From: Gerd Rausch <gerd.rausch@oracle.com>
To: Fernando Fernandez Mancera <fmancera@suse.de>,
Eric Dumazet <edumazet@google.com>,
syzbot <syzbot+5efae91f60932839f0a5@syzkaller.appspotmail.com>
Cc: davem@davemloft.net, dsahern@kernel.org, horms@kernel.org,
kuba@kernel.org, linux-kernel@vger.kernel.org,
netdev@vger.kernel.org, pabeni@redhat.com,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] possible deadlock in inet6_getname
Date: Tue, 17 Feb 2026 08:59:33 -0800 [thread overview]
Message-ID: <db06aa20-ca31-4b66-9a53-e4305974d1f5@oracle.com> (raw)
In-Reply-To: <c57f2565-a6b2-45dd-8307-871a02ae1a7a@suse.de>
Hi,
On 2026-02-14 10:25, Fernando Fernandez Mancera wrote:
> --- a/net/rds/tcp_listen.c
> +++ b/net/rds/tcp_listen.c
> @@ -59,30 +59,12 @@ void rds_tcp_keepalive(struct socket *sock)
> static int
> rds_tcp_get_peer_sport(struct socket *sock)
> {
> - union {
[...]
> - } else {
> - sport = -1;
> - }
> + struct sock *sk = sock->sk;
> +
> + if (!sk)
> + return -1;
>
> - return sport;
> + return ntohs(inet_sk(sk)->inet_dport);
> }
>
> It would be safe from rds_tcp_accept_one() path as the new_sock has a reference count of 1 and no other component should be to release it.
>
> In rds_tcp_conn_slots_available() path, fan-out can be only performed from receive path, AFAIU if data is being processed from the socket we should always be holding a lock.
>
> If these premises are not correct, we can always make this conditional. But getting rid of the kernel_getpeername() call is performance-wise too.
>
rds_tcp_conn_slots_available() can also be called from rds_conn_shutdown(),
where no "rds_tcp.ko" backend specific lock is held.
This is very solvable though.
Worst case, we can distinguish between the paths where a lock_sock()
is already held from those that don't.
> I am testing this against the syzbot report/reproducer.
>
Thanks,
Gerd
next prev parent reply other threads:[~2026-02-17 16:59 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-13 12:15 [syzbot] [net?] possible deadlock in inet6_getname syzbot
2026-02-13 17:26 ` Eric Dumazet
2026-02-13 18:51 ` Gerd Rausch
2026-02-14 18:25 ` Fernando Fernandez Mancera
2026-02-17 16:59 ` Gerd Rausch [this message]
2026-02-17 17:03 ` Fernando Fernandez Mancera
2026-02-17 17:13 ` Gerd Rausch
2026-02-17 17:19 ` Fernando Fernandez Mancera
2026-02-17 17:28 ` Gerd Rausch
2026-02-17 18:58 ` Gerd Rausch
2026-02-17 20:26 ` Fernando Fernandez Mancera
2026-02-17 21:57 ` Allison Henderson
2026-02-16 11:32 ` Fernando Fernandez Mancera
2026-02-16 11:45 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=db06aa20-ca31-4b66-9a53-e4305974d1f5@oracle.com \
--to=gerd.rausch@oracle.com \
--cc=davem@davemloft.net \
--cc=dsahern@kernel.org \
--cc=edumazet@google.com \
--cc=fmancera@suse.de \
--cc=horms@kernel.org \
--cc=kuba@kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=netdev@vger.kernel.org \
--cc=pabeni@redhat.com \
--cc=syzbot+5efae91f60932839f0a5@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox