Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

ptr_ring: do not block hard interrupts in ptr_ring_resize_multiple()

Jakub added a lockdep_assert_no_hardirq() check in __page_pool_put_page()
to increase test coverage.

syzbot found a splat caused by hard irq blocking in
ptr_ring_resize_multiple() [1]

As current users of ptr_ring_resize_multiple() do not require
hard irqs to be masked, change it to block BH only.

Rename helpers to better reflect they are safe against BH only.

- ptr_ring_resize_multiple() to ptr_ring_resize_multiple_bh()
- skb_array_resize_multiple() to skb_array_resize_multiple_bh()

[1]

WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 __page_pool_put_page net/core/page_pool.c:709 [inline]
WARNING: CPU: 1 PID: 9150 at net/core/page_pool.c:709 page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780
Modules linked in:
CPU: 1 UID: 0 PID: 9150 Comm: syz.1.1052 Not tainted 6.11.0-rc3-syzkaller-00202-gf8669d7b5f5d #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 08/06/2024
RIP: 0010:__page_pool_put_page net/core/page_pool.c:709 [inline]
RIP: 0010:page_pool_put_unrefed_netmem+0x157/0xa40 net/core/page_pool.c:780
Code: 74 0e e8 7c aa fb f7 eb 43 e8 75 aa fb f7 eb 3c 65 8b 1d 38 a8 6a 76 31 ff 89 de e8 a3 ae fb f7 85 db 74 0b e8 5a aa fb f7 90 <0f> 0b 90 eb 1d 65 8b 1d 15 a8 6a 76 31 ff 89 de e8 84 ae fb f7 85
RSP: 0018:ffffc9000bda6b58 EFLAGS: 00010083
RAX: ffffffff8997e523 RBX: 0000000000000000 RCX: 0000000000040000
RDX: ffffc9000fbd0000 RSI: 0000000000001842 RDI: 0000000000001843
RBP: 0000000000000000 R08: ffffffff8997df2c R09: 1ffffd40003a000d
R10: dffffc0000000000 R11: fffff940003a000e R12: ffffea0001d00040
R13: ffff88802e8a4000 R14: dffffc0000000000 R15: 00000000ffffffff
FS: 00007fb7aaf716c0(0000) GS:ffff8880b9300000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007fa15a0d4b72 CR3: 00000000561b0000 CR4: 00000000003506f0
DR0: 0000000000000000 DR1: 0000000000000000 DR2: 0000000000000000
DR3: 0000000000000000 DR6: 00000000fffe0ff0 DR7: 0000000000000400
Call Trace:
<TASK>
tun_ptr_free drivers/net/tun.c:617 [inline]
__ptr_ring_swap_queue include/linux/ptr_ring.h:571 [inline]
ptr_ring_resize_multiple_noprof include/linux/ptr_ring.h:643 [inline]
tun_queue_resize drivers/net/tun.c:3694 [inline]
tun_device_event+0xaaf/0x1080 drivers/net/tun.c:3714
notifier_call_chain+0x19f/0x3e0 kernel/notifier.c:93
call_netdevice_notifiers_extack net/core/dev.c:2032 [inline]
call_netdevice_notifiers net/core/dev.c:2046 [inline]
dev_change_tx_queue_len+0x158/0x2a0 net/core/dev.c:9024
do_setlink+0xff6/0x41f0 net/core/rtnetlink.c:2923
rtnl_setlink+0x40d/0x5a0 net/core/rtnetlink.c:3201
rtnetlink_rcv_msg+0x73f/0xcf0 net/core/rtnetlink.c:6647
netlink_rcv_skb+0x1e3/0x430 net/netlink/af_netlink.c:2550

Fixes: ff4e538c8c3e ("page_pool: add a lockdep check for recycling in hardirq")
Reported-by: syzbot+f56a5c5eac2b28439810@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/netdev/671e10df.050a0220.2b8c0f.01cf.GAE@google.com/T/
Signed-off-by: Eric Dumazet <edumazet@google.com>
Acked-by: Michael S. Tsirkin <mst@redhat.com>
Acked-by: Jason Wang <jasowang@redhat.com>
Link: https://patch.msgid.link/20241217135121.326370-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Eric Dumazet and committed by
Jakub Kicinski
a126061c 65c233d8

+27 -27
+3 -3
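--- a/drivers/net/tap.c
+++ b/drivers/net/tap.c
@@ -1329,9 +1329,9 @@
 list_for_each_entry(q, &tap->queue_list, next)
 rings[i++] = &q->ring;
 
-ret = ptr_ring_resize_multiple(rings, n,
-dev->tx_queue_len, GFP_KERNEL,
-__skb_array_destroy_skb);
+ret = ptr_ring_resize_multiple_bh(rings, n,
+dev->tx_queue_len, GFP_KERNEL,
+__skb_array_destroy_skb);
 
 kfree(rings);
 return ret;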
+3 -3
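--- a/drivers/net/tun.c
+++ b/drivers/net/tun.c
@@ -3701,9 +3701,9 @@
 list_for_each_entry(tfile, &tun->disabled, next)
 rings[i++] = &tfile->tx_ring;
 
-ret = ptr_ring_resize_multiple(rings, n,
-dev->tx_queue_len, GFP_KERNEL,
-tun_ptr_free);
+ret = ptr_ring_resize_multiple_bh(rings, n,
+dev->tx_queue_len, GFP_KERNEL,
+tun_ptr_free);
 
 kfree(rings);
 return ret;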
+10 -11
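--- a/include/linux/ptr_ring.h
+++ b/include/linux/ptr_ring.h
@@ -615,15 +615,14 @@
 /*
 * Note: producer lock is nested within consumer lock, so if you
 * resize you must make sure all uses nest correctly.
-* In particular if you consume ring in interrupt or BH context, you must
-* disable interrupts/BH when doing so.
+* In particular if you consume ring in BH context, you must
+* disable BH when doing so.
 */
-static inline int ptr_ring_resize_multiple_noprof(struct ptr_ring **rings,
-unsigned int nrings,
-int size,
-gfp_t gfp, void (*destroy)(void *))
+static inline int ptr_ring_resize_multiple_bh_noprof(struct ptr_ring **rings,
+unsigned int nrings,
+int size, gfp_t gfp,
+void (*destroy)(void *))
 {
-unsigned long flags;
 void ***queues;
 int i;
 
@@ -638,12 +637,12 @@
 }
 
 for (i = 0; i < nrings; ++i) {
-spin_lock_irqsave(&(rings[i])->consumer_lock, flags);
+spin_lock_bh(&(rings[i])->consumer_lock);
 spin_lock(&(rings[i])->producer_lock);
 queues[i] = __ptr_ring_swap_queue(rings[i], queues[i],
 size, gfp, destroy);
 spin_unlock(&(rings[i])->producer_lock);
-spin_unlock_irqrestore(&(rings[i])->consumer_lock, flags);
+spin_unlock_bh(&(rings[i])->consumer_lock);
 }
 
 for (i = 0; i < nrings; ++i)
@@ -662,8 +661,8 @@
 noqueues:
 return -ENOMEM;
 }
-#define ptr_ring_resize_multiple(...) \
-alloc_hooks(ptr_ring_resize_multiple_noprof(__VA_ARGS__))
+#define ptr_ring_resize_multiple_bh(...) \
+alloc_hooks(ptr_ring_resize_multiple_bh_noprof(__VA_ARGS__))
 
 static inline void ptr_ring_cleanup(struct ptr_ring *r, void (*destroy)(void *))
 {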
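Review bot: The rewritten comment above ptr_ring_resize_multiple_bh_noprof() drops the hard-irq case instead of forbidding it, so the header no longer tells a caller that a ring touched from hard-irq context must not go through this helper. With `spin_lock_bh()` on consumer_lock and a plain `spin_lock()` on producer_lock in the swap loop, an interrupt handler on the same CPU that takes either lock would spin forever, and the commit message only vouches for the current users. I would extend the comment with `* Process context with hard irqs enabled only; never use on a ring that is produced or consumed from hard-irq context.` and, if the maintainers accept the extra check, put `lockdep_assert_irqs_enabled();` at the top of the function so misuse shows up in testing rather than as a lockup. Only parts of the function body are visible in these hunks.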
+9 -8
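--- a/include/linux/skb_array.h
+++ b/include/linux/skb_array.h
@@ -199,17 +199,18 @@
 return ptr_ring_resize(&a->ring, size, gfp, __skb_array_destroy_skb);
 }
 
-static inline int skb_array_resize_multiple_noprof(struct skb_array **rings,
-int nrings, unsigned int size,
-gfp_t gfp)
+static inline int skb_array_resize_multiple_bh_noprof(struct skb_array **rings,
+int nrings,
+unsigned int size,
+gfp_t gfp)
 {
 BUILD_BUG_ON(offsetof(struct skb_array, ring));
-return ptr_ring_resize_multiple_noprof((struct ptr_ring **)rings,
-nrings, size, gfp,
-__skb_array_destroy_skb);
+return ptr_ring_resize_multiple_bh_noprof((struct ptr_ring **)rings,
+nrings, size, gfp,
+__skb_array_destroy_skb);
 }
-#define skb_array_resize_multiple(...) \
-alloc_hooks(skb_array_resize_multiple_noprof(__VA_ARGS__))
+#define skb_array_resize_multiple_bh(...) \
+alloc_hooks(skb_array_resize_multiple_bh_noprof(__VA_ARGS__))
 
 static inline void skb_array_cleanup(struct skb_array *a)
 {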
+2 -2
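--- a/net/sched/sch_generic.c
+++ b/net/sched/sch_generic.c
@@ -911,8 +911,8 @@
 bands[prio] = q;
 }
 
-return skb_array_resize_multiple(bands, PFIFO_FAST_BANDS, new_len,
-GFP_KERNEL);
+return skb_array_resize_multiple_bh(bands, PFIFO_FAST_BANDS, new_len,
+GFP_KERNEL);
 }
 
 struct Qdisc_ops pfifo_fast_ops __read_mostly = {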