Skip to content

Commit

Permalink
netlink: disable IRQs for netlink_lock_table()
Browse files Browse the repository at this point in the history
[ Upstream commit 1d482e6 ]

Syzbot reports that in mac80211 we have a potential deadlock
between our "local->stop_queue_reasons_lock" (spinlock) and
netlink's nl_table_lock (rwlock). This is because there's at
least one situation in which we might try to send a netlink
message with this spinlock held while it is also possible to
take the spinlock from a hardirq context, resulting in the
following deadlock scenario reported by lockdep:

       CPU0                    CPU1
       ----                    ----
  lock(nl_table_lock);
                               local_irq_disable();
                               lock(&local->queue_stop_reason_lock);
                               lock(nl_table_lock);
  <Interrupt>
    lock(&local->queue_stop_reason_lock);

This seems valid, we can take the queue_stop_reason_lock in
any kind of context ("CPU0"), and call ieee80211_report_ack_skb()
with the spinlock held and IRQs disabled ("CPU1") in some
code path (ieee80211_do_stop() via ieee80211_free_txskb()).

Short of disallowing netlink use in scenarios like these
(which would be rather complex in mac80211's case due to
the deep callchain), it seems the only fix for this is to
disable IRQs while nl_table_lock is held to avoid hitting
this scenario, this disallows the "CPU0" portion of the
reported deadlock.

Note that the writer side (netlink_table_grab()) already
disables IRQs for this lock.

Unfortunately though, this seems like a huge hammer, and
maybe the whole netlink table locking should be reworked.

Reported-by: [email protected]
Signed-off-by: Johannes Berg <[email protected]>
Signed-off-by: David S. Miller <[email protected]>
Signed-off-by: Sasha Levin <[email protected]>
Signed-off-by: Lee Jones <[email protected]>
Change-Id: I318844527243eecb945e0b6b64bf633b5f7fda44
  • Loading branch information
jmberg-intel authored and lag-google committed Aug 6, 2021
1 parent b8278d9 commit f08d08a
Showing 1 changed file with 4 additions and 2 deletions.
6 changes: 4 additions & 2 deletions net/netlink/af_netlink.c
Original file line number Diff line number Diff line change
Expand Up @@ -456,11 +456,13 @@ void netlink_table_ungrab(void)
static inline void
netlink_lock_table(void)
{
unsigned long flags;

/* read_lock() synchronizes us to netlink_table_grab */

read_lock(&nl_table_lock);
read_lock_irqsave(&nl_table_lock, flags);
atomic_inc(&nl_table_users);
read_unlock(&nl_table_lock);
read_unlock_irqrestore(&nl_table_lock, flags);
}

static inline void
Expand Down

0 comments on commit f08d08a

Please sign in to comment.