Revision 7ff57e98fb78ad94edafbdc7435f2d745e9e6bb5 authored by Fabio M. De Francesco on 23 February 2022, 10:02:52 UTC, committed by Jakub Kicinski on 24 February 2022, 17:09:33 UTC
smc_pnetid_by_table_ib() uses read_lock() and then it calls smc_pnet_apply_ib()
which, in turn, calls mutex_lock(&smc_ib_devices.mutex).
read_lock() disables preemption. Therefore, the code acquires a mutex while in
atomic context and it leads to a SAC bug.
Fix this bug by replacing the rwlock with a mutex.
Reported-and-tested-by: syzbot+4f322a6d84e991c38775@syzkaller.appspotmail.com
Fixes: 64e28b52c7a6 ("net/smc: add pnet table namespace support")
Confirmed-by: Tony Lu <tonylu@linux.alibaba.com>
Signed-off-by: Fabio M. De Francesco <fmdefrancesco@gmail.com>
Acked-by: Karsten Graul <kgraul@linux.ibm.com>
Link: https://lore.kernel.org/r/20220223100252.22562-1-fmdefrancesco@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
1 parent e13ad14
| File | Mode | Size |
|---|---|---|
| read_overflow-memchr.c | -rw-r--r-- | 123 bytes |
| read_overflow-memchr_inv.c | -rw-r--r-- | 127 bytes |
| read_overflow-memcmp.c | -rw-r--r-- | 124 bytes |
| read_overflow-memscan.c | -rw-r--r-- | 124 bytes |
| read_overflow2-memcmp.c | -rw-r--r-- | 124 bytes |
| read_overflow2-memcpy.c | -rw-r--r-- | 127 bytes |
| read_overflow2-memmove.c | -rw-r--r-- | 128 bytes |
| test_fortify.h | -rw-r--r-- | 775 bytes |
| write_overflow-memcpy.c | -rw-r--r-- | 135 bytes |
| write_overflow-memmove.c | -rw-r--r-- | 136 bytes |
| write_overflow-memset.c | -rw-r--r-- | 130 bytes |
| write_overflow-strcpy-lit.c | -rw-r--r-- | 113 bytes |
| write_overflow-strcpy.c | -rw-r--r-- | 109 bytes |
| write_overflow-strlcpy-src.c | -rw-r--r-- | 129 bytes |
| write_overflow-strlcpy.c | -rw-r--r-- | 143 bytes |
| write_overflow-strncpy-src.c | -rw-r--r-- | 129 bytes |
| write_overflow-strncpy.c | -rw-r--r-- | 143 bytes |
| write_overflow-strscpy.c | -rw-r--r-- | 143 bytes |
Computing file changes ...
