From: Fernando Fernandez Mancera <fmancera@suse.de>
To: netdev@vger.kernel.org
Cc: rds-devel@oss.oracle.com, linux-rdma@vger.kernel.org,
gerd.rausch@oracle.com, horms@kernel.org, pabeni@redhat.com,
kuba@kernel.org, edumazet@google.com, davem@davemloft.net,
allison.henderson@oracle.com,
Fernando Fernandez Mancera <fmancera@suse.de>,
syzbot+5efae91f60932839f0a5@syzkaller.appspotmail.com
Subject: [PATCH net v2] net/rds: fix recursive lock in rds_tcp_conn_slots_available
Date: Tue, 17 Feb 2026 23:38:02 +0100 [thread overview]
Message-ID: <20260217223802.21659-1-fmancera@suse.de> (raw)
syzbot reported a recursive lock warning in rds_tcp_get_peer_sport() as
it calls inet6_getname() which acquires the socket lock that was already
held by __release_sock().
kworker/u8:6/2985 is trying to acquire lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
but task is already holding lock:
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: lock_sock include/net/sock.h:1709 [inline]
ffff88807a07aa20 (k-sk_lock-AF_INET6){+.+.}-{0:0}, at: tcp_sock_set_cork+0x2c/0x2e0 net/ipv4/tcp.c:3694
lock_sock_nested+0x48/0x100 net/core/sock.c:3780
lock_sock include/net/sock.h:1709 [inline]
inet6_getname+0x15d/0x650 net/ipv6/af_inet6.c:533
rds_tcp_get_peer_sport net/rds/tcp_listen.c:70 [inline]
rds_tcp_conn_slots_available+0x288/0x470 net/rds/tcp_listen.c:149
rds_recv_hs_exthdrs+0x60f/0x7c0 net/rds/recv.c:265
rds_recv_incoming+0x9f6/0x12d0 net/rds/recv.c:389
rds_tcp_data_recv+0x7f1/0xa40 net/rds/tcp_recv.c:243
__tcp_read_sock+0x196/0x970 net/ipv4/tcp.c:1702
rds_tcp_read_sock net/rds/tcp_recv.c:277 [inline]
rds_tcp_data_ready+0x369/0x950 net/rds/tcp_recv.c:331
tcp_rcv_established+0x19e9/0x2670 net/ipv4/tcp_input.c:6675
tcp_v6_do_rcv+0x8eb/0x1ba0 net/ipv6/tcp_ipv6.c:1609
sk_backlog_rcv include/net/sock.h:1185 [inline]
__release_sock+0x1b8/0x3a0 net/core/sock.c:3213
Reading from the socket struct directly is safe from both possible
paths. For rds_tcp_accept_one(), the socket was just accepted and no
concurrent access is possible yet. For rds_tcp_conn_slots_available()
the lock is already held because we are in the receiving path.
Note that it is also safe to call rds_tcp_conn_slots_available() from
rds_conn_shutdown() because the fan-out is disabled.
Fixes: 9d27a0fb122f ("net/rds: Trigger rds_send_ping() more than once")
Reported-by: syzbot+5efae91f60932839f0a5@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=5efae91f60932839f0a5
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
---
v2: clarified commit message and add a comment around
rds_conn_shutdown() path
---
net/rds/connection.c | 3 +++
net/rds/tcp_listen.c | 28 +++++-----------------------
2 files changed, 8 insertions(+), 23 deletions(-)
diff --git a/net/rds/connection.c b/net/rds/connection.c
index 185f73b01694..a542f94c0214 100644
--- a/net/rds/connection.c
+++ b/net/rds/connection.c
@@ -455,6 +455,9 @@ void rds_conn_shutdown(struct rds_conn_path *cp)
rcu_read_unlock();
}
+ /* we do not hold the socket lock here but it is safe because
+ * fan-out is disabled when calling conn_slots_available()
+ */
if (conn->c_trans->conn_slots_available)
conn->c_trans->conn_slots_available(conn, false);
}
diff --git a/net/rds/tcp_listen.c b/net/rds/tcp_listen.c
index 6fb5c928b8fd..a36e5dfd6c66 100644
--- a/net/rds/tcp_listen.c
+++ b/net/rds/tcp_listen.c
@@ -59,30 +59,12 @@ void rds_tcp_keepalive(struct socket *sock)
static int
rds_tcp_get_peer_sport(struct socket *sock)
{
- union {
- struct sockaddr_storage storage;
- struct sockaddr addr;
- struct sockaddr_in sin;
- struct sockaddr_in6 sin6;
- } saddr;
- int sport;
-
- if (kernel_getpeername(sock, &saddr.addr) >= 0) {
- switch (saddr.addr.sa_family) {
- case AF_INET:
- sport = ntohs(saddr.sin.sin_port);
- break;
- case AF_INET6:
- sport = ntohs(saddr.sin6.sin6_port);
- break;
- default:
- sport = -1;
- }
- } else {
- sport = -1;
- }
+ struct sock *sk = sock->sk;
+
+ if (!sk)
+ return -1;
- return sport;
+ return ntohs(inet_sk(sk)->inet_dport);
}
/* rds_tcp_accept_one_path(): if accepting on cp_index > 0, make sure the
--
2.53.0
next reply other threads:[~2026-02-17 22:38 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-17 22:38 Fernando Fernandez Mancera [this message]
2026-02-17 22:47 ` [PATCH net v2] net/rds: fix recursive lock in rds_tcp_conn_slots_available Gerd Rausch
2026-02-18 10:02 ` [net,v2] " Simon Horman
2026-02-18 17:13 ` Fernando Fernandez Mancera
2026-02-18 20:08 ` Allison Henderson
2026-02-19 8:44 ` Simon Horman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260217223802.21659-1-fmancera@suse.de \
--to=fmancera@suse.de \
--cc=allison.henderson@oracle.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=gerd.rausch@oracle.com \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-rdma@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=rds-devel@oss.oracle.com \
--cc=syzbot+5efae91f60932839f0a5@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox