrock/android_kernel_motorola_sm6375
that referenced
this issue
Mar 26, 2024
commit 0b0747d507bffb827e40fc0f9fb5883fffc23477 upstream. The following processes run into a deadlock. CPU 41 was waiting for CPU 29 to handle a CSD request while holding spinlock "crashdump_lock", but CPU 29 was hung by that spinlock with IRQs disabled. PID: 17360 TASK: ffff95c1090c5c40 CPU: 41 COMMAND: "mrdiagd" !# 0 [ffffb80edbf37b58] __read_once_size at ffffffff9b871a40 include/linux/compiler.h:185:0 !# 1 [ffffb80edbf37b58] atomic_read at ffffffff9b871a40 arch/x86/include/asm/atomic.h:27:0 !# 2 [ffffb80edbf37b58] dump_stack at ffffffff9b871a40 lib/dump_stack.c:54:0 # 3 [ffffb80edbf37b78] csd_lock_wait_toolong at ffffffff9b131ad5 kernel/smp.c:364:0 # 4 [ffffb80edbf37b78] __csd_lock_wait at ffffffff9b131ad5 kernel/smp.c:384:0 # 5 [ffffb80edbf37bf8] csd_lock_wait at ffffffff9b13267a kernel/smp.c:394:0 # 6 [ffffb80edbf37bf8] smp_call_function_many at ffffffff9b13267a kernel/smp.c:843:0 # 7 [ffffb80edbf37c50] smp_call_function at ffffffff9b13279d kernel/smp.c:867:0 # 8 [ffffb80edbf37c50] on_each_cpu at ffffffff9b13279d kernel/smp.c:976:0 # 9 [ffffb80edbf37c78] flush_tlb_kernel_range at ffffffff9b085c4b arch/x86/mm/tlb.c:742:0 MotorolaMobilityLLC#10 [ffffb80edbf37cb8] __purge_vmap_area_lazy at ffffffff9b23a1e0 mm/vmalloc.c:701:0 MotorolaMobilityLLC#11 [ffffb80edbf37ce0] try_purge_vmap_area_lazy at ffffffff9b23a2cc mm/vmalloc.c:722:0 MotorolaMobilityLLC#12 [ffffb80edbf37ce0] free_vmap_area_noflush at ffffffff9b23a2cc mm/vmalloc.c:754:0 MotorolaMobilityLLC#13 [ffffb80edbf37cf8] free_unmap_vmap_area at ffffffff9b23bb3b mm/vmalloc.c:764:0 MotorolaMobilityLLC#14 [ffffb80edbf37cf8] remove_vm_area at ffffffff9b23bb3b mm/vmalloc.c:1509:0 MotorolaMobilityLLC#15 [ffffb80edbf37d18] __vunmap at ffffffff9b23bb8a mm/vmalloc.c:1537:0 MotorolaMobilityLLC#16 [ffffb80edbf37d40] vfree at ffffffff9b23bc85 mm/vmalloc.c:1612:0 MotorolaMobilityLLC#17 [ffffb80edbf37d58] megasas_free_host_crash_buffer [megaraid_sas] at ffffffffc020b7f2 drivers/scsi/megaraid/megaraid_sas_fusion.c:3932:0 MotorolaMobilityLLC#18 [ffffb80edbf37d80] fw_crash_state_store [megaraid_sas] at ffffffffc01f804d drivers/scsi/megaraid/megaraid_sas_base.c:3291:0 MotorolaMobilityLLC#19 [ffffb80edbf37dc0] dev_attr_store at ffffffff9b56dd7b drivers/base/core.c:758:0 MotorolaMobilityLLC#20 [ffffb80edbf37dd0] sysfs_kf_write at ffffffff9b326acf fs/sysfs/file.c:144:0 MotorolaMobilityLLC#21 [ffffb80edbf37de0] kernfs_fop_write at ffffffff9b325fd4 fs/kernfs/file.c:316:0 MotorolaMobilityLLC#22 [ffffb80edbf37e20] __vfs_write at ffffffff9b29418a fs/read_write.c:480:0 MotorolaMobilityLLC#23 [ffffb80edbf37ea8] vfs_write at ffffffff9b294462 fs/read_write.c:544:0 MotorolaMobilityLLC#24 [ffffb80edbf37ee8] SYSC_write at ffffffff9b2946ec fs/read_write.c:590:0 MotorolaMobilityLLC#25 [ffffb80edbf37ee8] SyS_write at ffffffff9b2946ec fs/read_write.c:582:0 MotorolaMobilityLLC#26 [ffffb80edbf37f30] do_syscall_64 at ffffffff9b003ca9 arch/x86/entry/common.c:298:0 MotorolaMobilityLLC#27 [ffffb80edbf37f58] entry_SYSCALL_64 at ffffffff9ba001b1 arch/x86/entry/entry_64.S:238:0 PID: 17355 TASK: ffff95c1090c3d80 CPU: 29 COMMAND: "mrdiagd" !