Syzkaller reports using smp_processor_id() in preemptible code at radix_tree_node_alloc() in 5.10 stable releases. The problem has been fixed by the following patch which can be cleanly applied to the 5.10 branch.
Found by Linux Verification Center (linuxtesting.org) with Syzkaller.
From: "Matthew Wilcox (Oracle)" willy@infradead.org
commit 3403fb9adea5f5d8f9337d77ba1b31e6536ac7f1 upstream.
The XArray interface is easier for this driver to use. Also fixes a bug reported by the improper use of GFP_ATOMIC.
Signed-off-by: Matthew Wilcox (Oracle) willy@infradead.org Reviewed-by: Manivannan Sadhasivam manivannan.sadhasivam@linaro.org Signed-off-by: David S. Miller davem@davemloft.net Signed-off-by: Stanislav Goriainov goriainov@ispras.ru --- net/qrtr/qrtr.c | 42 ++++++++++++++---------------------------- 1 file changed, 14 insertions(+), 28 deletions(-)
diff --git a/net/qrtr/qrtr.c b/net/qrtr/qrtr.c index 56cffbfa000b..13448ca5aeff 100644 --- a/net/qrtr/qrtr.c +++ b/net/qrtr/qrtr.c @@ -20,6 +20,8 @@ /* auto-bind range */ #define QRTR_MIN_EPH_SOCKET 0x4000 #define QRTR_MAX_EPH_SOCKET 0x7fff +#define QRTR_EPH_PORT_RANGE \ + XA_LIMIT(QRTR_MIN_EPH_SOCKET, QRTR_MAX_EPH_SOCKET)
/** * struct qrtr_hdr_v1 - (I|R)PCrouter packet header version 1 @@ -106,8 +108,7 @@ static LIST_HEAD(qrtr_all_nodes); static DEFINE_MUTEX(qrtr_node_lock);
/* local port allocation management */ -static DEFINE_IDR(qrtr_ports); -static DEFINE_MUTEX(qrtr_port_lock); +static DEFINE_XARRAY_ALLOC(qrtr_ports);
/** * struct qrtr_node - endpoint node @@ -635,7 +636,7 @@ static struct qrtr_sock *qrtr_port_lookup(int port) port = 0;
rcu_read_lock(); - ipc = idr_find(&qrtr_ports, port); + ipc = xa_load(&qrtr_ports, port); if (ipc) sock_hold(&ipc->sk); rcu_read_unlock(); @@ -677,9 +678,7 @@ static void qrtr_port_remove(struct qrtr_sock *ipc)
__sock_put(&ipc->sk);
- mutex_lock(&qrtr_port_lock); - idr_remove(&qrtr_ports, port); - mutex_unlock(&qrtr_port_lock); + xa_erase(&qrtr_ports, port);
/* Ensure that if qrtr_port_lookup() did enter the RCU read section we * wait for it to up increment the refcount */ @@ -698,29 +697,20 @@ static void qrtr_port_remove(struct qrtr_sock *ipc) */ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port) { - u32 min_port; int rc;
- mutex_lock(&qrtr_port_lock); if (!*port) { - min_port = QRTR_MIN_EPH_SOCKET; - rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, QRTR_MAX_EPH_SOCKET, GFP_ATOMIC); - if (!rc) - *port = min_port; + rc = xa_alloc(&qrtr_ports, port, ipc, QRTR_EPH_PORT_RANGE, + GFP_KERNEL); } else if (*port < QRTR_MIN_EPH_SOCKET && !capable(CAP_NET_ADMIN)) { rc = -EACCES; } else if (*port == QRTR_PORT_CTRL) { - min_port = 0; - rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, 0, GFP_ATOMIC); + rc = xa_insert(&qrtr_ports, 0, ipc, GFP_KERNEL); } else { - min_port = *port; - rc = idr_alloc_u32(&qrtr_ports, ipc, &min_port, *port, GFP_ATOMIC); - if (!rc) - *port = min_port; + rc = xa_insert(&qrtr_ports, *port, ipc, GFP_KERNEL); } - mutex_unlock(&qrtr_port_lock);
- if (rc == -ENOSPC) + if (rc == -EBUSY) return -EADDRINUSE; else if (rc < 0) return rc; @@ -734,20 +724,16 @@ static int qrtr_port_assign(struct qrtr_sock *ipc, int *port) static void qrtr_reset_ports(void) { struct qrtr_sock *ipc; - int id; - - mutex_lock(&qrtr_port_lock); - idr_for_each_entry(&qrtr_ports, ipc, id) { - /* Don't reset control port */ - if (id == 0) - continue; + unsigned long index;
+ rcu_read_lock(); + xa_for_each_start(&qrtr_ports, index, ipc, 1) { sock_hold(&ipc->sk); ipc->sk.sk_err = ENETRESET; ipc->sk.sk_error_report(&ipc->sk); sock_put(&ipc->sk); } - mutex_unlock(&qrtr_port_lock); + rcu_read_unlock(); }
/* Bind socket to address.
On Thu, Aug 18, 2022 at 05:14:01PM +0300, Stanislav Goriainov wrote:
From: "Matthew Wilcox (Oracle)" willy@infradead.org
commit 3403fb9adea5f5d8f9337d77ba1b31e6536ac7f1 upstream.
This is not a commit id in Linus's tree that I can find anywhere :(
On Fri, Aug 19, 2022 at 01:21:59PM +0200, Greg Kroah-Hartman wrote:
On Thu, Aug 18, 2022 at 05:14:01PM +0300, Stanislav Goriainov wrote:
From: "Matthew Wilcox (Oracle)" willy@infradead.org
commit 3403fb9adea5f5d8f9337d77ba1b31e6536ac7f1 upstream.
This is not a commit id in Linus's tree that I can find anywhere :(
I see it as 3cbf7530a163, fwiw.
On Fri, Aug 19, 2022 at 02:53:02PM +0100, Matthew Wilcox wrote:
On Fri, Aug 19, 2022 at 01:21:59PM +0200, Greg Kroah-Hartman wrote:
On Thu, Aug 18, 2022 at 05:14:01PM +0300, Stanislav Goriainov wrote:
From: "Matthew Wilcox (Oracle)" willy@infradead.org
commit 3403fb9adea5f5d8f9337d77ba1b31e6536ac7f1 upstream.
This is not a commit id in Linus's tree that I can find anywhere :(
I see it as 3cbf7530a163, fwiw.
I'll wait for a resend, as obviously something went wrong on the sender's side...
Greg Kroah-Hartman писал 2022-08-19 17:32:
On Fri, Aug 19, 2022 at 02:53:02PM +0100, Matthew Wilcox wrote:
On Fri, Aug 19, 2022 at 01:21:59PM +0200, Greg Kroah-Hartman wrote:
On Thu, Aug 18, 2022 at 05:14:01PM +0300, Stanislav Goriainov wrote:
From: "Matthew Wilcox (Oracle)" willy@infradead.org
commit 3403fb9adea5f5d8f9337d77ba1b31e6536ac7f1 upstream.
This is not a commit id in Linus's tree that I can find anywhere :(
I see it as 3cbf7530a163, fwiw.
I'll wait for a resend, as obviously something went wrong on the sender's side...
Yeah, my bad.. Corrected version follows up.
linux-stable-mirror@lists.linaro.org
-
goriainov@ispras.ru -
Greg Kroah-Hartman -
Matthew Wilcox -
Stanislav Goriainov