On Mon, Aug 09, 2021 at 12:16:27PM -0700, Shoaib Rao wrote:
On 8/9/21 11:06 AM, Dmitry Vyukov wrote:
On Mon, 9 Aug 2021 at 19:33, Shoaib Rao rao.shoaib@oracle.com wrote:
This seems like a false positive. 1) The function will not sleep because it only calls copy routine if the byte is present. 2). There is no difference between this new call and the older calls in unix_stream_read_generic().
Hi Shoaib,
Thanks for looking into this. Do you have any ideas on how to fix this tool's false positive? Tools with false positives are order of magnitude less useful than tools w/o false positives. E.g. do we turn it off on syzbot? But I don't remember any other false positives from "sleeping function called from invalid context" checker...
Before we take any action I would like to understand why the tool does not single out other calls to recv_actor in unix_stream_read_generic(). The context in all cases is the same. I also do not understand why the code would sleep, Let's assume the user provided address is bad, the code will return EFAULT, it will never sleep, if the kernel provided address is bad the system will panic. The only difference I see is that the new code holds 2 locks while the previous code held one lock, but the locks are acquired before the call to copy.
So please help me understand how the tool works. Even though I have evaluated the code carefully, there is always a possibility that the tool is correct.
Huh???
What do you mean "address is bad"? "Address is inside an area mmapped from NFS file". And it bloody well will sleep on attempt to read the page.
You should never, ever do copy_{to,from}_user() or equivalents while holding a spinlock, period.