# 0 [ffffb80f2d3c7d30] __read_once_size at ffffffff9b0f2ab0 include/linux/compiler.h:185:0 !# 1 [ffffb80f2d3c7d30] native_queued_spin_lock_slowpath at ffffffff9b0f2ab0 kernel/locking/qspinlock.c:368:0 # 2 [ffffb80f2d3c7d58] pv_queued_spin_lock_slowpath at ffffffff9b0f244b arch/x86/include/asm/paravirt.h:674:0 # 3 [ffffb80f2d3c7d58] queued_spin_lock_slowpath at ffffffff9b0f244b arch/x86/include/asm/qspinlock.h:53:0 # 4 [ffffb80f2d3c7d68] queued_spin_lock at ffffffff9b8961a6 include/asm-generic/qspinlock.h:90:0 # 5 [ffffb80f2d3c7d68] do_raw_spin_lock_flags at ffffffff9b8961a6 include/linux/spinlock.h:173:0 # 6 [ffffb80f2d3c7d68] __raw_spin_lock_irqsave at ffffffff9b8961a6 include/linux/spinlock_api_smp.h:122:0 # 7 [ffffb80f2d3c7d68] _raw_spin_lock_irqsave at ffffffff9b8961a6 kernel/locking/spinlock.c:160:0 # 8 [ffffb80f2d3c7d88] fw_crash_buffer_store [megaraid_sas] at ffffffffc01f8129 drivers/scsi/megaraid/megaraid_sas_base.c:3205:0 # 9 [ffffb80f2d3c7dc0] dev_attr_store at ffffffff9b56dd7b drivers/base/core.c:758:0 MotorolaMobilityLLC#10 [ffffb80f2d3c7dd0] sysfs_kf_write at ffffffff9b326acf fs/sysfs/file.c:144:0 MotorolaMobilityLLC#11 [ffffb80f2d3c7de0] kernfs_fop_write at ffffffff9b325fd4 fs/kernfs/file.c:316:0 MotorolaMobilityLLC#12 [ffffb80f2d3c7e20] __vfs_write at ffffffff9b29418a fs/read_write.c:480:0 MotorolaMobilityLLC#13 [ffffb80f2d3c7ea8] vfs_write at ffffffff9b294462 fs/read_write.c:544:0 MotorolaMobilityLLC#14 [ffffb80f2d3c7ee8] SYSC_write at ffffffff9b2946ec fs/read_write.c:590:0 MotorolaMobilityLLC#15 [ffffb80f2d3c7ee8] SyS_write at ffffffff9b2946ec fs/read_write.c:582:0 MotorolaMobilityLLC#16 [ffffb80f2d3c7f30] do_syscall_64 at ffffffff9b003ca9 arch/x86/entry/common.c:298:0 MotorolaMobilityLLC#17 [ffffb80f2d3c7f58] entry_SYSCALL_64 at ffffffff9ba001b1 arch/x86/entry/entry_64.S:238:0 The lock is used to synchronize different sysfs operations, it doesn't protect any resource that will be touched by an interrupt. Consequently it's not required to disable IRQs. Replace the spinlock with a mutex to fix the deadlock. Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Link: https://lore.kernel.org/r/20230828221018.19471-1-junxiao.bi@oracle.com Reviewed-by: Mike Christie <michael.christie@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
sevenrock
pushed a commit
to sevenrock/android_kernel_motorola_sm6375
that referenced
this issue
Mar 26, 2024
[ Upstream commit a154f5f643c6ecddd44847217a7a3845b4350003 ] The following call trace shows a deadlock issue due to recursive locking of mutex "device_mutex". First lock acquire is in target_for_each_device() and second in target_free_device(). PID: 148266 TASK: ffff8be21ffb5d00 CPU: 10 COMMAND: "iscsi_ttx" #0 [ffffa2bfc9ec3b18] __schedule at ffffffffa8060e7f MotorolaMobilityLLC#1 [ffffa2bfc9ec3ba0] schedule at ffffffffa8061224 MotorolaMobilityLLC#2 [ffffa2bfc9ec3bb8] schedule_preempt_disabled at ffffffffa80615ee MotorolaMobilityLLC#3 [ffffa2bfc9ec3bc8] __mutex_lock at ffffffffa8062fd7 MotorolaMobilityLLC#4 [ffffa2bfc9ec3c40] __mutex_lock_slowpath at ffffffffa80631d3 MotorolaMobilityLLC#5 [ffffa2bfc9ec3c50] mutex_lock at ffffffffa806320c MotorolaMobilityLLC#6 [ffffa2bfc9ec3c68] target_free_device at ffffffffc0935998 [target_core_mod] MotorolaMobilityLLC#7 [ffffa2bfc9ec3c90] target_core_dev_release at ffffffffc092f975 [target_core_mod] MotorolaMobilityLLC#8 [ffffa2bfc9ec3ca0] config_item_put at ffffffffa79d250f MotorolaMobilityLLC#9 [ffffa2bfc9ec3cd0] config_item_put at ffffffffa79d2583 MotorolaMobilityLLC#10 [ffffa2bfc9ec3ce0] target_devices_idr_iter at ffffffffc0933f3a [target_core_mod] MotorolaMobilityLLC#11 [ffffa2bfc9ec3d00] idr_for_each at ffffffffa803f6fc MotorolaMobilityLLC#12 [ffffa2bfc9ec3d60] target_for_each_device at ffffffffc0935670 [target_core_mod] MotorolaMobilityLLC#13 [ffffa2bfc9ec3d98] transport_deregister_session at ffffffffc0946408 [target_core_mod] MotorolaMobilityLLC#14 [ffffa2bfc9ec3dc8] iscsit_close_session at ffffffffc09a44a6 [iscsi_target_mod] MotorolaMobilityLLC#15 [ffffa2bfc9ec3df0] iscsit_close_connection at ffffffffc09a4a88 [iscsi_target_mod] MotorolaMobilityLLC#16 [ffffa2bfc9ec3df8] finish_task_switch at ffffffffa76e5d07 MotorolaMobilityLLC#17 [ffffa2bfc9ec3e78] iscsit_take_action_for_connection_exit at ffffffffc0991c23 [iscsi_target_mod] MotorolaMobilityLLC#18 [ffffa2bfc9ec3ea0] iscsi_target_tx_thread at ffffffffc09a403b [iscsi_target_mod] MotorolaMobilityLLC#19 [ffffa2bfc9ec3f08] kthread at ffffffffa76d8080 MotorolaMobilityLLC#20 [ffffa2bfc9ec3f50] ret_from_fork at ffffffffa8200364 Fixes: 36d4cb4 ("scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion") Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Link: https://lore.kernel.org/r/20230918225848.66463-1-junxiao.bi@oracle.com Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
mbissaromoto
pushed a commit
that referenced
this issue
Jul 6, 2024
commit fc80fc2d4e39137869da3150ee169b40bf879287 upstream. After the listener svc_sock is freed, and before invoking svc_tcp_accept() for the established child sock, there is a window that the newsock retaining a freed listener svc_sock in sk_user_data which cloning from parent. In the race window, if data is received on the newsock, we will observe use-after-free report in svc_tcp_listen_data_ready(). Reproduce by two tasks: 1. while :; do rpc.nfsd 0 ; rpc.nfsd; done 2. while :; do echo "" | ncat -4 127.0.0.1 2049 ; done KASAN report: ================================================================== BUG: KASAN: slab-use-after-free in svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] Read of size 8 at addr ffff888139d96228 by task nc/102553 CPU: 7 PID: 102553 Comm: nc Not tainted 6.3.0+ #18 Hardware name: VMware, Inc. VMware Virtual Platform/440BX Desktop Reference Platform, BIOS 6.00 11/12/2020 Call Trace: <IRQ> dump_stack_lvl+0x33/0x50 print_address_description.constprop.0+0x27/0x310 print_report+0x3e/0x70 kasan_report+0xae/0xe0 svc_tcp_listen_data_ready+0x1cf/0x1f0 [sunrpc] tcp_data_queue+0x9f4/0x20e0 