From: Jakub Sitnicki <jakub@cloudflare.com>
To: Hawkins Jiawei <yin31149@gmail.com>
Cc: syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com,
andrii@kernel.org, ast@kernel.org, borisp@nvidia.com,
bpf@vger.kernel.org, wenjia@linux.ibm.com, ubraun@linux.ibm.com,
daniel@iogearbox.net, guvenc@linux.ibm.com, davem@davemloft.net,
edumazet@google.com, guwen@linux.alibaba.com,
john.fastabend@gmail.com, kafai@fb.com, kgraul@linux.ibm.com,
kpsingh@kernel.org, kuba@kernel.org,
linux-kernel@vger.kernel.org, netdev@vger.kernel.org,
pabeni@redhat.com, songliubraving@fb.com,
syzkaller-bugs@googlegroups.com, linux-s390@vger.kernel.org,
yhs@fb.com, 18801353760@163.com, paskripkin@gmail.com,
skhan@linuxfoundation.org,
linux-kernel-mentees@lists.linuxfoundation.org
Subject: Re: [PATCH v2] net/smc: fix refcount bug in sk_psock_get (2)
Date: Mon, 01 Aug 2022 11:09:23 +0200 [thread overview]
Message-ID: <87wnbsjpdb.fsf@cloudflare.com> (raw)
In-Reply-To: <20220730085654.2598-1-yin31149@gmail.com>
Hi,
On Sat, Jul 30, 2022 at 04:56 PM +08, Hawkins Jiawei wrote:
> Syzkaller reports refcount bug as follows:
> ------------[ cut here ]------------
> refcount_t: saturated; leaking memory.
> WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
> Modules linked in:
> CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
> ...
> Call Trace:
> <TASK>
> __refcount_add_not_zero include/linux/refcount.h:163 [inline]
> __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
> refcount_inc_not_zero include/linux/refcount.h:245 [inline]
> sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
> tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
> tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
> tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
> tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
> tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
> sk_backlog_rcv include/net/sock.h:1061 [inline]
> __release_sock+0x134/0x3b0 net/core/sock.c:2849
> release_sock+0x54/0x1b0 net/core/sock.c:3404
> inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
> __sys_shutdown_sock net/socket.c:2331 [inline]
> __sys_shutdown_sock net/socket.c:2325 [inline]
> __sys_shutdown+0xf1/0x1b0 net/socket.c:2343
> __do_sys_shutdown net/socket.c:2351 [inline]
> __se_sys_shutdown net/socket.c:2349 [inline]
> __x64_sys_shutdown+0x50/0x70 net/socket.c:2349
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
> </TASK>
>
> During SMC fallback process in connect syscall, kernel will
> replaces TCP with SMC. In order to forward wakeup
> smc socket waitqueue after fallback, kernel will sets
> clcsk->sk_user_data to origin smc socket in
> smc_fback_replace_callbacks().
>
> Later, in shutdown syscall, kernel will calls
> sk_psock_get(), which treats the clcsk->sk_user_data
> as sk_psock type, triggering the refcnt warning.
>
> So, the root cause is that smc and psock, both will use
> sk_user_data field. So they will mismatch this field
> easily.
>
> This patch solves it by using another bit(defined as
> SK_USER_DATA_NOTPSOCK) in PTRMASK, to mark whether
> sk_user_data points to a sk_psock object or not.
> This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e
> ("net, sk_msg: Clear sk_user_data pointer on clone if tagged").
>
> Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
> Fixes: a60a2b1e0af1 ("net/smc: reduce active tcp_listen workers")
> Reported-and-tested-by: syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> Acked-by: Wen Gu <guwen@linux.alibaba.com>
> Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
> ---
Since using psock is not the common case, I'm wondering if it makes more
sense to have an inverse flag - SK_USER_DATA_PSOCK. Flag would be set by
the psock code on assignment to sk_user_data.
This way we would also avoid some confusion. With the change below, the
SK_USER_DATA_NOTPSOCK is not *always* set when sk_user_data holds a
non-psock pointer. Only when SMC sets it.
If we go with the current approach, the rest of sites, execpt for psock,
that assign to sk_user_data should be updated to set
SK_USER_DATA_NOTPSOCK as well, IMO.
That is why I'd do it the other way.
[...]
WARNING: multiple messages have this Message-ID (diff)
From: Jakub Sitnicki via Linux-kernel-mentees <linux-kernel-mentees@lists.linuxfoundation.org>
To: Hawkins Jiawei <yin31149@gmail.com>
Cc: songliubraving@fb.com, guvenc@linux.ibm.com, ast@kernel.org,
edumazet@google.com, linux-s390@vger.kernel.org,
daniel@iogearbox.net, davem@davemloft.net, borisp@nvidia.com,
paskripkin@gmail.com, john.fastabend@gmail.com,
andrii@kernel.org, kuba@kernel.org, pabeni@redhat.com,
linux-kernel-mentees@lists.linuxfoundation.org,
syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com,
syzkaller-bugs@googlegroups.com, ubraun@linux.ibm.com,
kpsingh@kernel.org, wenjia@linux.ibm.com, yhs@fb.com,
netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
kgraul@linux.ibm.com, guwen@linux.alibaba.com,
bpf@vger.kernel.org, kafai@fb.com
Subject: Re: [PATCH v2] net/smc: fix refcount bug in sk_psock_get (2)
Date: Mon, 01 Aug 2022 11:09:23 +0200 [thread overview]
Message-ID: <87wnbsjpdb.fsf@cloudflare.com> (raw)
In-Reply-To: <20220730085654.2598-1-yin31149@gmail.com>
Hi,
On Sat, Jul 30, 2022 at 04:56 PM +08, Hawkins Jiawei wrote:
> Syzkaller reports refcount bug as follows:
> ------------[ cut here ]------------
> refcount_t: saturated; leaking memory.
> WARNING: CPU: 1 PID: 3605 at lib/refcount.c:19 refcount_warn_saturate+0xf4/0x1e0 lib/refcount.c:19
> Modules linked in:
> CPU: 1 PID: 3605 Comm: syz-executor208 Not tainted 5.18.0-syzkaller-03023-g7e062cda7d90 #0
> ...
> Call Trace:
> <TASK>
> __refcount_add_not_zero include/linux/refcount.h:163 [inline]
> __refcount_inc_not_zero include/linux/refcount.h:227 [inline]
> refcount_inc_not_zero include/linux/refcount.h:245 [inline]
> sk_psock_get+0x3bc/0x410 include/linux/skmsg.h:439
> tls_data_ready+0x6d/0x1b0 net/tls/tls_sw.c:2091
> tcp_data_ready+0x106/0x520 net/ipv4/tcp_input.c:4983
> tcp_data_queue+0x25f2/0x4c90 net/ipv4/tcp_input.c:5057
> tcp_rcv_state_process+0x1774/0x4e80 net/ipv4/tcp_input.c:6659
> tcp_v4_do_rcv+0x339/0x980 net/ipv4/tcp_ipv4.c:1682
> sk_backlog_rcv include/net/sock.h:1061 [inline]
> __release_sock+0x134/0x3b0 net/core/sock.c:2849
> release_sock+0x54/0x1b0 net/core/sock.c:3404
> inet_shutdown+0x1e0/0x430 net/ipv4/af_inet.c:909
> __sys_shutdown_sock net/socket.c:2331 [inline]
> __sys_shutdown_sock net/socket.c:2325 [inline]
> __sys_shutdown+0xf1/0x1b0 net/socket.c:2343
> __do_sys_shutdown net/socket.c:2351 [inline]
> __se_sys_shutdown net/socket.c:2349 [inline]
> __x64_sys_shutdown+0x50/0x70 net/socket.c:2349
> do_syscall_x64 arch/x86/entry/common.c:50 [inline]
> do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
> entry_SYSCALL_64_after_hwframe+0x46/0xb0
> </TASK>
>
> During SMC fallback process in connect syscall, kernel will
> replaces TCP with SMC. In order to forward wakeup
> smc socket waitqueue after fallback, kernel will sets
> clcsk->sk_user_data to origin smc socket in
> smc_fback_replace_callbacks().
>
> Later, in shutdown syscall, kernel will calls
> sk_psock_get(), which treats the clcsk->sk_user_data
> as sk_psock type, triggering the refcnt warning.
>
> So, the root cause is that smc and psock, both will use
> sk_user_data field. So they will mismatch this field
> easily.
>
> This patch solves it by using another bit(defined as
> SK_USER_DATA_NOTPSOCK) in PTRMASK, to mark whether
> sk_user_data points to a sk_psock object or not.
> This patch depends on a PTRMASK introduced in commit f1ff5ce2cd5e
> ("net, sk_msg: Clear sk_user_data pointer on clone if tagged").
>
> Fixes: 341adeec9ada ("net/smc: Forward wakeup to smc socket waitqueue after fallback")
> Fixes: a60a2b1e0af1 ("net/smc: reduce active tcp_listen workers")
> Reported-and-tested-by: syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com
> Suggested-by: Jakub Kicinski <kuba@kernel.org>
> Acked-by: Wen Gu <guwen@linux.alibaba.com>
> Signed-off-by: Hawkins Jiawei <yin31149@gmail.com>
> ---
Since using psock is not the common case, I'm wondering if it makes more
sense to have an inverse flag - SK_USER_DATA_PSOCK. Flag would be set by
the psock code on assignment to sk_user_data.
This way we would also avoid some confusion. With the change below, the
SK_USER_DATA_NOTPSOCK is not *always* set when sk_user_data holds a
non-psock pointer. Only when SMC sets it.
If we go with the current approach, the rest of sites, execpt for psock,
that assign to sk_user_data should be updated to set
SK_USER_DATA_NOTPSOCK as well, IMO.
That is why I'd do it the other way.
[...]
_______________________________________________
Linux-kernel-mentees mailing list
Linux-kernel-mentees@lists.linuxfoundation.org
https://lists.linuxfoundation.org/mailman/listinfo/linux-kernel-mentees
next prev parent reply other threads:[~2022-08-01 9:16 UTC|newest]
Thread overview: 57+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-03 15:34 [syzbot] WARNING: refcount bug in sk_psock_get (2) syzbot
2022-07-09 2:46 ` [PATCH] smc: fix " Hawkins Jiawei
2022-07-09 2:46 ` Hawkins Jiawei
2022-07-09 3:06 ` Jakub Kicinski
2022-07-09 3:06 ` Jakub Kicinski
2022-07-09 8:36 ` Hawkins Jiawei
2022-07-09 8:36 ` Hawkins Jiawei
2022-07-11 7:21 ` Wen Gu
2022-07-11 7:21 ` Wen Gu
2022-07-13 3:10 ` Hawkins Jiawei
2022-07-13 3:10 ` Hawkins Jiawei
2022-07-13 3:33 ` Jakub Kicinski
2022-07-13 3:33 ` Jakub Kicinski
2022-07-13 3:53 ` Hawkins Jiawei
2022-07-13 3:53 ` Hawkins Jiawei
2022-07-12 9:47 ` Dan Carpenter
2022-07-12 9:47 ` Dan Carpenter
2022-07-13 3:35 ` Hawkins Jiawei
2022-07-13 3:35 ` Hawkins Jiawei
2022-07-30 8:56 ` [PATCH v2] net/smc: " Hawkins Jiawei
2022-07-30 8:56 ` Hawkins Jiawei
2022-08-01 9:09 ` Jakub Sitnicki [this message]
2022-08-01 9:09 ` Jakub Sitnicki via Linux-kernel-mentees
2022-08-02 14:32 ` Hawkins Jiawei
2022-08-02 14:32 ` Hawkins Jiawei
2022-08-03 8:03 ` [PATCH v3] " Hawkins Jiawei
2022-08-03 8:03 ` Hawkins Jiawei
2022-08-03 11:27 ` Wen Gu
2022-08-03 11:27 ` Wen Gu
2022-08-03 12:07 ` Hawkins Jiawei
2022-08-03 12:07 ` Hawkins Jiawei
2022-08-03 12:41 ` [PATCH v4] net: " Hawkins Jiawei
2022-08-03 12:41 ` Hawkins Jiawei
2022-08-03 15:14 ` Jakub Kicinski
2022-08-03 15:14 ` Jakub Kicinski
2022-08-03 15:37 ` Martin KaFai Lau
2022-08-03 15:37 ` Martin KaFai Lau via Linux-kernel-mentees
2022-08-04 3:05 ` Hawkins Jiawei
2022-08-04 3:05 ` Hawkins Jiawei
2022-08-04 15:29 ` Jakub Kicinski
2022-08-04 15:29 ` Jakub Kicinski
2022-08-05 6:28 ` Hawkins Jiawei
2022-08-05 6:28 ` Hawkins Jiawei
2022-08-05 7:36 ` [PATCH net v5 0/2] net: enhancements to sk_user_data field Hawkins Jiawei
2022-08-05 7:36 ` Hawkins Jiawei
2022-08-05 7:48 ` [PATCH net v5 1/2] net: fix refcount bug in sk_psock_get (2) Hawkins Jiawei
2022-08-05 7:48 ` Hawkins Jiawei
2022-08-05 7:48 ` [PATCH net v5 2/2] net: refactor bpf_sk_reuseport_detach() Hawkins Jiawei
2022-08-05 7:48 ` Hawkins Jiawei
2022-08-15 18:24 ` Martin KaFai Lau
2022-08-15 18:24 ` Martin KaFai Lau via Linux-kernel-mentees
2022-08-05 10:29 ` [PATCH net v5 0/2] net: enhancements to sk_user_data field Jakub Sitnicki
2022-08-05 10:29 ` Jakub Sitnicki via Linux-kernel-mentees
2022-08-05 15:36 ` Hawkins Jiawei
2022-08-05 15:36 ` Hawkins Jiawei
2022-08-11 5:30 ` patchwork-bot+netdevbpf
2022-08-11 5:30 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87wnbsjpdb.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=18801353760@163.com \
--cc=andrii@kernel.org \
--cc=ast@kernel.org \
--cc=borisp@nvidia.com \
--cc=bpf@vger.kernel.org \
--cc=daniel@iogearbox.net \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=guvenc@linux.ibm.com \
--cc=guwen@linux.alibaba.com \
--cc=john.fastabend@gmail.com \
--cc=kafai@fb.com \
--cc=kgraul@linux.ibm.com \
--cc=kpsingh@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel-mentees@lists.linuxfoundation.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=paskripkin@gmail.com \
--cc=skhan@linuxfoundation.org \
--cc=songliubraving@fb.com \
--cc=syzbot+5f26f85569bd179c18ce@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=ubraun@linux.ibm.com \
--cc=wenjia@linux.ibm.com \
--cc=yhs@fb.com \
--cc=yin31149@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.