The Linux Kernel Mailing List
From: syzbot <syzbot+0635dc2e2c3c21a6aa04@syzkaller.appspotmail.com>
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Subject: Forwarded: [PATCH] locking/lockdep: skip irq save/restore in hardirq context in lock_release()
Date: Sun, 28 Jun 2026 17:50:31 -0700
Message-ID: <6a41c157.9dc7bc9d.3393b4.0002.GAE@google.com>
In-Reply-To: <6a360fdf.871e809a.2d6dda.0001.GAE@google.com>

For archival purposes, forwarding an incoming command email to
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] locking/lockdep: skip irq save/restore in hardirq context in lock_release()
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net-next.git master


lock_release() performs a raw_local_irq_save/restore dance around its
validation work. While safe in process and softirq context, this is
dangerous in hardirq context where IRQs must remain disabled for the
entire duration of the handler.

When lock_release() calls raw_local_irq_restore() inside a hardirq
handler, it briefly re-enables IRQs, creating a window where a new
interrupt can fire before the handler returns. This was observed with
taprio's advance_sched() hrtimer callback - the temporary IRQ
re-enablement inside lock_release() prevented CPU 0 from acknowledging
a pending TLB flush IPI sent by CPU 1 via smp_call_function_many().
CPU 1 then spun indefinitely in csd_lock_wait(), starving the RCU
grace-period kthread and triggering an RCU stall with eventual OOM.

lock_acquire() already handles the NMI case specially via lockdep_nmi()
to avoid this class of problem. Mirror that pattern for hardirq context
in lock_release() by introducing lockdep_hardirq() and skipping the
irq save/restore dance when called from hardirq context.

Link: https://syzkaller.appspot.com/bug?extid=0635dc2e2c3c21a6aa04
Reported-by: syzbot+0635dc2e2c3c21a6aa04@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <kartikey406@gmail.com>
---
 kernel/locking/lockdep.c | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/kernel/locking/lockdep.c b/kernel/locking/lockdep.c
index 2d4c5bab5af8..17eb9590e751 100644
--- a/kernel/locking/lockdep.c
+++ b/kernel/locking/lockdep.c
@@ -5872,6 +5872,15 @@ void lock_acquire(struct lockdep_map *lock, unsigned int subclass,
 }
 EXPORT_SYMBOL_GPL(lock_acquire);
 
+static bool lockdep_hardirq(void)
+{
+	if (raw_cpu_read(lockdep_recursion))
+		return false;
+	if (!in_hardirq())
+		return false;
+	return true;
+}
+
 void lock_release(struct lockdep_map *lock, unsigned long ip)
 {
 	unsigned long flags;
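
Review bot: lockdep_hardirq() returns false whenever lockdep_recursion is non-zero, so a hardirq caller in that state still falls through to the raw_local_irq_save() path in lock_release() that the changelog describes as the problem; the helper needs a comment saying why that case is acceptable. in_hardirq() also only reports the execution context, not whether interrupts are currently disabled, which is the property the new branch in lock_release() relies on, so the comment should state that assumption as well. As a style point, the body reduces to a single return of `!raw_cpu_read(lockdep_recursion) && in_hardirq()`.
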
@@ -5882,6 +5891,14 @@ void lock_release(struct lockdep_map *lock, unsigned long ip)
 		     lock->key == &__lockdep_no_track__))
 		return;
 
+	if (lockdep_hardirq()) {
+		lockdep_recursion_inc();
+		if (__lock_release(lock, ip))
+			check_chain_key(current);
+		lockdep_recursion_finish();
+		return;
+	}
+
 	raw_local_irq_save(flags);
 	check_flags(flags);
 
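
Review bot: the new `if (lockdep_hardirq())` branch skips check_flags(flags) together with raw_local_irq_save(flags), and nothing in it verifies that interrupts are actually off before __lock_release() runs; add an assertion on the IRQ state there, or fall back to the existing path when interrupts are enabled. The changelog should also explain how the existing path re-enables interrupts: raw_local_irq_restore() puts back the state captured by raw_local_irq_save(flags), so if interrupts were disabled on entry they remain disabled after the restore. Making only the save and restore conditional, instead of adding an early return, would keep a single release path to maintain.
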
-- 
2.43.0


Thread overview: 4+ messages
2026-06-20  3:58 [syzbot] [fs?] [mm?] INFO: rcu detected stall in dentry_kill syzbot
2026-06-29  0:19 ` Forwarded: [PATCH] locking/lockdep: skip irq save/restore in hardirq context in lock_release() syzbot
2026-06-29  0:50 ` syzbot [this message]
2026-06-29  1:49 ` syzbot
