Date: Mon, 10 Jun 2019 07:12:09 -0400
From: Neil Horman
To: Su Yanjun
Cc: vyasevich@gmail.com, marcelo.leitner@gmail.com, davem@davemloft.net, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] sctp: Add rcu lock to protect dst entry in sctp_transport_route
Message-ID: <20190610111209.GA15599@hmswarspite.think-freely.org>
References: <1560136800-17961-1-git-send-email-suyj.fnst@cn.fujitsu.com>
In-Reply-To: <1560136800-17961-1-git-send-email-suyj.fnst@cn.fujitsu.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Jun 10, 2019 at 11:20:00AM +0800, Su Yanjun wrote:
> syzbot found a crash in rt_cache_valid. Problem is that when more
> threads release dst in sctp_transport_route, the route cache can
> be freed.
>
> As follows,
> p1:
> sctp_transport_route
> dst_release
> get_dst
>
> p2:
> sctp_transport_route
> dst_release
> get_dst
> ...
>
> If enough threads call dst_release, dst->refcnt==0 will result and
> the rcu softirq will reclaim the dst entry; get_dst then uses
> the freed memory.
>
> This patch adds rcu lock to protect the dst_entry here.
>
> Fixes: 6e91b578bf3f ("sctp: re-use sctp_transport_pmtu in sctp_transport_route")
> Signed-off-by: Su Yanjun
> Reported-by: syzbot+a9e23ea2aa21044c2798@syzkaller.appspotmail.com
> ---
>  net/sctp/transport.c | 5 +++++
>  1 file changed, 5 insertions(+)
>
> diff --git a/net/sctp/transport.c b/net/sctp/transport.c
> index ad158d3..5ad7e20 100644
> --- a/net/sctp/transport.c
> +++ b/net/sctp/transport.c
> @@ -308,8 +308,13 @@ void sctp_transport_route(struct sctp_transport *transport, > struct sctp_association *asoc = transport->asoc; > struct sctp_af *af = transport->af_specific; > > + /* When dst entry is being released, route cache may be referred > + * again. Add rcu lock here to protect dst entry. > + */ > + rcu_read_lock(); > sctp_transport_dst_release(transport); > af->get_dst(transport, saddr, &transport->fl, sctp_opt2sk(opt)); > + rcu_read_unlock(); > What is the exact error that syzbot reported? This doesn't seem like it fixes anything. Based on what you've said above, we have multiple processes looking up and releasing routes in parallel (which IIRC should never happen, as only one process should traverse the sctp state machine for a given association at any one time). Protecting the lookup/release operations with a read side rcu lock won't fix that. Neil > if (saddr) > memcpy(&transport->saddr, saddr, sizeof(union sctp_addr)); > -- > 2.7.4 > > > >
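Review bot: the rcu_read_lock()/rcu_read_unlock() pair wrapped around sctp_transport_dst_release() and af->get_dst() does not close the race the commit message describes, in which two threads each call dst_release on the same transport->dst. A read-side RCU critical section only keeps memory that is freed through call_rcu alive until the reader leaves the section; it does nothing to serialize the two releases, so the second dst_release still drops a reference it does not own and the dst can still reach refcnt 0 while the other thread is about to reuse it. If sctp_transport_route() really is entered concurrently for one transport, the defect is the missing serialization that the reply above points at (only one process should be driving the state machine of a given association at a time), and that is what the fix should restore; the commit message should also quote the exact syzbot report so the actual failure is on record rather than a paraphrase. The added comment ("route cache may be referred again") should name the specific object and the concurrent writer the critical section is meant to protect against; as written it does not explain why rcu_read_lock() is the right primitive here.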