* [PATCH net] phonet/pep: disable BH around forwarded sk_receive_skb()
@ 2026-05-19 17:26 Zijing Yin
2026-05-20 11:53 ` Rémi Denis-Courmont
0 siblings, 1 reply; 2+ messages in thread
From: Zijing Yin @ 2026-05-19 17:26 UTC (permalink / raw)
To: Remi Denis-Courmont
Cc: Zijing Yin, David S. Miller, Eric Dumazet, Jakub Kicinski,
Paolo Abeni, Simon Horman, netdev, linux-kernel, stable
The networking receive path is usually run from softirq context, but
protocols that take the socket lock may have packets stored in the
backlog and processed later from process context. In that case
release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
and then calls sk->sk_backlog_rcv() with bottom halves enabled.
Typical sk_backlog_rcv handlers process the socket whose backlog is
being drained, so the BH state at entry is irrelevant for the slocks
they touch. pep_do_rcv() is different: when the inbound skb targets an
existing PEP pipe, it forwards the skb to a different *child* socket
via sk_receive_skb(). That helper takes the child slock with
bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
is already off. The same child slock therefore ends up acquired with
BH on (process path) and with BH off (softirq path):
process context softirq context
--------------- ---------------
release_sock(listener) __netif_receive_skb()
__release_sock() phonet_rcv()
spin_unlock_bh() __sk_receive_skb(listener)
[BH now ENABLED] [BH already disabled]
sk_backlog_rcv: sk_backlog_rcv:
pep_do_rcv() pep_do_rcv()
sk_receive_skb(child) sk_receive_skb(child)
bh_lock_sock_nested(child) bh_lock_sock_nested(child)
=> SOFTIRQ-ON-W => IN-SOFTIRQ-W
Lockdep flags this as inconsistent lock state, and it can become a real
self-deadlock if a softirq on the same CPU tries to receive to the same
child socket while its slock is held in the BH-enabled path:
WARNING: inconsistent lock state
inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
(slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
__sk_receive_skb net/core/sock.c:563
sk_receive_skb include/net/sock.h:2022 [inline]
pep_do_rcv net/phonet/pep.c:675
sk_backlog_rcv include/net/sock.h:1190
__release_sock net/core/sock.c:3216
release_sock net/core/sock.c:3815
pep_sock_accept net/phonet/pep.c:879
Wrap the forwarded sk_receive_skb() in local_bh_disable() /
local_bh_enable() so the child slock is always acquired with BH off.
local_bh_disable() nests safely on the softirq path.
Discovered via in-house syzkaller fuzzing; the same root cause also
on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
https://pastebin.com/A3t8xzCR
Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
Link: https://syzkaller.appspot.com/bug?extid=44f0626dd6284f02663c
Cc: stable@vger.kernel.org
Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
---
net/phonet/pep.c | 19 +++++++++++++++++--
1 file changed, 17 insertions(+), 2 deletions(-)
diff --git a/net/phonet/pep.c b/net/phonet/pep.c
index 4dbf0914df7d..cc6226cc4343 100644
--- a/net/phonet/pep.c
+++ b/net/phonet/pep.c
@@ -671,8 +671,23 @@ static int pep_do_rcv(struct sock *sk, struct sk_buff *skb)
/* Look for an existing pipe handle */
sknode = pep_find_pipe(&pn->hlist, &dst, pipe_handle);
- if (sknode)
- return sk_receive_skb(sknode, skb, 1);
+ if (sknode) {
+ int rc;
+
+ /*
+ * pep_do_rcv() runs from two contexts: from softirq via
+ * phonet_rcv() -> __sk_receive_skb() with BH disabled, and from
+ * process context via release_sock() -> __release_sock(), which
+ * drops the listener slock with spin_unlock_bh() before draining
+ * the backlog. The child pipe slock is taken below via
+ * bh_lock_sock_nested(), which does not itself disable BH, so
+ * disable BH here to keep both acquire contexts consistent.
+ */
+ local_bh_disable();
+ rc = sk_receive_skb(sknode, skb, 1);
+ local_bh_enable();
+ return rc;
+ }
switch (hdr->message_id) {
case PNS_PEP_CONNECT_REQ:
base-commit: edc502717be153674b0b3eefb8b40734c747c138
--
2.43.0
^ permalink raw reply related [flat|nested] 2+ messages in thread
* Re: [PATCH net] phonet/pep: disable BH around forwarded sk_receive_skb()
2026-05-19 17:26 [PATCH net] phonet/pep: disable BH around forwarded sk_receive_skb() Zijing Yin
@ 2026-05-20 11:53 ` Rémi Denis-Courmont
0 siblings, 0 replies; 2+ messages in thread
From: Rémi Denis-Courmont @ 2026-05-20 11:53 UTC (permalink / raw)
To: Zijing Yin, Remi Denis-Courmont
Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Paolo Abeni,
Simon Horman, netdev, linux-kernel, stable
Le 19 mai 2026 20:26:33 GMT+03:00, Zijing Yin <yzjaurora@gmail.com> a écrit :
>The networking receive path is usually run from softirq context, but
>protocols that take the socket lock may have packets stored in the
>backlog and processed later from process context. In that case
>release_sock() -> __release_sock() drops the slock with spin_unlock_bh()
>and then calls sk->sk_backlog_rcv() with bottom halves enabled.
>
>Typical sk_backlog_rcv handlers process the socket whose backlog is
>being drained, so the BH state at entry is irrelevant for the slocks
>they touch. pep_do_rcv() is different: when the inbound skb targets an
>existing PEP pipe, it forwards the skb to a different *child* socket
>via sk_receive_skb(). That helper takes the child slock with
>bh_lock_sock_nested(), which is just spin_lock_nested() and assumes BH
>is already off. The same child slock therefore ends up acquired with
>BH on (process path) and with BH off (softirq path):
>
> process context softirq context
> --------------- ---------------
> release_sock(listener) __netif_receive_skb()
> __release_sock() phonet_rcv()
> spin_unlock_bh() __sk_receive_skb(listener)
> [BH now ENABLED] [BH already disabled]
> sk_backlog_rcv: sk_backlog_rcv:
> pep_do_rcv() pep_do_rcv()
> sk_receive_skb(child) sk_receive_skb(child)
> bh_lock_sock_nested(child) bh_lock_sock_nested(child)
> => SOFTIRQ-ON-W => IN-SOFTIRQ-W
>
>Lockdep flags this as inconsistent lock state, and it can become a real
>self-deadlock if a softirq on the same CPU tries to receive to the same
>child socket while its slock is held in the BH-enabled path:
>
> WARNING: inconsistent lock state
> inconsistent {SOFTIRQ-ON-W} -> {IN-SOFTIRQ-W} usage.
> (slock-AF_PHONET/1){+.?.}-{3:3}, at: __sk_receive_skb+0x1cf/0x900
> __sk_receive_skb net/core/sock.c:563
> sk_receive_skb include/net/sock.h:2022 [inline]
> pep_do_rcv net/phonet/pep.c:675
> sk_backlog_rcv include/net/sock.h:1190
> __release_sock net/core/sock.c:3216
> release_sock net/core/sock.c:3815
> pep_sock_accept net/phonet/pep.c:879
>
>Wrap the forwarded sk_receive_skb() in local_bh_disable() /
>local_bh_enable() so the child slock is always acquired with BH off.
>local_bh_disable() nests safely on the softirq path.
>
>Discovered via in-house syzkaller fuzzing; the same root cause also
>on the linux-6.1.y syzbot dashboard as extid 44f0626dd6284f02663c.
>Reproduced under KASAN + LOCKDEP + PROVE_LOCKING, reproducer:
>https://pastebin.com/A3t8xzCR
>
>Fixes: 9641458d3ec4 ("Phonet: Pipe End Point for Phonet Pipes protocol")
>Link: https://syzkaller.appspot.com/bug?extid=44f0626dd6284f02663c
>Cc: stable@vger.kernel.org
>Signed-off-by: Zijing Yin <yzjaurora@gmail.com>
Acked-by: Rémi Denis-Courmont <remi@remlab.net>
^ permalink raw reply [flat|nested] 2+ messages in thread
end of thread, other threads:[~2026-05-20 12:03 UTC | newest]
Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-19 17:26 [PATCH net] phonet/pep: disable BH around forwarded sk_receive_skb() Zijing Yin
2026-05-20 11:53 ` Rémi Denis-Courmont
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox