From mboxrd@z Thu Jan 1 00:00:00 1970
From: David Miller
Subject: Re: [PATCH] net: scm: Fix a possible sleep-in-atomic-context bug in scm_fp_copy()
Date: Sun, 02 Sep 2018 16:01:44 -0700 (PDT)
Message-ID: <20180902.160144.542360312136980090.davem@davemloft.net>
References: <20180901100026.16956-1-baijiaju1990@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Cc: ktkhai@virtuozzo.com, viro@zeniv.linux.org.uk, adobriyan@gmail.com, dvlasenk@redhat.com, xiyou.wangcong@gmail.com, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
To: baijiaju1990@gmail.com
Return-path:
In-Reply-To: <20180901100026.16956-1-baijiaju1990@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

From: Jia-Ju Bai
Date: Sat, 1 Sep 2018 18:00:26 +0800

> The kernel module may sleep while holding a spinlock.
>
> The function call paths (from bottom to top) in Linux-4.16 are:
>
> [FUNC] kmalloc(GFP_KERNEL)
> net/core/scm.c, 85: kmalloc in scm_fp_copy
> net/core/scm.c, 161: scm_fp_copy in __scm_send
> ./include/net/scm.h, 88: __scm_send in scm_send
> net/unix/af_unix.c, 1600: scm_send in maybe_init_creds
> net/unix/af_unix.c, 1983: maybe_init_creds in unix_stream_sendpage
> net/unix/af_unix.c, 1973: spin_lock in unix_stream_sendpage

Please, do a full analysis of the code for these changes you are submitting.

Read maybe_init_creds(), it sets msg.msg_controllen to zero.

	struct msghdr msg = { .msg_controllen = 0 };

When that is zero, __scm_send() is never called.

	static __inline__ int scm_send(struct socket *sock, struct msghdr *msg,
				       struct scm_cookie *scm, bool forcecreds)
	{
	...
		if (msg->msg_controllen <= 0)
			return 0;
		return __scm_send(sock, msg, scm);

If this bug existed, sleeping in atomic warnings would be triggering all the time and people would report that.
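The argument in the reply is that the reported call chain is syntactically present but not feasible: maybe_init_creds() always passes msg_controllen == 0, so scm_send() returns before __scm_send() and the GFP_KERNEL kmalloc() in scm_fp_copy() are ever reached under the spinlock. The following user-space model is an added example written for this page; it is not kernel code and not part of the patch or the reply. The function names mirror net/core/scm.c and net/unix/af_unix.c, but the bodies are simplified, and the atomic_depth counter standing in for preempt_count()/might_sleep() is an assumption of the model, not the kernel's mechanism.

```c
/* Added example: a user-space model of the scm_send() gate discussed in the thread.
 * NOT the kernel's code. Names mirror net/core/scm.c and net/unix/af_unix.c, but the
 * bodies are reduced to what the sleep-in-atomic argument depends on. */
#include <stddef.h>

/* Only the field the gate looks at; the real struct msghdr has many more. */
struct msghdr { size_t msg_controllen; };

/* Model of preempt_count(): spin_lock() makes the context atomic.
 * (Assumption of the model; the kernel tracks this in preempt_count.) */
static int atomic_depth;

/* Counts how often a sleeping allocation ran in atomic context, i.e. how
 * often the kernel's "sleeping function called from invalid context" warning
 * would have fired in this model. */
static int sleep_in_atomic_violations;
static int scm_send_calls;   /* how often __scm_send() was actually reached */

static void spin_lock(void)   { atomic_depth++; }
static void spin_unlock(void) { atomic_depth--; }

/* Model of kmalloc(..., GFP_KERNEL): may block, so must not run under a spinlock. */
static void *kmalloc_gfp_kernel(size_t n)
{
	(void)n;
	if (atomic_depth > 0)
		sleep_in_atomic_violations++;
	return (void *)1;   /* dummy non-NULL pointer; nothing is really allocated */
}

/* scm_fp_copy() -> kmalloc(GFP_KERNEL), the sink the report points at. */
static int scm_fp_copy(void) { kmalloc_gfp_kernel(64); return 0; }
static int __scm_send(struct msghdr *msg) { (void)msg; scm_send_calls++; return scm_fp_copy(); }

/* The gate quoted in the reply: no control data, no __scm_send(). */
static int scm_send(struct msghdr *msg)
{
	if (msg->msg_controllen <= 0)
		return 0;
	return __scm_send(msg);
}

/* maybe_init_creds() builds its own msghdr with msg_controllen = 0. */
static int maybe_init_creds(void)
{
	struct msghdr msg = { .msg_controllen = 0 };
	return scm_send(&msg);
}

static void reset(void) { sleep_in_atomic_violations = 0; scm_send_calls = 0; atomic_depth = 0; }

/* The path from the report: spin_lock(), then maybe_init_creds().
 * Returns the number of sleep-in-atomic violations (expected: 0). */
int model_unix_stream_sendpage(void)
{
	reset();
	spin_lock();
	maybe_init_creds();
	spin_unlock();
	return sleep_in_atomic_violations;
}

/* Was __scm_send() reached at all on that path? (expected: 0 calls) */
int model_unix_stream_sendpage_reaches_scm_send(void)
{
	model_unix_stream_sendpage();
	return scm_send_calls;
}

/* What the path-insensitive report implicitly assumes: control data arriving
 * under the lock. Nothing in the kernel constructs this msghdr there, so this
 * is the only way the model (or the kernel) could trip the warning. (expected: 1) */
int model_report_assumption(void)
{
	reset();
	struct msghdr msg = { .msg_controllen = 32 };
	spin_lock();
	scm_send(&msg);
	spin_unlock();
	return sleep_in_atomic_violations;
}
```

The point of the contrast is what a reviewer checks before accepting a static-analysis report of this shape: the tool reports a syntactic path from spin_lock() to kmalloc(GFP_KERNEL), but the data flowing along it (msg_controllen == 0) makes the sleeping branch unreachable, so no lock-scope change is warranted.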