From: Jakub Sitnicki <jakub@cloudflare.com>
To: Eric Dumazet <edumazet@google.com>,
Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Cc: Boqun Feng <boqun.feng@gmail.com>,
"David S. Miller" <davem@davemloft.net>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
Waiman Long <longman@redhat.com>,
netdev@vger.kernel.org,
syzbot <syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com>,
syzkaller-bugs@googlegroups.com
Subject: Re: WARNING: locking bug in inet_autobind
Date: Tue, 22 Nov 2022 19:02:31 +0100 [thread overview]
Message-ID: <87sfialu2n.fsf@cloudflare.com> (raw)
In-Reply-To: <c9695548-3f27-dda1-3124-ec21da106741@I-love.SAKURA.ne.jp>
On Tue, Sep 27, 2022 at 10:00 PM +09, Tetsuo Handa wrote:
> On 2022/09/19 14:02, Tetsuo Handa wrote:
>> But unfortunately reordering
>>
>> tunnel->sock = sk;
>> ...
>> lockdep_set_class_and_name(&sk->sk_lock.slock,...);
>>
>> by
>>
>> lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock");
>> smp_store_release(&tunnel->sock, sk);
>>
>> does not help, for connect() on AF_INET6 socket is not finding this "sk" by
>> accessing tunnel->sock.
>>
>
> I considered something like below diff, but I came to think that this problem
> cannot be solved unless l2tp_tunnel_register() stops using userspace-supplied
> file descriptor and starts always calling l2tp_tunnel_sock_create(), for
> userspace can continue using userspace-supplied file descriptor as if a normal
> socket even after lockdep_set_class_and_name() told that this is a tunneling
> socket.
>
> Since userspace-supplied file descriptor has to be a datagram socket,
> can we somehow copy the source/destination addresses from
> userspace-supplied socket to kernel-created socket?
>
>
> diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
> index 7499c51b1850..07429bed7c4c 100644
> --- a/net/l2tp/l2tp_core.c
> +++ b/net/l2tp/l2tp_core.c
> @@ -1382,8 +1382,6 @@ static int l2tp_tunnel_sock_create(struct net *net,
> return err;
> }
>
> -static struct lock_class_key l2tp_socket_class;
> -
> int l2tp_tunnel_create(int fd, int version, u32 tunnel_id, u32 peer_tunnel_id,
> struct l2tp_tunnel_cfg *cfg, struct l2tp_tunnel **tunnelp)
> {
> @@ -1509,8 +1507,20 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
>
> tunnel->old_sk_destruct = sk->sk_destruct;
> sk->sk_destruct = &l2tp_tunnel_destruct;
> - lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
> - "l2tp_sock");
> + if (IS_ENABLED(CONFIG_LOCKDEP)) {
> + static struct lock_class_key l2tp_socket_class;
> +
> + /* Changing class/name of an already visible sock might race
> + * with first lock_sock() call on that sock. In order to make
> + * sure that register_lock_class() has completed before
> + * lockdep_set_class_and_name() changes class/name, explicitly
> + * lock/release that sock.
> + */
> + lock_sock(sk);
> + release_sock(sk);
> + lockdep_set_class_and_name(&sk->sk_lock.slock,
> + &l2tp_socket_class, "l2tp_sock");
> + }
> sk->sk_allocation = GFP_ATOMIC;
>
> trace_register_tunnel(tunnel);
What if we revisit Eric's lockdep splat fix in 37159ef2c1ae ("l2tp: fix
a lockdep splat") and:
1. remove the lockdep_set_class_and_name(...) call in l2tp; it looks
like an odd case within the network stack, and
2. switch to bh_lock_sock_nested in l2tp_xmit_core so that we don't
break what has been fixed in 37159ef2c1ae.
Eric, WDYT?
next prev parent reply other threads:[~2022-11-22 18:31 UTC|newest]
Thread overview: 17+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 5:46 WARNING: locking bug in inet_autobind syzbot
2019-05-21 8:31 ` syzbot
2019-05-22 3:16 ` syzbot
[not found] ` <0000000000008b645c058971629b-hpIqsD4AKlfQT0dZR+AlfA@public.gmane.org>
2019-05-22 3:21 ` Zhao, Yong
2022-09-18 15:52 ` Tetsuo Handa
2022-09-18 18:25 ` Boqun Feng
2022-09-19 5:02 ` Tetsuo Handa
2022-09-27 13:00 ` Tetsuo Handa
2022-11-22 18:02 ` Jakub Sitnicki [this message]
2022-12-29 6:26 ` [syzbot] " syzbot
2023-01-03 15:39 ` Felix Kuehling
2023-01-03 16:05 ` Waiman Long
2023-01-03 16:20 ` Felix Kuehling
2023-01-03 22:07 ` Tetsuo Handa
2023-01-03 22:07 ` Tetsuo Handa
2023-01-03 22:07 ` Tetsuo Handa
2023-01-03 22:12 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87sfialu2n.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=boqun.feng@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=longman@redhat.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=penguin-kernel@I-love.SAKURA.ne.jp \
--cc=peterz@infradead.org \
--cc=syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.