From: Wen Gu <guwen@linux.alibaba.com>
To: Alexandra Winter <wintera@linux.ibm.com>,
wenjia@linux.ibm.com, jaka@linux.ibm.com, davem@davemloft.net,
edumazet@google.com, kuba@kernel.org, pabeni@redhat.com
Cc: alibuda@linux.alibaba.com, tonylu@linux.alibaba.com,
horms@kernel.org, linux-rdma@vger.kernel.org,
linux-s390@vger.kernel.org, netdev@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: [PATCH net 2/2] net/smc: fix LGR and link use-after-free issue
Date: Wed, 27 Nov 2024 15:03:44 +0800 [thread overview]
Message-ID: <dfe1ba19-a1fe-4d29-b7f5-40d7b62ce144@linux.alibaba.com> (raw)
In-Reply-To: <0d62917a-f64e-4be1-95c9-649f1a24d676@linux.ibm.com>
On 2024/11/25 21:02, Alexandra Winter wrote:
>
>
> On 25.11.24 11:00, Wen Gu wrote:
>>> I wonder if this can deadlock, when you take lock_sock so far down in the callchain.
>>> example:
>>> smc_connect will first take lock_sock(sk) and then mutex_lock(&smc_server_lgr_pending); (e.g. in smc_connect_ism())
>>> wheras
>>> smc_listen_work() will take mutex_lock(&smc_server_lgr_pending); and then lock_sock(sk) (in your __smc_conn_abort(,,false))
>>>
>>> I am not sure whether this can be called on the same socket, but it looks suspicious to me.
>>>
>>
>> IMHO this two paths can not occur on the same sk.
>>
>>>
>>> All callers of smc_conn_abort() without socklock seem to originate from smc_listen_work().
>>> That makes me think whether smc_listen_work() should do lock_sock(sk) on a higher level.
>>>
>>
>> Yes, I also think about this question, I guess it is because the new smc sock will be
>> accepted by userspace only after smc_listen_work() is completed. Before that, no userspace
>> operation occurs synchronously with it, so it is not protected by sock lock. But I am not
>> sure if there are other reasons, so I did not aggressively protect the entire smc_listen_work
>> with sock lock, but chose a conservative approach.
>>
>>> Do you have an example which function could collide with smc_listen_work()?
>>> i.e. have you found a way to reproduce this?
>>>
>>
>> We discovered this during our fault injection testing where the rdma driver was rmmod/insmod
>> sporadically during the nginx/wrk 1K connections test.
>>
>> e.g.
>>
>> __smc_lgr_terminate | smc_listen_decline
>> (caused by rmmod mlx5_ib) | (caused by e.g. reg mr fail)
>> --------------------------------------------------------------
>> lock_sock |
>> smc_conn_kill | smc_conn_abort
>> \- smc_conn_free | \- smc_conn_free
>> release_sock |
>
>
> Thank you for the explanations. So the most suspicious scenario is
> smc_listen_work() colliding with
> __smc_lgr_terminate() -> smc_conn_kill() of the conn and smc socket that is just under
> construction by smc_listen_work() (without socklock).
>
> I am wondering, if other parts of smc_listen_work() are allowed to run in parallel
> with smc_conn_kill() of this smc socket??
>
Ideally, smc_listen_work should be all covered by new_smc's sock lock, mutually
exclusive with other conn operations.
But I need to look deeper into the smc_listen_work() implementation to see if
all-covered by sock lock is feasible. At least some of the places already protected
by new_smc's sock lock need to be excluded or handled.
e.g.
smc_listen_work()
\- smc_listen_out_xxx()
\- smc_listen_out()
\- smc_close_non_accepted() -> take the new_smc's sock lock.
> My impression would be that the whole smc_listen_work() should be protected against
> smc_conn_kill(), not only smc_conn_free.
>
Thanks!
prev parent reply other threads:[~2024-11-27 7:03 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-11-22 7:16 [PATCH net 0/2] two fixes for SMC Wen Gu
2024-11-22 7:16 ` [PATCH net 1/2] net/smc: initialize close_work early to avoid warning Wen Gu
2024-11-22 15:56 ` Wenjia Zhang
2024-11-22 16:17 ` Alexandra Winter
2024-11-22 7:16 ` [PATCH net 2/2] net/smc: fix LGR and link use-after-free issue Wen Gu
2024-11-22 15:56 ` Wenjia Zhang
2024-11-25 6:46 ` Wen Gu
2024-11-26 12:12 ` Wenjia Zhang
2024-11-26 12:19 ` Wenjia Zhang
2024-11-22 16:03 ` Alexandra Winter
2024-11-22 16:11 ` Alexandra Winter
2024-11-25 10:00 ` Wen Gu
2024-11-25 13:02 ` Alexandra Winter
2024-11-27 7:03 ` Wen Gu [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=dfe1ba19-a1fe-4d29-b7f5-40d7b62ce144@linux.alibaba.com \
--to=guwen@linux.alibaba.com \
--cc=alibuda@linux.alibaba.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jaka@linux.ibm.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=linux-s390@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=tonylu@linux.alibaba.com \
--cc=wenjia@linux.ibm.com \
--cc=wintera@linux.ibm.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox