From: Jakub Kicinski <kuba@kernel.org>
To: Hawkins Jiawei <yin31149@gmail.com>, kafai@fb.com
Cc: syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com,
18801353760@163.com, andrii@kernel.org, ast@kernel.org,
borisp@nvidia.com, bpf@vger.kernel.org, daniel@iogearbox.net,
davem@davemloft.net, edumazet@google.com, jakub@cloudflare.com,
john.fastabend@gmail.com, kgraul@linux.ibm.com,
kpsingh@kernel.org,
linux-kernel-mentees@lists.linuxfoundation.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, paskripkin@gmail.com,
skhan@linuxfoundation.org, songliubraving@fb.com,
syzkaller-bugs@googlegroups.com, yhs@fb.com,
Wen Gu <guwen@linux.alibaba.com>
Subject: Re: [PATCH v4] net: fix refcount bug in sk_psock_get (2)
Date: Wed, 3 Aug 2022 08:14:13 -0700 [thread overview]
Message-ID: <20220803081413.3cc27002@kernel.org> (raw)
In-Reply-To: <20220803124121.173303-1-yin31149@gmail.com>
On Wed, 3 Aug 2022 20:41:22 +0800 Hawkins Jiawei wrote:
> -/* Pointer stored in sk_user_data might not be suitable for copying
> - * when cloning the socket. For instance, it can point to a reference
> - * counted object. sk_user_data bottom bit is set if pointer must not
> - * be copied.
> +/* flag bits in sk_user_data
> + *
> + * SK_USER_DATA_NOCOPY - Pointer stored in sk_user_data might
> + * not be suitable for copying when cloning the socket.
> + * For instance, it can point to a reference counted object.
> + * sk_user_data bottom bit is set if pointer must not be copied.
> + *
> + * SK_USER_DATA_BPF - Managed by BPF
I'd use this opportunity to add more info here, BPF is too general.
Maybe "Pointer is used by a BPF reuseport array"? Martin, WDYT?
> + * SK_USER_DATA_PSOCK - Mark whether pointer stored in sk_user_data points
> + * to psock type. This bit should be set when sk_user_data is
> + * assigned to a psock object.
> +/**
> + * rcu_dereference_sk_user_data_psock - return psock if sk_user_data
> + * points to the psock type(SK_USER_DATA_PSOCK flag is set), otherwise
> + * return NULL
> + *
> + * @sk: socket
> + */
> +static inline
> +struct sk_psock *rcu_dereference_sk_user_data_psock(const struct sock *sk)
nit: the return type more commonly goes on the same line as "static
inline"
> +{
> + uintptr_t __tmp = (uintptr_t)rcu_dereference(__sk_user_data((sk)));
> +
> + if (__tmp & SK_USER_DATA_PSOCK)
> + return (struct sk_psock *)(__tmp & SK_USER_DATA_PTRMASK);
> +
> + return NULL;
> +}
As a follow up we can probably generalize this into
__rcu_dereference_sk_user_data_cond(sk, bit)
and make the psock just call that:
static inline struct sk_psock *
rcu_dereference_sk_user_data_psock(const struct sock *sk)
{
return __rcu_dereference_sk_user_data_cond(sk, SK_USER_DATA_PSOCK);
}
then reuseport can also benefit, maybe:
diff --git a/kernel/bpf/reuseport_array.c b/kernel/bpf/reuseport_array.c
index e2618fb5870e..ad5c447a690c 100644
--- a/kernel/bpf/reuseport_array.c
+++ b/kernel/bpf/reuseport_array.c
@@ -21,14 +21,11 @@ static struct reuseport_array *reuseport_array(struct bpf_map *map)
/* The caller must hold the reuseport_lock */
void bpf_sk_reuseport_detach(struct sock *sk)
{
- uintptr_t sk_user_data;
+ struct sock __rcu **socks;
write_lock_bh(&sk->sk_callback_lock);
- sk_user_data = (uintptr_t)sk->sk_user_data;
- if (sk_user_data & SK_USER_DATA_BPF) {
- struct sock __rcu **socks;
-
- socks = (void *)(sk_user_data & SK_USER_DATA_PTRMASK);
+ socks = __rcu_dereference_sk_user_data_cond(sk, SK_USER_DATA_BPF);
+ if (socks) {
WRITE_ONCE(sk->sk_user_data, NULL);
/*
* Do not move this NULL assignment outside of
But that must be a separate patch, not part of this fix.
WARNING: multiple messages have this Message-ID (diff)
From: Jakub Kicinski <kuba@kernel.org>
To: Hawkins Jiawei <yin31149@gmail.com>, kafai@fb.com
Cc: songliubraving@fb.com, ast@kernel.org, edumazet@google.com,
jakub@cloudflare.com, daniel@iogearbox.net, borisp@nvidia.com,
paskripkin@gmail.com, john.fastabend@gmail.com,
andrii@kernel.org, yhs@fb.com, pabeni@redhat.com,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, kpsingh@kernel.org,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
davem@davemloft.net, Wen Gu <guwen@linux.alibaba.com>,
bpf@vger.kernel.org, kgraul@linux.ibm.com
Subject: Re: [PATCH v4] net: fix refcount bug in sk_psock_get (2)
Date: Wed, 3 Aug 2022 08:14:13 -0700 [thread overview]
Message-ID: <20220803081413.3cc27002@kernel.org> (raw)
In-Reply-To: <20220803124121.173303-1-yin31149@gmail.com>
On Wed, 3 Aug 2022 20:41:22 +0800 Hawkins Jiawei wrote:
> -/* Pointer stored in sk_user_data might not be suitable for copying
> - * when cloning the socket. For instance, it can point to a reference
> - * counted object. sk_user_data bottom bit is set if pointer must not
> - * be copied.
> +/* flag bits in sk_user_data
> + *
> + * SK_USER_DATA_NOCOPY - Pointer stored in sk_user_data might
> + * not be suitable for copying when cloning the socket.
> + * For instance, it can point to a reference counted object.
> + * sk_user_data bottom bit is set if pointer must not be copied.
> + *
> + * SK_USER_DATA_BPF - Managed by BPF
I'd use this opportunity to add more info here, BPF is too general.
Maybe "Pointer is used by a BPF reuseport array"? Martin, WDYT?
> + * SK_USER_DATA_PSOCK - Mark whether pointer stored in sk_user_data points
> + * to psock type. This bit should be set when sk_user_data is
> + * assigned to a psock object.
> +/**
> + * rcu_dereference_sk_user_data_psock - return psock if sk_user_data
> + * points to the psock type(SK_USER_DATA_PSOCK flag is set), otherwise
> + * return NULL
> + *
> + * @sk: socket
> + */
> +static inline
> +struct sk_psock *rcu_dereference_sk_user_data_psock(const struct sock *sk)
nit: the return type more commonly goes on the same line as "static
inline"
> +{
> + uintptr_t __tmp = (uintptr_t)rcu_dereference(__sk_user_data((sk)));
> +
> + if (__tmp & SK_USER_DATA_PSOCK)
> + return (struct sk_psock *)(__tmp & SK_USER_DATA_PTRMASK);
> +
> + return NULL;
> +}
As a follow up we can probably generalize this into
__rcu_dereference_sk_user_data_cond(sk, bit)
and make the psock just call that:
static inline struct sk_psock *
rcu_dereference_sk_user_data_psock(const struct sock *sk)
{
return __rcu_dereference_sk_user_data_cond(sk, SK_USER_DATA_PSOCK);
}
then reuseport can also benefit, maybe:
diff --git a/kernel/bpf/reuseport_array.c b/kernel/bpf/reuseport_array.c
index e2618fb5870e..ad5c447a690c 100644
--- a/kernel/bpf/reuseport_array.c
+++ b/kernel/bpf/reuseport_array.c
@@ -21,14 +21,11 @@ static struct reuseport_array *reuseport_array(struct bpf_map *map)
/* The caller must hold the reuseport_lock */
void bpf_sk_reuseport_detach(struct sock *sk)
{
- uintptr_t sk_user_data;
+ struct sock __rcu **socks;
write_lock_bh(&sk->sk_callback_lock);
- sk_user_data = (uintptr_t)sk->sk_user_data;
- if (sk_user_data & SK_USER_DATA_BPF) {
- struct sock __rcu **socks;
-
- socks = (void *)(sk_user_data & SK_USER_DATA_PTRMASK);
+ socks = __rcu_dereference_sk_user_data_cond(sk, SK_USER_DATA_BPF);
+ if (socks) {
WRITE_ONCE(sk->sk_user_data, NULL);
/*
* Do not move this NULL assignment outside of
But that must be a separate patch, not part of this fix.
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2022-08-03 15:14 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-03 15:34 [syzbot] WARNING: refcount bug in sk_psock_get (2) syzbot
2022-07-09 2:46 ` [PATCH] smc: fix " Hawkins Jiawei
2022-07-09 2:46 ` Hawkins Jiawei
2022-07-09 3:06 ` Jakub Kicinski
2022-07-09 3:06 ` Jakub Kicinski
2022-07-09 8:36 ` Hawkins Jiawei
2022-07-09 8:36 ` Hawkins Jiawei
2022-07-11 7:21 ` Wen Gu
2022-07-11 7:21 ` Wen Gu
2022-07-13 3:10 ` Hawkins Jiawei
2022-07-13 3:10 ` Hawkins Jiawei
2022-07-13 3:33 ` Jakub Kicinski
2022-07-13 3:33 ` Jakub Kicinski
2022-07-13 3:53 ` Hawkins Jiawei
2022-07-13 3:53 ` Hawkins Jiawei
2022-07-12 9:47 ` Dan Carpenter
2022-07-12 9:47 ` Dan Carpenter
2022-07-13 3:35 ` Hawkins Jiawei
2022-07-13 3:35 ` Hawkins Jiawei
2022-07-30 8:56 ` [PATCH v2] net/smc: " Hawkins Jiawei
2022-07-30 8:56 ` Hawkins Jiawei
2022-08-01 9:09 ` Jakub Sitnicki
2022-08-01 9:09 ` Jakub Sitnicki via Linux-kernel-mentees
2022-08-02 14:32 ` Hawkins Jiawei
2022-08-02 14:32 ` Hawkins Jiawei
2022-08-03 8:03 ` [PATCH v3] " Hawkins Jiawei
2022-08-03 8:03 ` Hawkins Jiawei
2022-08-03 11:27 ` Wen Gu
2022-08-03 11:27 ` Wen Gu
2022-08-03 12:07 ` Hawkins Jiawei
2022-08-03 12:07 ` Hawkins Jiawei
2022-08-03 12:41 ` [PATCH v4] net: " Hawkins Jiawei
2022-08-03 12:41 ` Hawkins Jiawei
2022-08-03 15:14 ` Jakub Kicinski [this message]
2022-08-03 15:14 ` Jakub Kicinski
2022-08-03 15:37 ` Martin KaFai Lau
2022-08-03 15:37 ` Martin KaFai Lau via Linux-kernel-mentees
2022-08-04 3:05 ` Hawkins Jiawei
2022-08-04 3:05 ` Hawkins Jiawei
2022-08-04 15:29 ` Jakub Kicinski
2022-08-04 15:29 ` Jakub Kicinski
2022-08-05 6:28 ` Hawkins Jiawei
2022-08-05 6:28 ` Hawkins Jiawei
2022-08-05 7:36 ` [PATCH net v5 0/2] net: enhancements to sk_user_data field Hawkins Jiawei
2022-08-05 7:36 ` Hawkins Jiawei
2022-08-05 7:48 ` [PATCH net v5 1/2] net: fix refcount bug in sk_psock_get (2) Hawkins Jiawei
2022-08-05 7:48 ` Hawkins Jiawei
2022-08-05 7:48 ` [PATCH net v5 2/2] net: refactor bpf_sk_reuseport_detach() Hawkins Jiawei
2022-08-05 7:48 ` Hawkins Jiawei
2022-08-15 18:24 ` Martin KaFai Lau
2022-08-15 18:24 ` Martin KaFai Lau via Linux-kernel-mentees
2022-08-05 10:29 ` [PATCH net v5 0/2] net: enhancements to sk_user_data field Jakub Sitnicki
2022-08-05 10:29 ` Jakub Sitnicki via Linux-kernel-mentees
2022-08-05 15:36 ` Hawkins Jiawei
2022-08-05 15:36 ` Hawkins Jiawei
2022-08-11 5:30 ` patchwork-bot+netdevbpf
2022-08-11 5:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220803081413.3cc27002@kernel.org \
--to=kuba@kernel.org \
--cc=18801353760@163.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=borisp@nvidia.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=guwen@linux.alibaba.com \
--cc=jakub@cloudflare.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kgraul@linux.ibm.com \
--cc=kpsingh@kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paskripkin@gmail.com \
--cc=skhan@linuxfoundation.org \
--cc=songliubraving@fb.com \
--cc=syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=yhs@fb.com \
--cc=yin31149@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.