From: Florian Westphal <fw@strlen.de>
To: Andrey Konovalov <andreyknvl@google.com>
Cc: Pablo Neira Ayuso <pablo@netfilter.org>,
pabeni@redhat.com, Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>,
"David S. Miller" <davem@davemloft.net>,
netfilter-devel@vger.kernel.org, netdev <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
Dmitry Vyukov <dvyukov@google.com>,
Kostya Serebryany <kcc@google.com>,
Eric Dumazet <edumazet@google.com>,
syzkaller <syzkaller@googlegroups.com>
Subject: Re: net: possible deadlock in skb_queue_tail
Date: Fri, 24 Feb 2017 03:56:50 +0100 [thread overview]
Message-ID: <20170224025650.GA16439@breakpoint.cc> (raw)
In-Reply-To: <CAAeHK+yCwsZE9iv+OLHJaU+7FEka8UHy_t5vMqFUBpQ8srBbsQ@mail.gmail.com>
Andrey Konovalov <andreyknvl@google.com> wrote:
[ CC Paolo ]
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit c470abd4fde40ea6a0846a2beab642a578c0b8cd (4.10).
>
> Unfortunately I can't reproduce it.
This needs NETLINK_BROADCAST_ERROR enabled on a netlink socket
that then subscribes to netfilter conntrack (ctnetlink) events.
probably syzkaller did this by accident -- impressive.
(one task is the ctnetlink event redelivery worker
which won't be scheduled otherwise).
> ======================================================
> [ INFO: possible circular locking dependency detected ]
> 4.10.0-rc8+ #201 Not tainted
> -------------------------------------------------------
> kworker/0:2/1404 is trying to acquire lock:
> (&(&list->lock)->rlock#3){+.-...}, at: [<ffffffff8335b23f>]
> skb_queue_tail+0xcf/0x2f0 net/core/skbuff.c:2478
>
> but task is already holding lock:
> (&(&pcpu->lock)->rlock){+.-...}, at: [<ffffffff8366b55f>] spin_lock
> include/linux/spinlock.h:302 [inline]
> (&(&pcpu->lock)->rlock){+.-...}, at: [<ffffffff8366b55f>]
> ecache_work_evict_list+0xaf/0x590
> net/netfilter/nf_conntrack_ecache.c:48
>
> which lock already depends on the new lock.
Cong is correct, this is a false positive.
However we should fix this splat.
Paolo, this happens since 7c13f97ffde63cc792c49ec1513f3974f2f05229
('udp: do fwd memory scheduling on dequeue'), before this
commit kfree_skb() was invoked outside of the locked section in
first_packet_length().
cpu 0 call chain:
- first_packet_length (hold udp sk_receive_queue lock)
- kfree_skb
- nf_conntrack_destroy
- spin_lock(net->ct.pcpu->lock)
cpu 1 call chain:
- ecache_work_evict_list
- spin_lock( net->ct.pcpu->lock)
- nf_conntrack_event
- aquire netlink socket sk_receive_queue
So this could only ever deadlock if a netlink socket
calls kfree_skb while holding its sk_receive_queue lock, but afaics
this is never the case.
There are two ways to avoid this splat (other than lockdep annotation):
1. re-add the list to first_packet_length() and free the
skbs outside of locked section.
2. change ecache_work_evict_list to not call nf_conntrack_event()
while holding the pcpu lock.
doing #2 might be a good idea anyway to avoid potential deadlock
when kfree_skb gets invoked while other cpu holds its sk_receive_queue
lock, I'll have a look if this is feasible.
next prev parent reply other threads:[~2017-02-24 2:56 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-02-20 13:29 net: possible deadlock in skb_queue_tail Andrey Konovalov
2017-02-20 22:51 ` Cong Wang
2017-02-24 2:56 ` Florian Westphal [this message]
2017-05-04 13:49 ` Andrey Konovalov
2017-05-04 14:05 ` Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20170224025650.GA16439@breakpoint.cc \
--to=fw@strlen.de \
--cc=andreyknvl@google.com \
--cc=davem@davemloft.net \
--cc=dvyukov@google.com \
--cc=edumazet@google.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=kcc@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=netfilter-devel@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=pablo@netfilter.org \
--cc=syzkaller@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.