LKML Archive on lore.kernel.org
help / color / mirror / Atom feed
From: Shoaib Rao <email@example.com>
To: Al Viro <firstname.lastname@example.org>
Cc: Dmitry Vyukov <email@example.com>,
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org, email@example.com,
firstname.lastname@example.org, email@example.com, firstname.lastname@example.org,
email@example.com, firstname.lastname@example.org, email@example.com,
Subject: Re: [syzbot] BUG: sleeping function called from invalid context in _copy_to_iter
Date: Mon, 9 Aug 2021 13:37:08 -0700 [thread overview]
Message-ID: <firstname.lastname@example.org> (raw)
On 8/9/21 1:16 PM, Al Viro wrote:
> On Mon, Aug 09, 2021 at 08:04:40PM +0000, Al Viro wrote:
>> On Mon, Aug 09, 2021 at 12:40:03PM -0700, Shoaib Rao wrote:
>>> Page faults occur all the time, the page may not even be in the cache or the
>>> mapping is not there (mmap), so I would not consider this a bug. The code
>>> should complain about all other calls as they are also copying to user
>>> pages. I must not be following some semantics for the code to be triggered
>>> but I can not figure that out. What is the recommended interface to do user
>>> copy from kernel?
>> What are you talking about? Yes, page faults happen. No, they
>> must not be triggered in contexts when you cannot afford going to sleep.
>> In particular, you can't do that while holding a spinlock.
>> There are things that can't be done under a spinlock. If your
>> commit is attempting that, it's simply broken.
> ... in particular, this
> +#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
> + mutex_lock(&u->iolock);
> + unix_state_lock(sk);
> + err = unix_stream_recv_urg(state);
> + unix_state_unlock(sk);
> + mutex_unlock(&u->iolock);
> is 100% broken, since you *are* attempting to copy data to userland between
> spin_lock(&unix_sk(s)->lock) and spin_unlock(&unix_sk(s)->lock).
Yes, but why are we calling it unix_state_lock() why not
I have tons of experience doing kernel coding and you can never ever
cover everything, that is why I wanted to root cause the issue instead
of just turning off the check.
Imagine you or Eric make a mistake and break the kernel, how would you
guys feel if I were to write a similar email?
> You can't do blocking operations under a spinlock. And copyout is inherently
> a blocking operation - it can require any kind of IO to complete. If you
> have the destination (very much valid - no bad addresses there) in the middle
> of a page mmapped from a file and currently not paged in, you *must* read
> the current contents of the page, at least into the parts of page that
> are not going to be overwritten by your copyout. No way around that. And
> that can involve any kind of delays and any amount of disk/network/whatnot
> You fundamentally can not do that kind of thing without giving the CPU up.
> And under a spinlock you are not allowed to do that.
> In the current form that commit is obviously broken.
next prev parent reply other threads:[~2021-08-09 20:37 UTC|newest]
Thread overview: 21+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-08-08 23:38 syzbot
2021-08-09 17:32 ` Shoaib Rao
2021-08-09 18:06 ` Dmitry Vyukov
2021-08-09 19:16 ` Shoaib Rao
2021-08-09 19:21 ` Dmitry Vyukov
2021-08-09 19:40 ` Shoaib Rao
2021-08-09 20:02 ` Eric Dumazet
2021-08-09 20:09 ` Eric Dumazet
2021-08-09 20:31 ` Shoaib Rao
2021-08-10 9:19 ` Eric Dumazet
2021-08-10 17:50 ` Shoaib Rao
2021-08-10 18:02 ` Eric Dumazet
2021-08-10 18:29 ` Shoaib Rao
2021-08-09 20:04 ` Al Viro
2021-08-09 20:16 ` Al Viro
2021-08-09 20:30 ` Shoaib Rao
2021-08-09 20:37 ` Shoaib Rao [this message]
2021-08-09 21:41 ` Al Viro
2021-08-09 22:38 ` Shoaib Rao
2021-08-09 19:57 ` Al Viro
2021-08-09 20:18 ` Shoaib Rao
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--subject='Re: [syzbot] BUG: sleeping function called from invalid context in _copy_to_iter' \
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).