On Thu, Oct 10, 2024 at 12:05:38PM -0700, Mina Almasry wrote:
On Thu, Oct 10, 2024 at 4:17 AM Lai, Yi yi1.lai@linux.intel.com wrote:
Hi Mina Almasry,
Greetings!
I used Syzkaller and found that there is BUG: soft lockup inqt in linux-next tree next-20241008
After bisection and the first bad commit is: " 678f6e28b5f6 net: add SO_DEVMEM_DONTNEED setsockopt to release RX frags "
All detailed into can be found at: https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... Syzkaller repro code: https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... Syzkaller repro syscall steps: https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... Syzkaller report: https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... Kconfig(make olddefconfig): https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... Bisect info: https://github.com/laifryiee/syzkaller_logs/tree/main/241009_103423_do_sock_... bzImage: https://github.com/laifryiee/syzkaller_logs/raw/refs/heads/main/241009_10342... Issue dmesg: https://github.com/laifryiee/syzkaller_logs/blob/main/241009_103423_do_sock_...
" [ 48.825073] ? __lock_acquire+0x1b0f/0x5c90 [ 48.825419] ? __pfx___lock_acquire+0x10/0x10 [ 48.825774] sock_setsockopt+0x68/0x90 [ 48.826117] do_sock_setsockopt+0x3fb/0x480 [ 48.826455] ? __pfx_do_sock_setsockopt+0x10/0x10 [ 48.826829] ? lock_release+0x441/0x870 [ 48.827140] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20 [ 48.827558] ? fdget+0x188/0x230 [ 48.827846] __sys_setsockopt+0x131/0x200 [ 48.828184] ? __pfx___sys_setsockopt+0x10/0x10 [ 48.828551] ? seqcount_lockdep_reader_access.constprop.0+0xc0/0xd0 [ 48.829042] ? __sanitizer_cov_trace_cmp4+0x1a/0x20 [ 48.829425] ? ktime_get_coarse_real_ts64+0xbf/0xf0 [ 48.829817] __x64_sys_setsockopt+0xc6/0x160 [ 48.830160] ? syscall_trace_enter+0x14a/0x230 [ 48.830520] x64_sys_call+0x6cf/0x20d0 [ 48.830825] do_syscall_64+0x6d/0x140 [ 48.831124] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 48.831517] RIP: 0033:0x7f26cdc3ee5d [ 48.831804] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48 [ 48.833180] RSP: 002b:00007fff33f36278 EFLAGS: 00000213 ORIG_RAX: 0000000000000036 [ 48.833756] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f26cdc3ee5d [ 48.834294] RDX: 0000000000000050 RSI: 0000000000000001 RDI: 0000000000000003 [ 48.834830] RBP: 00007fff33f36290 R08: 0000000000000010 R09: 00007fff33f36290 [ 48.835368] R10: 0000000020000080 R11: 0000000000000213 R12: 00007fff33f363e8 [ 48.835906] R13: 000000000040178f R14: 0000000000403e08 R15: 00007f26cde51000 [ 48.836466] </TASK> [ 48.836648] Kernel panic - not syncing: softlockup: hung tasks [ 48.837096] CPU: 1 UID: 0 PID: 729 Comm: repro Tainted: G L 6.12.0-rc2-8cf0b93919e1 #1 [ 48.837796] Tainted: [L]=SOFTLOCKUP [ 48.838071] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.0-0-gd239552ce722-prebuilt.qemu.org 04/01/2014 [ 48.838916] Call Trace: [ 48.839113] <IRQ> [ 48.839282] dump_stack_lvl+0x42/0x150 [ 48.839584] dump_stack+0x19/0x20 [ 48.839846] panic+0x703/0x790 [ 48.840100] ? __pfx_panic+0x10/0x10 [ 48.840394] ? watchdog_timer_fn+0x599/0x6b0 [ 48.840727] ? watchdog_timer_fn+0x58c/0x6b0 [ 48.841065] watchdog_timer_fn+0x5aa/0x6b0 [ 48.841382] ? __pfx_watchdog_timer_fn+0x10/0x10 [ 48.841743] __hrtimer_run_queues+0x5d6/0xc30 [ 48.842091] ? __pfx___hrtimer_run_queues+0x10/0x10 [ 48.842473] hrtimer_interrupt+0x324/0x7a0 [ 48.842802] __sysvec_apic_timer_interrupt+0x10b/0x410 [ 48.843198] ? debug_smp_processor_id+0x20/0x30 [ 48.843551] sysvec_apic_timer_interrupt+0xaf/0xd0 [ 48.843922] </IRQ> [ 48.844101] <TASK> [ 48.844275] asm_sysvec_apic_timer_interrupt+0x1f/0x30 [ 48.844711] RIP: 0010:__sanitizer_cov_trace_pc+0x45/0x70 [ 48.845130] Code: a9 00 01 ff 00 74 1d f6 c4 01 74 43 a9 00 00 0f 00 75 3c a9 00 00 f0 00 75 35 8b 82 04 1e 00 00 85 c0 74 2b 8b 82 e0 1d 00 00 <83> f8 02 75 20 48 8b 8a e8 1d 00 00 8b 92 e4 1d 00 00 48 8b 01 48 [ 48.846480] RSP: 0018:ffff8880239cf790 EFLAGS: 00000246 [ 48.846876] RAX: 0000000000000000 RBX: ffff8880239cf900 RCX: ffffffff8581c19f [ 48.847407] RDX: ffff88801a818000 RSI: ffffffff8581c1d5 RDI: 0000000000000007 [ 48.847933] RBP: ffff8880239cf790 R08: 0000000000000001 R09: ffffed1004739f23 [ 48.848472] R10: 0000000077cc006e R11: 0000000000000001 R12: 0000000000000000 [ 48.849002] R13: 0000000077cc006e R14: ffff8880239cf918 R15: 0000000000000000 [ 48.849536] ? xas_start+0x11f/0x730 [ 48.849818] ? xas_start+0x155/0x730 [ 48.850101] xas_start+0x155/0x730 [ 48.850372] xas_load+0x2f/0x520 [ 48.850629] ? irqentry_exit+0x3e/0xa0 [ 48.850922] ? sysvec_apic_timer_interrupt+0x6a/0xd0 [ 48.851304] xas_store+0x1165/0x1ad0 [ 48.851588] ? __this_cpu_preempt_check+0x21/0x30 [ 48.851950] ? irqentry_exit+0x3e/0xa0 [ 48.852254] __xa_erase+0xc6/0x180 [ 48.852524] ? __pfx___xa_erase+0x10/0x10 [ 48.852842] ? __xa_erase+0xf1/0x180 [ 48.853123] ? sock_devmem_dontneed+0x42c/0x6d0 [ 48.853480] sock_devmem_dontneed+0x3a8/0x6d0 [ 48.853829] ? __pfx_sock_devmem_dontneed+0x10/0x10 [ 48.854205] ? trace_lock_acquire+0x139/0x1b0 [ 48.854548] ? lock_acquire+0x80/0xb0 [ 48.854833] ? __might_fault+0xf1/0x1b0 [ 48.855133] ? __might_fault+0xf1/0x1b0 [ 48.855437] ? __sanitizer_cov_trace_const_cmp8+0x1c/0x30 [ 48.855849] sk_setsockopt+0x480/0x3c60 [ 48.856158] ? __pfx_sk_setsockopt+0x10/0x10 [ 48.856491] ? __kasan_check_read+0x15/0x20 [ 48.856814] ? __lock_acquire+0x1b0f/0x5c90 [ 48.857144] ? __pfx___lock_acquire+0x10/0x10 [ 48.857488] sock_setsockopt+0x68/0x90 [ 48.857785] do_sock_setsockopt+0x3fb/0x480 [ 48.858110] ? __pfx_do_sock_setsockopt+0x10/0x10 [ 48.858474] ? lock_release+0x441/0x870 [ 48.858776] ? __sanitizer_cov_trace_const_cmp4+0x1a/0x20 [ 48.859184] ? fdget+0x188/0x230 [ 48.859448] __sys_setsockopt+0x131/0x200 [ 48.859764] ? __pfx___sys_setsockopt+0x10/0x10 [ 48.860123] ? seqcount_lockdep_reader_access.constprop.0+0xc0/0xd0 [ 48.860598] ? __sanitizer_cov_trace_cmp4+0x1a/0x20 [ 48.860982] ? ktime_get_coarse_real_ts64+0xbf/0xf0 [ 48.861370] __x64_sys_setsockopt+0xc6/0x160 [ 48.861710] ? syscall_trace_enter+0x14a/0x230 [ 48.862057] x64_sys_call+0x6cf/0x20d0 [ 48.862350] do_syscall_64+0x6d/0x140 [ 48.862639] entry_SYSCALL_64_after_hwframe+0x76/0x7e [ 48.863023] RIP: 0033:0x7f26cdc3ee5d [ 48.863301] Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 90 f3 0f 1e fa 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 8b 0d 93 af 1b 00 f7 d8 64 89 01 48 [ 48.864659] RSP: 002b:00007fff33f36278 EFLAGS: 00000213 ORIG_RAX: 0000000000000036 [ 48.865223] RAX: ffffffffffffffda RBX: 0000000000000000 RCX: 00007f26cdc3ee5d "
I hope you find it useful.
Thank you for the report. I think I see the issue and I commented on the fix in the code below.
Only issue is that this is unlucky timing for me. I have a flight tomorrow for a vacation where I think I may have internet access and may not. I will try to follow up here, but in case I can't, what's the urgency for this issue? Can this wait 2 weeks when I get back?
if (optlen % sizeof(struct dmabuf_token) ||optlen > sizeof(*tokens) * MAX_DONTNEED_TOKENS)return -EINVAL;tokens = kvmalloc_array(optlen, sizeof(*tokens), GFP_KERNEL);if (!tokens)return -ENOMEM;There is an unrelated bug here. The first argument for kvmalloc_array is the number of elements, I think, not the number of bytes. So this should be:
num_tokens = optlen / sizeof(struct dmabuf_token); tokens = kvmalloc_array(num_tokens, sizeof(*tokens), GFP_KERNEL); if (!tokens) return -ENOMEM;
if (copy_from_sockptr(tokens, optval, optlen)) {kvfree(tokens);return -EFAULT;}xa_lock_bh(&sk->sk_user_frags);for (i = 0; i < num_tokens; i++) {for (j = 0; j < tokens[i].token_count; j++) {The bug should be here. tokens[i].token_count is a u32 provided by the user. The user can specify U32_MAX here, which will make the loop below spin for a very long time with the lock held, which should be the cause of the soft lockup.
We should add a check that token_count is < MAX_DONTNEED_TOKENS or something like that, above this line.
Please let me know of urgency. If this can't wait I'll try very hard to repro the issue/fix while I'm out. Untested fix I'm going to try out:
Hi Mina
This bug can wait as you mentioned two weeks. Just let you know, after applied your proposed fix, the issue cannot be reproduced using the same repro binary.
If you have a formal fix patch later, I would be happy to test it again. Just let me know.
Regards, Yi Lai
diff --git a/net/core/sock.c b/net/core/sock.c index 083d438d8b6f..cb3d8b19de14 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1071,11 +1071,11 @@ sock_devmem_dontneed(struct sock *sk, sockptr_t optval, unsigned int optlen) optlen > sizeof(*tokens) * MAX_DONTNEED_TOKENS) return -EINVAL;
tokens = kvmalloc_array(optlen, sizeof(*tokens), GFP_KERNEL);
num_tokens = optlen / sizeof(struct dmabuf_token);tokens = kvmalloc_array(num_tokens, sizeof(*tokens), GFP_KERNEL); if (!tokens) return -ENOMEM;
num_tokens = optlen / sizeof(struct dmabuf_token); if (copy_from_sockptr(tokens, optval, optlen)) { kvfree(tokens); return -EFAULT;@@ -1083,6 +1083,10 @@ sock_devmem_dontneed(struct sock *sk, sockptr_t optval, unsigned int optlen)
xa_lock_bh(&sk->sk_user_frags); for (i = 0; i < num_tokens; i++) {
if (tokens[i].token_count > MAX_DONTNEED_TOKENS)continue;for (j = 0; j < tokens[i].token_count; j++) { netmem_ref netmem = (__force netmem_ref)__xa_erase( &sk->sk_user_frags, tokens[i].token_start + j);-- Thanks, Mina