From: Boqun Feng <boqun.feng@gmail.com>
To: Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>
Cc: Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Will Deacon <will@kernel.org>,
Waiman Long <longman@redhat.com>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org,
syzbot <syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com>,
syzkaller-bugs@googlegroups.com
Subject: Re: WARNING: locking bug in inet_autobind
Date: Sun, 18 Sep 2022 11:25:28 -0700 [thread overview]
Message-ID: <YydimPlesKO+4QKG@boqun-archlinux> (raw)
In-Reply-To: <693b572a-6436-14e6-442c-c8f2f361ed94@I-love.SAKURA.ne.jp>
On Mon, Sep 19, 2022 at 12:52:45AM +0900, Tetsuo Handa wrote:
> syzbot is reporting locking bug in inet_autobind(), for
> commit 37159ef2c1ae1e69 ("l2tp: fix a lockdep splat") started
> calling
>
> lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class, "l2tp_sock")
>
> in l2tp_tunnel_create() (which is currently in l2tp_tunnel_register()).
> How can we fix this problem?
>
Just a theory, it seems that we have a memory corruption happened for
lockdep_set_class_and_name(), in l2tp_tunnel_register(), the "sk" gets
published before lockdep_set_class_and_name():
tunnel->sock = sk;
...
lockdep_set_class_and_name(&sk->sk_lock.slock,...);
And what could happen is that sock_lock_init() races with the
l2tp_tunnel_register(), which results into two
lockdep_set_class_and_name()s race with each other.
Anyway, "sk" should not be published until its lock gets properly
initialized, could you try the following (untested)? Looks to me all
other code around the lockdep_set_class_and_name() should be moved
upwards, but I don't want to pretend I'm an expert ;-)
Regards,
Boqun
diff --git a/net/l2tp/l2tp_core.c b/net/l2tp/l2tp_core.c
index 7499c51b1850..1a01d23abc53 100644
--- a/net/l2tp/l2tp_core.c
+++ b/net/l2tp/l2tp_core.c
@@ -1480,7 +1480,9 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
sk = sock->sk;
sock_hold(sk);
- tunnel->sock = sk;
+ lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
+ "l2tp_sock");
+ smp_store_release(&tunnel->sock, sk);
spin_lock_bh(&pn->l2tp_tunnel_list_lock);
list_for_each_entry(tunnel_walk, &pn->l2tp_tunnel_list, list) {
@@ -1509,8 +1511,6 @@ int l2tp_tunnel_register(struct l2tp_tunnel *tunnel, struct net *net,
tunnel->old_sk_destruct = sk->sk_destruct;
sk->sk_destruct = &l2tp_tunnel_destruct;
- lockdep_set_class_and_name(&sk->sk_lock.slock, &l2tp_socket_class,
- "l2tp_sock");
sk->sk_allocation = GFP_ATOMIC;
trace_register_tunnel(tunnel);
> ------------[ cut here ]------------
> class->name=slock-AF_INET6 lock->name=l2tp_sock lock->key=l2tp_socket_class
> WARNING: CPU: 2 PID: 9237 at kernel/locking/lockdep.c:940 look_up_lock_class+0xcc/0x140
> Modules linked in:
> CPU: 2 PID: 9237 Comm: a.out Not tainted 6.0.0-rc5-00094-ga335366bad13-dirty #860
> Hardware name: innotek GmbH VirtualBox/VirtualBox, BIOS VirtualBox 12/01/2006
> RIP: 0010:look_up_lock_class+0xcc/0x140
>
> On 2019/05/16 14:46, syzbot wrote:
> > HEAD commit: 35c99ffa Merge tag 'for_linus' of git://git.kernel.org/pub..
> > git tree: net-next
> > console output: https://syzkaller.appspot.com/x/log.txt?x=10e970f4a00000
> > kernel config: https://syzkaller.appspot.com/x/.config?x=82f0809e8f0a8c87
> > dashboard link: https://syzkaller.appspot.com/bug?extid=94cc2a66fc228b23f360
> > compiler: gcc (GCC) 9.0.0 20181231 (experimental)
>
> C reproducer is available at
> https://syzkaller.appspot.com/text?tag=ReproC&x=15062310080000 .
>
next prev parent reply other threads:[~2022-09-18 18:29 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-05-16 5:46 WARNING: locking bug in inet_autobind syzbot
2019-05-21 8:31 ` syzbot
2019-05-22 3:16 ` syzbot
2022-09-18 15:52 ` Tetsuo Handa
2022-09-18 18:25 ` Boqun Feng [this message]
2022-09-19 5:02 ` Tetsuo Handa
2022-09-27 13:00 ` Tetsuo Handa
2022-11-22 18:02 ` Jakub Sitnicki
2022-12-29 6:26 ` [syzbot] " syzbot
2023-01-03 15:39 ` Felix Kuehling
2023-01-03 16:05 ` Waiman Long
2023-01-03 16:20 ` Felix Kuehling
2023-01-03 22:07 ` Tetsuo Handa
2023-01-03 22:12 ` Eric Dumazet
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YydimPlesKO+4QKG@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=davem@davemloft.net \
--cc=edumazet@google.com \
--cc=kuba@kernel.org \
--cc=longman@redhat.com \
--cc=mingo@redhat.com \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=penguin-kernel@i-love.sakura.ne.jp \
--cc=peterz@infradead.org \
--cc=syzbot+94cc2a66fc228b23f360@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=will@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).