Return-Path: Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1752063AbcJJDO6 (ORCPT ); Sun, 9 Oct 2016 23:14:58 -0400 Received: from zeniv.linux.org.uk ([195.92.253.2]:34534 "EHLO ZenIV.linux.org.uk" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1751368AbcJJDO4 (ORCPT ); Sun, 9 Oct 2016 23:14:56 -0400 Date: Mon, 10 Oct 2016 04:14:51 +0100 From: Al Viro To: Dmitry Vyukov Cc: David Miller , Hannes Frederic Sowa , Eric Dumazet , netdev , LKML , syzkaller Subject: Re: net: BUG still has locks held in unix_stream_splice_read Message-ID: <20161010031450.GW19539@ZenIV.linux.org.uk> References: <20161010024607.GV19539@ZenIV.linux.org.uk> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <20161010024607.GV19539@ZenIV.linux.org.uk> User-Agent: Mutt/1.7.0 (2016-08-17) Sender: linux-kernel-owner@vger.kernel.org List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Content-Length: 1673 Lines: 34 On Mon, Oct 10, 2016 at 03:46:07AM +0100, Al Viro wrote: > On Sun, Oct 09, 2016 at 12:06:14PM +0200, Dmitry Vyukov wrote: > > I suspect this is: > > > > commit 25869262ef7af24ccde988867ac3eb1c3d4b88d4 > > Author: Al Viro > > Date: Sat Sep 17 21:02:10 2016 -0400 > > skb_splice_bits(): get rid of callback > > since pipe_lock is the outermost now, we don't need to drop/regain > > socket locks around the call of splice_to_pipe() from skb_splice_bits(), > > which kills the need to have a socket-specific callback; we can just > > call splice_to_pipe() and be done with that. > > Unlikely, since that particular commit removes unlocking/relocking ->iolock > around the call of splice_to_pipe(). Original would've retaken the same > lock on the way out; it's not as if we could leave the syscall there. > > It might be splice-related, but I don't believe that you've got the right > commit here. It's not that commit, all right - it's "can't call unix_stream_read_generic() with any locks held" stepped onto a couple of commits prior by "splice: lift pipe_lock out of splice_to_pipe()". Could somebody explain what is that about? E.g what will happen if some code does a read on AF_UNIX socket with some local mutex held? AFAICS, there are exactly two callers of freezable_schedule_timeout() - this one and one in XFS; the latter is in a kernel thread where we do have good warranties about the locking environment, but here it's in the bleeding ->recvmsg/->splice_read and for those assumption that caller doesn't hold any locks is pretty strong, especially since it's not documented anywhere. What's going on there?