From: Paolo Abeni <pabeni@redhat.com>
To: Jakub Kicinski <kuba@kernel.org>,
Jiayuan Chen <jiayuan.chen@linux.dev>,
Josef Bacik <josef@toxicpanda.com>
Cc: netdev@vger.kernel.org, Jiayuan Chen <jiayuan.chen@shopee.com>,
syzbot+afbcf622635e98bf40d2@syzkaller.appspotmail.com,
"David S. Miller" <davem@davemloft.net>,
David Ahern <dsahern@kernel.org>,
Eric Dumazet <edumazet@google.com>,
Simon Horman <horms@kernel.org>, Taehee Yoo <ap420073@gmail.com>,
linux-kernel@vger.kernel.org, nbd@other.debian.org
Subject: Re: [PATCH net v1] net/ipv6: mcast: fix circular locking dependency in __ipv6_dev_mc_inc()
Date: Thu, 19 Mar 2026 13:44:00 +0100 [thread overview]
Message-ID: <258f99ac-bd34-4d14-8271-1266b9aba6f8@redhat.com> (raw)
In-Reply-To: <20260318202649.004d33fd@kernel.org>
Adding Josef.
On 3/19/26 4:26 AM, Jakub Kicinski wrote:
> On Thu, 19 Mar 2026 11:04:24 +0800 Jiayuan Chen wrote:
>>>> Split mca_alloc() into mca_alloc() + mca_init(): mca_alloc() does the
>>>> GFP_KERNEL allocation before mc_lock, mca_init() initializes under
>>>> mc_lock. If the address already exists, the pre-allocated memory is
>>>> simply freed. Also move inet6_ifmcaddr_notify() outside mc_lock since
>>>> it also does GFP_KERNEL allocation.
>>> Moving the allocation seems fine, but also having to move the
>>> notification, potentially letting the notification go out of order
>>> makes me wonder if we aren't better off adding helpers for taking this
>>> lock which also call memalloc_noio_{save,restore} ?
>> Yeah, using memalloc_noio helpers is simpler. I checked and there
>> are about 18 places taking mc_lock, so having a common mc_lock()/mc_unlock()
>> wrapper that does the noio save/restore covers them all (if necessary).
>>
>> The only thing that feels a bit odd is using memalloc_noio in the networking
>> subsystem. It makes sense in block/fs to protect itself from recursion.
>
> Totally agree that it feels a bit odd that we have to worry about IO,
> but unless we can figure out a way to prevent nbd sockets from getting
> here all our solutions are dealing with noio in networking code :(
> IMHO it's better to acknowledge this with the explicit memalloc_noio
> so future developers don't break things again with a mis-placed
> allocation.
I think a problem here is that the nbd socket is still exposed to
user-space, while in use by the block device. I fear that the more
syzkaller will learn new tricks, the more we will have to had strange
noio all around the networking code.
I *think* we could prevent this kind of races with something alike the
following:
- nbd sets a DOIO sk flag on the sockets it uses.
- the socket layer prevents socketopts()/ioctl() entirely on DOIO sk
I'm not sure if that could break nbd users, but allowing the user-space
to mess with the socket used for backing a block device looks very
dangerous.
/P
next prev parent reply other threads:[~2026-03-19 12:44 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-17 11:12 [PATCH net v1] net/ipv6: mcast: fix circular locking dependency in __ipv6_dev_mc_inc() Jiayuan Chen
2026-03-19 1:15 ` Jakub Kicinski
2026-03-19 3:04 ` Jiayuan Chen
2026-03-19 3:26 ` Jakub Kicinski
2026-03-19 4:12 ` Jiayuan Chen
2026-03-19 12:44 ` Paolo Abeni [this message]
2026-03-19 15:36 ` Wouter Verhelst
2026-03-23 6:54 ` Kuniyuki Iwashima
2026-03-19 12:33 ` [net,v1] " Paolo Abeni
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=258f99ac-bd34-4d14-8271-1266b9aba6f8@redhat.com \
--to=pabeni@redhat.com \
--cc=ap420073@gmail.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=horms@kernel.org \
--cc=jiayuan.chen@linux.dev \
--cc=jiayuan.chen@shopee.com \
--cc=josef@toxicpanda.com \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=nbd@other.debian.org \
--cc=netdev@vger.kernel.org \
--cc=syzbot+afbcf622635e98bf40d2@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox