From: Pavel Skripkin <paskripkin@gmail.com>
To: ralf@linux-mips.org, davem@davemloft.net, kuba@kernel.org
Cc: netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: GPF in net subsystem
Date: Wed, 5 May 2021 20:02:42 +0300	[thread overview]
Message-ID: <20210505200242.31d58452@gmail.com> (raw)

Hi, netdev developers!

I've spent some time debugging this bug
https://syzkaller.appspot.com/bug?id=c670fb9da2ce08f7b5101baa9426083b39ee9f90
and, I believe, I found the root cause:

static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
		     bool kern)
{
....
	for (;;) {
		prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
		...
		if (!signal_pending(current)) {
			release_sock(sk);
			schedule();
			lock_sock(sk);
			continue;
		}
		...
	}
...
}

When the calling process is scheduled out, another process can release
this socket and set sk->sk_wq to NULL (in this case nr_release()
will call sock_orphan(sk)). Then a GPF will happen in
prepare_to_wait().

I came up with this patch, but I'm not an expert in the netdev subsystem and
I'm not sure about this one:

diff --git a/net/netrom/af_netrom.c b/net/netrom/af_netrom.c
index 6d16e1ab1a8a..89ceddea48e8 100644
--- a/net/netrom/af_netrom.c
+++ b/net/netrom/af_netrom.c
@@ -803,6 +803,10 @@ static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
 			release_sock(sk);
 			schedule();
 			lock_sock(sk);
+			if (sock_flag(sk, SOCK_DEAD)) {
+				err = -ECONNABORTED;
+				goto out_release;
+			}
 			continue;
 		}
 		err = -ERESTARTSYS;
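Review bot: the new `goto out_release` jumps out of the loop right after lock_sock() without undoing the prepare_to_wait() done at the top of the same iteration, so the stack-allocated `wait` entry is still on the wait queue when nr_accept() returns; unless out_release itself already calls finish_wait() (not visible in this hunk), either set `err = -ECONNABORTED` and `break` so the loop's normal exit path runs its cleanup, or call finish_wait() before the goto. Note that the report above says sk->sk_wq is already NULL at this point, so any cleanup that goes through sk_sleep(sk) would hit the same NULL that prepare_to_wait() does; the SOCK_DEAD check itself is placed correctly, before the loop reaches prepare_to_wait() again.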

I look forward to hearing your perspective on this :)


BTW, I found similar code in:

1) net/ax25/af_ax25.c
2) net/rose/af_rose.c


I hope this will help!

With regards,
Pavel Skripkin
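The race described in the message, as an added user-space model that is not part of the original message and not kernel code: a constructed `model_sock` stands in for `struct sock`, `sk_wq` is the pointer that sock_orphan() clears, and a callback run at the "release_sock(); schedule(); lock_sock();" point plays the other task. prepare_to_wait() is modelled as a function that returns -EFAULT where the kernel would take the GPF, so the three outcomes (peer connects; socket released with no check; socket released with the SOCK_DEAD check) can be compared. All names and the scenario runner are assumptions of this example.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the nr_accept() wait loop; not kernel code. */

struct wait_head {
    int queued;                 /* stands in for the wait_queue_head_t state */
};

struct model_sock {
    struct wait_head *sk_wq;    /* sock_orphan() sets this to NULL */
    int dead;                   /* SOCK_DEAD */
    int pending;                /* number of queued connections */
};

/* Stand-in for prepare_to_wait(sk_sleep(sk), ...): it dereferences sk_wq.
 * The kernel would take a GPF on NULL; here -EFAULT is returned instead so
 * the outcome can be observed. */
static int model_prepare_to_wait(struct model_sock *sk)
{
    if (sk->sk_wq == NULL)
        return -EFAULT;
    sk->sk_wq->queued = 1;
    return 0;
}

/* Stand-in for finish_wait(); skips the queue when it is already gone. */
static void model_finish_wait(struct model_sock *sk)
{
    if (sk->sk_wq != NULL)
        sk->sk_wq->queued = 0;
}

/* What another task may do while the accepting task is asleep. */
typedef void (*while_asleep_fn)(struct model_sock *sk);

/* Model of nr_release() -> sock_orphan(): mark dead, drop the wait queue. */
static void other_task_releases_socket(struct model_sock *sk)
{
    sk->dead = 1;
    sk->sk_wq = NULL;
}

/* The benign case: a peer connects and the accept queue becomes non-empty. */
static void other_task_connects(struct model_sock *sk)
{
    sk->pending++;
}

/*
 * Model of the accept loop. `asleep` runs exactly once, at the point where
 * the real code does release_sock(); schedule(); lock_sock();.  With
 * check_dead == 0 this mirrors the loop as reported; with check_dead != 0 it
 * revalidates the socket after reacquiring the lock before looping back to
 * prepare_to_wait(), and leaves via break so the cleanup below still runs.
 */
static int model_accept(struct model_sock *sk, while_asleep_fn asleep,
                        int check_dead)
{
    int err;

    for (;;) {
        err = model_prepare_to_wait(sk);
        if (err)
            return err;                 /* the GPF, modelled */
        if (sk->pending > 0) {
            sk->pending--;
            err = 0;
            break;
        }
        /* release_sock(sk); schedule(); lock_sock(sk); */
        if (asleep) {
            asleep(sk);
            asleep = NULL;
        }
        if (check_dead && sk->dead) {
            err = -ECONNABORTED;
            break;
        }
        /* continue: back to prepare_to_wait() on a possibly orphaned sock */
    }
    model_finish_wait(sk);
    return err;
}

/* Run one scenario on a fresh socket; returns the accept loop's result. */
static int run_scenario(while_asleep_fn asleep, int check_dead)
{
    struct wait_head wq = { 0 };
    struct model_sock sk = { &wq, 0, 0 };

    return model_accept(&sk, asleep, check_dead);
}

int main(void)
{
    printf("peer connects, no check:     %d\n",
           run_scenario(other_task_connects, 0));
    printf("socket released, no check:   %d (GPF in the kernel)\n",
           run_scenario(other_task_releases_socket, 0));
    printf("socket released, with check: %d (-ECONNABORTED)\n",
           run_scenario(other_task_releases_socket, 1));
    return 0;
}
```

The point the model makes is the general one behind the patch: anything read after a lock is dropped and reacquired must be revalidated before it is used, because the sleeping task has no guarantee about what the other side did in the meantime.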

Thread overview: 3+ messages
2021-05-05 17:02 Pavel Skripkin [this message]
2021-05-06 22:09 ` GPF in net subsystem Jakub Kicinski
2021-05-07  0:40 ` Cong Wang