Message ID | 20240722085149.32479-1-qiang.zhang1211@gmail.com
---|---
State | New
Series | nsfs: Fix the missed rcu_read_unlock() invoking in ns_ioctl()
On Mon 22-07-24 16:51:49, Zqiang wrote:
> Currently, syzbot reports the following warning:
>
> Voluntary context switch within RCU read-side critical section!
> WARNING: CPU: 0 PID: 3460 at kernel/rcu/tree_plugin.h:330 rcu_note_context_switch+0x354/0x49c
> Call trace:
> rcu_note_context_switch+0x354/0x49c kernel/rcu/tree_plugin.h:330
> __schedule+0xb0/0x850 kernel/sched/core.c:6417
> __schedule_loop kernel/sched/core.c:6606 [inline]
> schedule+0x34/0x104 kernel/sched/core.c:6621
> do_notify_resume+0xe4/0x164 arch/arm64/kernel/entry-common.c:136
> exit_to_user_mode_prepare arch/arm64/kernel/entry-common.c:169 [inline]
> exit_to_user_mode arch/arm64/kernel/entry-common.c:178 [inline]
> el0_interrupt+0xc4/0xc8 arch/arm64/kernel/entry-common.c:797
> __el0_irq_handler_common+0x18/0x24 arch/arm64/kernel/entry-common.c:802
> el0t_64_irq_handler+0x10/0x1c arch/arm64/kernel/entry-common.c:807
> el0t_64_irq+0x19c/0x1a0 arch/arm64/kernel/entry.S:599
>
> This happens when the tsk pointer is null and a call to rcu_read_unlock()
> is missed in ns_ioctl(); this commit therefore invokes rcu_read_lock()
> when the tsk pointer is null.
>
> Reported-by: syzbot+784d0a1246a539975f05@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=784d0a1246a539975f05
> Fixes: ca567df74a28 ("nsfs: add pid translation ioctls")
> Signed-off-by: Zqiang <qiang.zhang1211@gmail.com>

Thanks for the fix, but this should already be fixed by commit 280e36f0d5b9971 ("nsfs: use cleanup guard") that was recently merged upstream.

Honza

> ---
> fs/nsfs.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nsfs.c b/fs/nsfs.c
> index a4a925dce331..e228d06f0949 100644
> --- a/fs/nsfs.c
> +++ b/fs/nsfs.c
> @@ -188,8 +188,10 @@ static long ns_ioctl(struct file *filp, unsigned int ioctl, > tsk = find_task_by_vpid(arg); > else > tsk = find_task_by_pid_ns(arg, pid_ns); > - if (!tsk) > + if (!tsk) { > + rcu_read_unlock(); > break; > + } > > switch (ioctl) { > case NS_GET_PID_FROM_PIDNS: > -- > 2.17.1 >
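Review bot: the commit message says the fix "invoke[s] rcu_read_lock()" on the null-tsk path, but the line the hunk adds is `rcu_read_unlock();`, so the message should name the unlock; what the change does is balance the read-side critical section before the `break`. This also pairs the unlock with one specific exit only: any other early exit between the lock and its matching unlock would need the same treatment, which is why the scope-based guard in upstream commit 280e36f0d5b9971 ("nsfs: use cleanup guard"), as Honza points out, is the preferable shape, since the unlock then runs on every exit from the block, this `break` included.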
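As an added example (not the kernel's code and not part of this thread): a user-space C model of the imbalance the patch fixes, showing the unlock-before-break form beside a scope-based guard built on the compiler's cleanup attribute, which is the mechanism behind the "nsfs: use cleanup guard" commit Honza points to. The rcu_depth counter, lookup_task(), OP_LOOKUP and the RCU_GUARD macro are all constructed stand-ins, not kernel APIs.

```c
#include <stddef.h>
static int rcu_depth;                    /* models RCU read-side nesting depth */
static void model_rcu_read_lock(void)   { rcu_depth++; }
static void model_rcu_read_unlock(void) { rcu_depth--; }
/* Scope-based guard: cleanup runs the unlock on every exit from the block. */
static void rcu_guard_exit(int *unused) { (void)unused; model_rcu_read_unlock(); }
#define RCU_GUARD() \
    int _rcu_guard __attribute__((cleanup(rcu_guard_exit), unused)) = \
        (model_rcu_read_lock(), 0)
/* Stand-in for find_task_by_vpid(); constructed rule: pid 0 means no task. */
static const char *lookup_task(long pid) { return pid ? "task" : NULL; }
enum { OP_LOOKUP = 1 };
/* Before the patch: the !tsk early exit leaves the read lock held. */
static long ioctl_unbalanced(unsigned int op, long pid)
{
    long ret = -1;
    switch (op) {
    case OP_LOOKUP:
        model_rcu_read_lock();
        if (!lookup_task(pid))
            break;                       /* missed unlock: depth stays at 1 */
        ret = 0;
        model_rcu_read_unlock();
        break;
    }
    return ret;
}
/* Guarded form: the unlock is tied to the scope, so every exit is balanced. */
static long ioctl_guarded(unsigned int op, long pid)
{
    long ret = -1;
    switch (op) {
    case OP_LOOKUP: {
        RCU_GUARD();
        if (!lookup_task(pid))
            break;                       /* guard cleanup runs here too */
        ret = 0;
        break;
    }
    }
    return ret;
}

/* Returns the leaked nesting depth after one OP_LOOKUP call through fn(). */
static int depth_after(long (*fn)(unsigned int, long), long pid)
{
    rcu_depth = 0;
    fn(OP_LOOKUP, pid);
    return rcu_depth;
}
```

The cleanup attribute is a GNU extension supported by gcc and clang; a real kernel build uses the kernel's own guard() helpers, which wrap the same attribute.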