LKML Archive on lore.kernel.org
From: Shoaib Rao <rao.shoaib@oracle.com>
To: Al Viro <viro@zeniv.linux.org.uk>
Cc: Dmitry Vyukov <dvyukov@google.com>,
	syzbot <syzbot+8760ca6c1ee783ac4abd@syzkaller.appspotmail.com>,
	andrii@kernel.org, ast@kernel.org, bpf@vger.kernel.org,
	christian.brauner@ubuntu.com, cong.wang@bytedance.com,
	daniel@iogearbox.net, davem@davemloft.net, edumazet@google.com,
	jamorris@linux.microsoft.com, john.fastabend@gmail.com,
	kafai@fb.com, kpsingh@kernel.org, kuba@kernel.org,
	linux-kernel@vger.kernel.org, linux-kselftest@vger.kernel.org,
	netdev@vger.kernel.org, shuah@kernel.org, songliubraving@fb.com,
	syzkaller-bugs@googlegroups.com, yhs@fb.com
Subject: Re: [syzbot] BUG: sleeping function called from invalid context in _copy_to_iter
Date: Mon, 9 Aug 2021 13:37:08 -0700	[thread overview]
Message-ID: <c1ec22f6-ed3b-fe70-2c7e-38a534f01d2b@oracle.com> (raw)
In-Reply-To: <YRGNIduUvw/kCLIU@zeniv-ca.linux.org.uk>


On 8/9/21 1:16 PM, Al Viro wrote:
> On Mon, Aug 09, 2021 at 08:04:40PM +0000, Al Viro wrote:
>> On Mon, Aug 09, 2021 at 12:40:03PM -0700, Shoaib Rao wrote:
>>
>>> Page faults occur all the time, the page may not even be in the cache or the
>>> mapping is not there (mmap), so I would not consider this a bug. The code
>>> should complain about all other calls as they are also copying to user
>>> pages. I must not be following some semantics for the code to be triggered
>>> but I can not figure that out. What is the recommended interface to do user
>>> copy from kernel?
>> 	What are you talking about?  Yes, page faults happen.  No, they
>> must not be triggered in contexts when you cannot afford going to sleep.
>> In particular, you can't do that while holding a spinlock.
>>
>> 	There are things that can't be done under a spinlock.  If your
>> commit is attempting that, it's simply broken.
> ... in particular, this
>
> +#if IS_ENABLED(CONFIG_AF_UNIX_OOB)
> +               mutex_lock(&u->iolock);
> +               unix_state_lock(sk);
> +
> +               err = unix_stream_recv_urg(state);
> +
> +               unix_state_unlock(sk);
> +               mutex_unlock(&u->iolock);
> +#endif
>
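Review bot: the copy to userland in this hunk happens with a spinlock held: unix_state_lock(sk) is spin_lock(&unix_sk(sk)->lock), and unix_stream_recv_urg(state) copies to user memory between it and unix_state_unlock(sk), so the copy runs with preemption disabled and trips might_sleep() in _copy_to_iter, which is exactly the syzbot report in the subject. Keep mutex_lock(&u->iolock) first (a mutex cannot be taken under a spinlock, so that order is right), but drop the state lock before the copy: under unix_state_lock(sk) take the pending OOB data out of the socket into a kernel-side buffer, unix_state_unlock(sk), and only then copy to the user buffer with just iolock held.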
> is 100% broken, since you *are* attempting to copy data to userland between
> spin_lock(&unix_sk(s)->lock) and spin_unlock(&unix_sk(s)->lock).

Yes, but why are we calling it unix_state_lock() and not 
unix_state_spinlock()?

I have tons of experience doing kernel coding, and you can never ever 
cover everything; that is why I wanted to root-cause the issue instead 
of just turning off the check.

Imagine you or Eric make a mistake and break the kernel; how would you 
guys feel if I were to write a similar email?

Shoaib

>
> You can't do blocking operations under a spinlock.  And copyout is inherently
> a blocking operation - it can require any kind of IO to complete.  If you
> have the destination (very much valid - no bad addresses there) in the middle
> of a page mmapped from a file and currently not paged in, you *must* read
> the current contents of the page, at least into the parts of page that
> are not going to be overwritten by your copyout.  No way around that.  And
> that can involve any kind of delays and any amount of disk/network/whatnot
> traffic.
>
> You fundamentally can not do that kind of thing without giving the CPU up.
> And under a spinlock you are not allowed to do that.
>
> In the current form that commit is obviously broken.
I am
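
An added example, not code from this thread, from the patch under discussion, or from the Linux tree: a user-space C model of the rule Al lays out above. It mirrors how the kernel's might_sleep() check fires when preempt_count is non-zero (spin_lock() raises it), runs the quoted hunk's ordering (copy to user under the state spinlock) beside the ordering that avoids the report (take the data out under the lock, unlock, then copy), and counts the resulting warnings. Everything named model_*, struct model_sock, recv_urg_broken/recv_urg_fixed and the demo_* helpers is invented for the illustration; the socket it drives is constructed with a single queued out-of-band byte.

```c
/*
 * Added illustration, not code from this thread or from the Linux tree.
 * A user-space model of the rule discussed above: copying to user memory can
 * fault and block, so it must not happen while a spinlock is held.  The
 * kernel catches this with might_sleep(), which complains when preempt_count
 * is non-zero; spin_lock() raises preempt_count, so a copy under a spinlock
 * trips it.  Every model_* name and the struct below are invented here.
 */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <stddef.h>

static int preempt_count;        /* models the kernel's per-CPU preempt_count */
static int sleeping_in_atomic;   /* how many "sleeping function" BUGs fired */

/* Models might_sleep(): a would-be sleeper called with preemption disabled. */
static void model_might_sleep(const char *where)
{
    if (preempt_count != 0) {
        sleeping_in_atomic++;
        fprintf(stderr,
                "BUG: sleeping function called from invalid context in %s "
                "(preempt_count=%d)\n", where, preempt_count);
    }
}

/* spin_lock()/spin_unlock(): disable and re-enable preemption. */
static void model_spin_lock(void)   { preempt_count++; }
static void model_spin_unlock(void) { preempt_count--; }

/*
 * copy_to_user()/_copy_to_iter(): the destination page may not be resident,
 * so the real thing may have to wait for I/O; here that is the might_sleep()
 * check followed by a memcpy.  Returns the number of bytes NOT copied.
 */
static size_t model_copy_to_user(char *ubuf, const char *kbuf, size_t n)
{
    model_might_sleep("_copy_to_iter");
    memcpy(ubuf, kbuf, n);
    return 0;
}

struct model_sock {
    char oob_data;     /* the pending out-of-band byte */
    int  oob_pending;  /* 1 while a byte is queued */
};

/* Broken ordering, as in the quoted hunk: the user copy runs under the
 * (spin) state lock. */
static int recv_urg_broken(struct model_sock *sk, char *ubuf)
{
    int ret = -EINVAL;

    model_spin_lock();                                /* unix_state_lock(sk) */
    if (sk->oob_pending) {
        model_copy_to_user(ubuf, &sk->oob_data, 1);   /* sleeps under spinlock */
        sk->oob_pending = 0;
        ret = 1;
    }
    model_spin_unlock();                              /* unix_state_unlock(sk) */
    return ret;
}

/* Safe ordering: move the byte into a kernel-side buffer under the lock,
 * drop the lock, then do the copy that may sleep.  The byte is consumed
 * before the copy, so a faulting copy loses it; any real version of this
 * pattern has to decide what to do in that case. */
static int recv_urg_fixed(struct model_sock *sk, char *ubuf)
{
    char kbuf = 0;
    int have = 0;

    model_spin_lock();
    if (sk->oob_pending) {
        kbuf = sk->oob_data;
        sk->oob_pending = 0;
        have = 1;
    }
    model_spin_unlock();

    if (!have)
        return -EINVAL;
    if (model_copy_to_user(ubuf, &kbuf, 1))           /* preempt_count is 0 here */
        return -EFAULT;
    return 1;
}

/* Drive one receive on a constructed socket holding the byte 'X' and report
 * how many BUGs it raised; *out receives what reached "user space". */
static int run_once(int (*recv)(struct model_sock *, char *), char *out)
{
    struct model_sock sk = { .oob_data = 'X', .oob_pending = 1 };
    int before = sleeping_in_atomic;

    *out = 0;
    recv(&sk, out);
    return sleeping_in_atomic - before;
}

/* The broken path raises one BUG and the fixed path none; both deliver 'X',
 * an empty socket yields -EINVAL, and the lock/unlock pairs stay balanced. */
int demo_broken_bugs(void)   { char c; return run_once(recv_urg_broken, &c); }
int demo_fixed_bugs(void)    { char c; return run_once(recv_urg_fixed, &c); }
int demo_fixed_byte(void)    { char c; run_once(recv_urg_fixed, &c); return c; }
int demo_fixed_empty(void)
{
    struct model_sock sk = { .oob_data = 0, .oob_pending = 0 };
    char c;
    return recv_urg_fixed(&sk, &c);
}
int demo_preempt_count(void) { return preempt_count; }
```

Build with `cc -Wall` and call the demo_* functions from a main: the broken path prints the BUG line once to stderr, the fixed path prints nothing. The one thing the fixed ordering does not give you for free is visible in the comment on recv_urg_fixed: once the byte is pulled out under the lock, a copy that faults afterwards has already consumed it, which is the trade-off any lock-then-copy split has to account for.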


Thread overview: 21+ messages
2021-08-08 23:38 syzbot
2021-08-09 17:32 ` Shoaib Rao
2021-08-09 18:06   ` Dmitry Vyukov
2021-08-09 19:16     ` Shoaib Rao
2021-08-09 19:21       ` Dmitry Vyukov
2021-08-09 19:40         ` Shoaib Rao
2021-08-09 20:02           ` Eric Dumazet
2021-08-09 20:09             ` Eric Dumazet
2021-08-09 20:31               ` Shoaib Rao
2021-08-10  9:19                 ` Eric Dumazet
2021-08-10 17:50                   ` Shoaib Rao
2021-08-10 18:02                     ` Eric Dumazet
2021-08-10 18:29                       ` Shoaib Rao
2021-08-09 20:04           ` Al Viro
2021-08-09 20:16             ` Al Viro
2021-08-09 20:30               ` Shoaib Rao
2021-08-09 20:37               ` Shoaib Rao [this message]
2021-08-09 21:41                 ` Al Viro
2021-08-09 22:38                   ` Shoaib Rao
2021-08-09 19:57       ` Al Viro
2021-08-09 20:18         ` Shoaib Rao
