From: Paolo Abeni <pabeni@redhat.com>
To: Andrey Konovalov <andreyknvl@google.com>,
Florian Westphal <fw@strlen.de>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"David S. Miller" <davem@davemloft.net>,
netfilter-devel@vger.kernel.org, netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
Eric Dumazet <edumazet@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net: possible deadlock in skb_queue_tail
Date: Thu, 04 May 2017 16:05:29 +0200 [thread overview]
Message-ID: <1493906729.2274.6.camel@redhat.com> (raw)
In-Reply-To: <CAAeHK+wNPLWKy7q-mpPFrgK6pvnGYA9aPc_rs5d4sSvpvtoxDA@mail.gmail.com>
On Thu, 2017-05-04 at 15:49 +0200, Andrey Konovalov wrote:
> On Fri, Feb 24, 2017 at 3:56 AM, Florian Westphal <fw@strlen.de> wrote:
> > Andrey Konovalov <andreyknvl@google.com> wrote:
> >
> > [ CC Paolo ]
> >
> > > I've got the following error report while fuzzing the kernel with syzkaller.
> > >
> > > On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).
> > >
> > > Unfortunately I can't reproduce it.
> >
> > This needs NETLINK_BROADCAST_ERROR enabled on a netlink socket
> > that then subscribes to netfilter conntrack (ctnetlink) events.
> > probably syzkaller did this by accident -- impressive.
> >
> > (one task is the ctnetlink event redelivery worker
> > which won't be scheduled otherwise).
> >
> > > ======================================================
> > > [ INFO: possible circular locking dependency detected ]
> > > 4.10.0-rc8+ #201 Not tainted
> > > -------------------------------------------------------
> > > kworker/0:2/1404 is trying to acquire lock:
> > > (&(&list->lock)->rlock#3){+.-...}, at: [<ffffffff8335b23f>]
> > > skb_queue_tail+0xcf/0x2f0 net/core/skbuff.c:2478
> > >
> > > but task is already holding lock:
> > > (&(&pcpu->lock)->rlock){+.-...}, at: [<ffffffff8366b55f>] spin_lock
> > > include/linux/spinlock.h:302 [inline]
> > > (&(&pcpu->lock)->rlock){+.-...}, at: [<ffffffff8366b55f>]
> > > ecache_work_evict_list+0xaf/0x590
> > > net/netfilter/nf_conntrack_ecache.c:48
> > >
> > > which lock already depends on the new lock.
> >
> > Cong is correct, this is a false positive.
> >
> > However we should fix this splat.
> >
> > Paolo, this happens since 7c13f97ffde63cc792c49ec1513f3974f2f05229
> > ('udp: do fwd memory scheduling on dequeue'), before this
> > commit kfree_skb() was invoked outside of the locked section in
> > first_packet_length().
> >
> > cpu 0 call chain:
> > - first_packet_length (hold udp sk_receive_queue lock)
> > - kfree_skb
> > - nf_conntrack_destroy
> > - spin_lock(net->ct.pcpu->lock)
> >
> > cpu 1 call chain:
> > - ecache_work_evict_list
> > - spin_lock( net->ct.pcpu->lock)
> > - nf_conntrack_event
> > - aquire netlink socket sk_receive_queue
> >
> > So this could only ever deadlock if a netlink socket
> > calls kfree_skb while holding its sk_receive_queue lock, but afaics
> > this is never the case.
> >
> > There are two ways to avoid this splat (other than lockdep annotation):
> >
> > 1. re-add the list to first_packet_length() and free the
> > skbs outside of locked section.
> >
> > 2. change ecache_work_evict_list to not call nf_conntrack_event()
> > while holding the pcpu lock.
> >
> > doing #2 might be a good idea anyway to avoid potential deadlock
> > when kfree_skb gets invoked while other cpu holds its sk_receive_queue
> > lock, I'll have a look if this is feasible.
>
> Hi!
>
> Any updates on this?
>
> I might have missed the patch if there was one.
>
> Thanks!
That has should be fixed via lockdep annotation with
581319c58600b54612c417aff32ae9bbd79f4cdb
Paolo
prev parent reply other threads:[~2017-05-04 14:05 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-20 13:29 net: possible deadlock in skb_queue_tail Andrey Konovalov
2017-02-20 22:51 ` Cong Wang
2017-02-24 2:56 ` Florian Westphal
2017-05-04 13:49 ` Andrey Konovalov
2017-05-04 14:05 ` Paolo Abeni [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1493906729.2274.6.camel@redhat.com \
--to=pabeni@redhat.com \
--cc=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=fw@strlen.de \
--cc=kadlec@blackhole.kfki.hu \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pablo@netfilter.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.