tcp_rcv_established+0x666/0x1f60 tcp_v4_do_rcv+0x51c/0x850 tcp_v4_rcv+0x23fc/0x2e80 ip_protocol_deliver_rcu+0x62/0x300 ip_local_deliver_finish+0x267/0x350 ip_local_deliver+0x18b/0x2d0 ip_rcv+0x2fb/0x370 __netif_receive_skb_one_core+0x166/0x1b0 process_backlog+0x24c/0x5e0 __napi_poll+0xa2/0x500 net_rx_action+0x854/0xc90 __do_softirq+0x1bb/0x5de do_softirq+0xcb/0x100 </IRQ> <TASK> ... </TASK> Allocated by task 102371: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 __kasan_kmalloc+0x7b/0x90 svc_setup_socket+0x52/0x4f0 [sunrpc] svc_addsock+0x20d/0x400 [sunrpc] __write_ports_addfd+0x209/0x390 [nfsd] write_ports+0x239/0x2c0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Freed by task 102551: kasan_save_stack+0x1e/0x40 kasan_set_track+0x21/0x30 kasan_save_free_info+0x2a/0x50 __kasan_slab_free+0x106/0x190 __kmem_cache_free+0x133/0x270 svc_xprt_free+0x1e2/0x350 [sunrpc] svc_xprt_destroy_all+0x25a/0x440 [sunrpc] nfsd_put+0x125/0x240 [nfsd] nfsd_svc+0x2cb/0x3c0 [nfsd] write_threads+0x1ac/0x2a0 [nfsd] nfsctl_transaction_write+0xac/0x110 [nfsd] vfs_write+0x1c3/0xae0 ksys_write+0xed/0x1c0 do_syscall_64+0x38/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc Fix the UAF by simply doing nothing in svc_tcp_listen_data_ready() if state != TCP_LISTEN, that will avoid dereferencing svsk for all child socket. Link: https://lore.kernel.org/lkml/20230507091131.23540-1-dinghui@sangfor.com.cn/ Fixes: fa9251a ("SUNRPC: Call the default socket callbacks instead of open coding") Signed-off-by: Ding Hui <dinghui@sangfor.com.cn> Cc: <stable@vger.kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mbissaromoto
pushed a commit
that referenced
this issue
Jul 6, 2024
commit 0b0747d507bffb827e40fc0f9fb5883fffc23477 upstream. The following processes run into a deadlock. CPU 41 was waiting for CPU 29 to handle a CSD request while holding spinlock "crashdump_lock", but CPU 29 was hung by that spinlock with IRQs disabled. PID: 17360 TASK: ffff95c1090c5c40 CPU: 41 COMMAND: "mrdiagd" !# 0 [ffffb80edbf37b58] __read_once_size at ffffffff9b871a40 include/linux/compiler.h:185:0 !# 1 [ffffb80edbf37b58] atomic_read at ffffffff9b871a40 arch/x86/include/asm/atomic.h:27:0 !# 2 [ffffb80edbf37b58] dump_stack at ffffffff9b871a40 lib/dump_stack.c:54:0 # 3 [ffffb80edbf37b78] csd_lock_wait_toolong at ffffffff9b131ad5 kernel/smp.c:364:0 # 4 [ffffb80edbf37b78] __csd_lock_wait at ffffffff9b131ad5 kernel/smp.c:384:0 # 5 [ffffb80edbf37bf8] csd_lock_wait at ffffffff9b13267a kernel/smp.c:394:0 # 6 [ffffb80edbf37bf8] smp_call_function_many at ffffffff9b13267a kernel/smp.c:843:0 # 7 [ffffb80edbf37c50] smp_call_function at ffffffff9b13279d kernel/smp.c:867:0 # 8 [ffffb80edbf37c50] on_each_cpu at ffffffff9b13279d kernel/smp.c:976:0 # 9 [ffffb80edbf37c78] flush_tlb_kernel_range at ffffffff9b085c4b arch/x86/mm/tlb.c:742:0 #10 [ffffb80edbf37cb8] __purge_vmap_area_lazy at ffffffff9b23a1e0 mm/vmalloc.c:701:0 #11 [ffffb80edbf37ce0] try_purge_vmap_area_lazy at ffffffff9b23a2cc mm/vmalloc.c:722:0 #12 [ffffb80edbf37ce0] free_vmap_area_noflush at ffffffff9b23a2cc mm/vmalloc.c:754:0 #13 [ffffb80edbf37cf8] free_unmap_vmap_area at ffffffff9b23bb3b mm/vmalloc.c:764:0 #14 [ffffb80edbf37cf8] remove_vm_area at ffffffff9b23bb3b mm/vmalloc.c:1509:0 #15 [ffffb80edbf37d18] __vunmap at ffffffff9b23bb8a mm/vmalloc.c:1537:0 #16 [ffffb80edbf37d40] vfree at ffffffff9b23bc85 mm/vmalloc.c:1612:0 #17 [ffffb80edbf37d58] megasas_free_host_crash_buffer [megaraid_sas] at ffffffffc020b7f2 drivers/scsi/megaraid/megaraid_sas_fusion.c:3932:0 #18 [ffffb80edbf37d80] fw_crash_state_store [megaraid_sas] at ffffffffc01f804d drivers/scsi/megaraid/megaraid_sas_base.c:3291:0 #19 [ffffb80edbf37dc0] dev_attr_store at ffffffff9b56dd7b drivers/base/core.c:758:0 #20 [ffffb80edbf37dd0] sysfs_kf_write at ffffffff9b326acf fs/sysfs/file.c:144:0 #21 [ffffb80edbf37de0] kernfs_fop_write at ffffffff9b325fd4 fs/kernfs/file.c:316:0 #22 [ffffb80edbf37e20] __vfs_write at ffffffff9b29418a fs/read_write.c:480:0 #23 [ffffb80edbf37ea8] vfs_write at ffffffff9b294462 fs/read_write.c:544:0 #24 [ffffb80edbf37ee8] SYSC_write at ffffffff9b2946ec fs/read_write.c:590:0 #25 [ffffb80edbf37ee8] SyS_write at ffffffff9b2946ec fs/read_write.c:582:0 #26 [ffffb80edbf37f30] do_syscall_64 at ffffffff9b003ca9 arch/x86/entry/common.c:298:0 #27 [ffffb80edbf37f58] entry_SYSCALL_64 at ffffffff9ba001b1 arch/x86/entry/entry_64.S:238:0 PID: 17355 TASK: ffff95c1090c3d80 CPU: 29 COMMAND: "mrdiagd" !# 0 [ffffb80f2d3c7d30] __read_once_size at ffffffff9b0f2ab0 include/linux/compiler.h:185:0 !# 1 [ffffb80f2d3c7d30] native_queued_spin_lock_slowpath at ffffffff9b0f2ab0 kernel/locking/qspinlock.c:368:0 # 2 [ffffb80f2d3c7d58] pv_queued_spin_lock_slowpath at ffffffff9b0f244b arch/x86/include/asm/paravirt.h:674:0 # 3 [ffffb80f2d3c7d58] queued_spin_lock_slowpath at ffffffff9b0f244b arch/x86/include/asm/qspinlock.h:53:0 # 4 [ffffb80f2d3c7d68] queued_spin_lock at ffffffff9b8961a6 include/asm-generic/qspinlock.h:90:0 # 5 [ffffb80f2d3c7d68] do_raw_spin_lock_flags at ffffffff9b8961a6 include/linux/spinlock.h:173:0 # 6 [ffffb80f2d3c7d68] __raw_spin_lock_irqsave at ffffffff9b8961a6 include/linux/spinlock_api_smp.h:122:0 # 7 [ffffb80f2d3c7d68] _raw_spin_lock_irqsave at ffffffff9b8961a6 kernel/locking/spinlock.c:160:0 # 8 [ffffb80f2d3c7d88] fw_crash_buffer_store [megaraid_sas] at ffffffffc01f8129 drivers/scsi/megaraid/megaraid_sas_base.c:3205:0 # 9 [ffffb80f2d3c7dc0] dev_attr_store at ffffffff9b56dd7b drivers/base/core.c:758:0 #10 [ffffb80f2d3c7dd0] sysfs_kf_write at ffffffff9b326acf fs/sysfs/file.c:144:0 #11 [ffffb80f2d3c7de0] kernfs_fop_write at ffffffff9b325fd4 fs/kernfs/file.c:316:0 #12 [ffffb80f2d3c7e20] __vfs_write at ffffffff9b29418a fs/read_write.c:480:0 #13 [ffffb80f2d3c7ea8] vfs_write at ffffffff9b294462 fs/read_write.c:544:0 #14 [ffffb80f2d3c7ee8] SYSC_write at ffffffff9b2946ec fs/read_write.c:590:0 #15 [ffffb80f2d3c7ee8] SyS_write at ffffffff9b2946ec fs/read_write.c:582:0 #16 [ffffb80f2d3c7f30] do_syscall_64 at ffffffff9b003ca9 arch/x86/entry/common.c:298:0 #17 [ffffb80f2d3c7f58] entry_SYSCALL_64 at ffffffff9ba001b1 arch/x86/entry/entry_64.S:238:0 The lock is used to synchronize different sysfs operations, it doesn't protect any resource that will be touched by an interrupt. Consequently it's not required to disable IRQs. Replace the spinlock with a mutex to fix the deadlock. Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Link: https://lore.kernel.org/r/20230828221018.19471-1-junxiao.bi@oracle.com Reviewed-by: M(CR) Christie <michael.christie@oracle.com> Cc: stable@vger.kernel.org Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
mbissaromoto
pushed a commit
that referenced
this issue
Jul 6, 2024
[ Upstream commit a154f5f643c6ecddd44847217a7a3845b4350003 ] The following call trace shows a deadlock issue due to recursive locking of mutex "device_mutex". First lock acquire is in target_for_each_device() and second in target_free_device(). PID: 148266 TASK: ffff8be21ffb5d00 CPU: 10 COMMAND: "iscsi_ttx" #0 [ffffa2bfc9ec3b18] __schedule at ffffffffa8060e7f #1 [ffffa2bfc9ec3ba0] schedule at ffffffffa8061224 #2 [ffffa2bfc9ec3bb8] schedule_preempt_disabled at ffffffffa80615ee #3 [ffffa2bfc9ec3bc8] __mutex_lock at ffffffffa8062fd7 #4 [ffffa2bfc9ec3c40] __mutex_lock_slowpath at ffffffffa80631d3 #5 [ffffa2bfc9ec3c50] mutex_lock at ffffffffa806320c #6 [ffffa2bfc9ec3c68] target_free_device at ffffffffc0935998 [target_core_mod] #7 [ffffa2bfc9ec3c90] target_core_dev_release at ffffffffc092f975 [target_core_mod] #8 [ffffa2bfc9ec3ca0] config_item_put at ffffffffa79d250f #9 [ffffa2bfc9ec3cd0] config_item_put at ffffffffa79d2583 #10 [ffffa2bfc9ec3ce0] target_devices_idr_iter at ffffffffc0933f3a [target_core_mod] #11 [ffffa2bfc9ec3d00] idr_for_each at ffffffffa803f6fc #12 [ffffa2bfc9ec3d60] target_for_each_device at ffffffffc0935670 [target_core_mod] #13 [ffffa2bfc9ec3d98] transport_deregister_session at ffffffffc0946408 [target_core_mod] #14 [ffffa2bfc9ec3dc8] iscsit_close_session at ffffffffc09a44a6 [iscsi_target_mod] #15 [ffffa2bfc9ec3df0] iscsit_close_connection at ffffffffc09a4a88 [iscsi_target_mod] #16 [ffffa2bfc9ec3df8] finish_task_switch at ffffffffa76e5d07 #17 [ffffa2bfc9ec3e78] iscsit_take_action_for_connection_exit at ffffffffc0991c23 [iscsi_target_mod] #18 [ffffa2bfc9ec3ea0] iscsi_target_tx_thread at ffffffffc09a403b [iscsi_target_mod] #19 [ffffa2bfc9ec3f08] kthread at ffffffffa76d8080 #20 [ffffa2bfc9ec3f50] ret_from_fork at ffffffffa8200364 Fixes: 36d4cb4 ("scsi: target: Avoid that EXTENDED COPY commands trigger lock inversion") Signed-off-by: Junxiao Bi <junxiao.bi@oracle.com> Link: https://lore.kernel.org/r/20230918225848.66463-1-junxiao.bi@oracle.com Reviewed-by: M(CR) Christie <michael.christie@oracle.com> Signed-off-by: Martin K. Petersen <martin.petersen@oracle.com> Signed-off-by: Sasha Levin <sashal@kernel.org>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Here we go again...
Please release the source for Razr HD:
System version: 180.46.127.XT925.CEE-Retail.en.EU
Build number: KDA20.127
Kernel version: 3.4.42-ga566aff hudsoncm@ilclbld29 #1 Wed Oct 15 05.30:34 CDT 2014
Thanks.
The text was updated successfully, but these errors were encountered: