Received: by 2002:a25:ad19:0:0:0:0:0 with SMTP id y25csp6742657ybi; Mon, 8 Jul 2019 07:57:18 -0700 (PDT) X-Google-Smtp-Source: APXvYqwBLp5ec78IRdZeaBv3t/6TNgRytiELdbjFRt0yLEkmd4heTSWe5/ezXNUWEhwtXVWeiu+t X-Received: by 2002:a63:455c:: with SMTP id u28mr25068462pgk.416.1562597837831; Mon, 08 Jul 2019 07:57:17 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1562597837; cv=none; d=google.com; s=arc-20160816; b=KR05fR/P/RgxaGp/h7fRrnhJ5WL0QaHkx6lc+N/ObSBxvWhqYw+8n8Mu3Pvz1o4GxO nnLb/hWl5XYvJs4pCTd2IhJT/xj3zO4r/Mz4FMC7gZEBPLtIWvGgVGySJ01dk9fU0UkZ HYTwOYw8Hha+ODZ4b2/QxFEFE6vy7i5EvCfReBMG/+eRkUoUM7BD9o0PDPvUcslpnwoi 9RXcEbgp+rDe2si3CdE2g/iWlf1G2JZ2+oQdv6vtvnsQcf+fqSVgJi7Hii+K7vjdYyuI +vtnK35ryxfHpXLxTI+cgwM2/5qUiG5VEWUXxWwXsca1NnPwoV/WyyUg5RrTtYxmYE7H 9cGA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:references:cms-type:message-id:date :subject:cc:to:from:dkim-signature:dkim-filter; bh=iJ/vgkwgHEVtdCA4ebVEDI6nMvu1XOQWTINwB5UZ21Y=; b=OSHKZtLB27BE9BSKK3KeLcwJ3hmiQA7RhF0P5Jgp7RQJteFxuZiEdCMlSahlAqfrwf 2kzHHR6nSuL30rqhTyp7cEly7Xh/i6yU0HoF5gOEjDi6zrWyiZVd7yn7kbPdW9GYaK1H 19igcAsVLWnb9ndjpspckQ+7q/BjEOwg+XNskoKclHtpHnOEYoSt3SZCcxhYHfC5t3pF zYGIqkERWfJ/MGTWVAGFYgsNQ+MBVhj7RcEvKMSAuOyPVxriD6CPuHPFfAL2NQ2ULwFz 5x8gHepJGaRwUV2qxVs3czDndudgCJSY92z1gvQcfCWv4U6KXOFTiaiqwKouMW1tCY/Q 2tRg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b="p/W7OiNK"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id u27si19751895pgn.231.2019.07.08.07.57.03; Mon, 08 Jul 2019 07:57:17 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@samsung.com header.s=mail20170921 header.b="p/W7OiNK"; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=samsung.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730324AbfGHLDz (ORCPT + 99 others); Mon, 8 Jul 2019 07:03:55 -0400 Received: from mailout1.w1.samsung.com ([210.118.77.11]:46221 "EHLO mailout1.w1.samsung.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727517AbfGHLDy (ORCPT ); Mon, 8 Jul 2019 07:03:54 -0400 Received: from eucas1p2.samsung.com (unknown [182.198.249.207]) by mailout1.w1.samsung.com (KnoxPortal) with ESMTP id 20190708110352euoutp019187cd4457af386fa8fb5bd5a7f843cf~vabdfoRXA1228012280euoutp01T for ; Mon, 8 Jul 2019 11:03:52 +0000 (GMT) DKIM-Filter: OpenDKIM Filter v2.11.0 mailout1.w1.samsung.com 20190708110352euoutp019187cd4457af386fa8fb5bd5a7f843cf~vabdfoRXA1228012280euoutp01T DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=samsung.com; s=mail20170921; t=1562583832; bh=iJ/vgkwgHEVtdCA4ebVEDI6nMvu1XOQWTINwB5UZ21Y=; h=From:To:Cc:Subject:Date:References:From; b=p/W7OiNKgo0dmURd6p3j4pnJKCJsvGTOwhQY8qjyQTcAWqk0b4GYIMy8PEIB5pUdz WSrGIapQc4oCR3H8UtrTg4S034/QGWszC5Shvp8EAAf0vqQM0n+0nnpRBFDI1UcWIO u8UG9Ij9UTM2Ng6ULrFC9zTL3MkLLyFhsuutBRNs= Received: from eusmges1new.samsung.com (unknown [203.254.199.242]) by eucas1p2.samsung.com (KnoxPortal) with ESMTP id 20190708110351eucas1p2bde3ebc38e8c48b9413055c03c7ab96c~vabcvLjwd2083220832eucas1p2j; Mon, 8 Jul 2019 11:03:51 +0000 (GMT) Received: from eucas1p2.samsung.com ( [182.198.249.207]) by eusmges1new.samsung.com (EUCPMTA) with SMTP id F2.FD.04298.613232D5; Mon, 8 Jul 2019 12:03:50 +0100 (BST) Received: from eusmtrp2.samsung.com (unknown [182.198.249.139]) by eucas1p1.samsung.com (KnoxPortal) with ESMTPA id 20190708110350eucas1p16357da1f812ff8309b1edc98d4cdacc1~vabbxYcUy2519125191eucas1p1L; Mon, 8 Jul 2019 11:03:50 +0000 (GMT) Received: from eusmgms2.samsung.com (unknown [182.198.249.180]) by eusmtrp2.samsung.com (KnoxPortal) with ESMTP id 20190708110349eusmtrp2de94694ed18e2b6000e2c0fca30ad84f~vabbjN_S43170831708eusmtrp2M; Mon, 8 Jul 2019 11:03:49 +0000 (GMT) X-AuditID: cbfec7f2-f2dff700000010ca-7b-5d232316b880 Received: from eusmtip2.samsung.com ( [203.254.199.222]) by eusmgms2.samsung.com (EUCPMTA) with SMTP id 84.EA.04140.513232D5; Mon, 8 Jul 2019 12:03:49 +0100 (BST) Received: from imaximets.rnd.samsung.ru (unknown [106.109.129.180]) by eusmtip2.samsung.com (KnoxPortal) with ESMTPA id 20190708110349eusmtip2f28b183397c1dd08fb6127d5326a04e9~vaba1exG-1263912639eusmtip2c; Mon, 8 Jul 2019 11:03:49 +0000 (GMT) From: Ilya Maximets To: netdev@vger.kernel.org Cc: linux-kernel@vger.kernel.org, bpf@vger.kernel.org, xdp-newbies@vger.kernel.org, "David S. Miller" , =?UTF-8?q?Bj=C3=B6rn=20T=C3=B6pel?= , Magnus Karlsson , Jonathan Lemon , Jakub Kicinski , Alexei Starovoitov , Daniel Borkmann , Ilya Maximets Subject: [PATCH bpf] xdp: fix potential deadlock on socket mutex Date: Mon, 8 Jul 2019 14:03:44 +0300 Message-Id: <20190708110344.23278-1-i.maximets@samsung.com> X-Mailer: git-send-email 2.17.1 X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFprKKsWRmVeSWpSXmKPExsWy7djP87piysqxBo9mWVh8+Xmb3eJP2wZG i89HjrNZLF74jdlizvkWFosr7T/ZLY69aGGz2LVuJrPF5V1z2CxWHDoBFFsgZrG9fx+jA4/H lpU3mTx2zrrL7rF4z0smj64bl5g9Nq3qZPOY3v2Q2aNvyypGj8+b5AI4orhsUlJzMstSi/Tt Ergy1q3TKngjXrF/p0wDY69wFyMnh4SAicTLPRvYuxi5OIQEVjBKTGlZywjhfGGUeNk3Ecr5 zCgx/98mJpiWWzNfQLUsZ5TobX8OVfWDUeL5wivsIFVsAjoSp1YfYQSxRQSkJD7u2A7WwSxw gFli9/F5zCAJYQEHiZeT/rOA2CwCqhJP286zgti8AtYSi6btYoNYJy+xesMBZpBmCYFudokp X+4xQiRcJF7/3AxVJCzx6vgWdghbRuL/zvlQt9ZL3G95yQjR3MEoMf3QP6iEvcSW1+eAGjiA TtKUWL9LHyLsKHGo8QkrSFhCgE/ixltBkDAzkDlp23RmiDCvREebEES1isTvg8uZIWwpiZvv PkNd4CExf+MBsEVCArES02ZvY5/AKDcLYdcCRsZVjOKppcW56anFhnmp5XrFibnFpXnpesn5 uZsYgYnl9L/jn3Ywfr2UdIhRgINRiYd3g7RSrBBrYllxZe4hRgkOZiUR3sQg+Vgh3pTEyqrU ovz4otKc1OJDjNIcLErivNUMD6KFBNITS1KzU1MLUotgskwcnFINjInnIpoEld5b//7503yH pV+93+oTq0/lVi26bBPzT43zl7us9PVsv8DLhpJn+A0e7u9XLtuus3/hosLcS2fvWZ05ciPo fJqbQdVc/X/pPrmO3WonW2sruA0XuF52W3TLNr2U+6jJPaNyvWxOuQ9JCn9tDSpXnzxkxeI+ aZNpG6OH30pWRgkNJZbijERDLeai4kQAvrZObygDAAA= X-Brightmail-Tracker: H4sIAAAAAAAAA+NgFnrNLMWRmVeSWpSXmKPExsVy+t/xe7qiysqxBps3m1t8+Xmb3eJP2wZG i89HjrNZLF74jdlizvkWFosr7T/ZLY69aGGz2LVuJrPF5V1z2CxWHDoBFFsgZrG9fx+jA4/H lpU3mTx2zrrL7rF4z0smj64bl5g9Nq3qZPOY3v2Q2aNvyypGj8+b5AI4ovRsivJLS1IVMvKL S2yVog0tjPQMLS30jEws9QyNzWOtjEyV9O1sUlJzMstSi/TtEvQy1q3TKngjXrF/p0wDY69w FyMnh4SAicStmS/Yuxi5OIQEljJKLP31kx0iISXx49cFVghbWOLPtS42iKJvjBKt3VcYQRJs AjoSp1YfAbNFgBo+7tgONolZ4ASzxPdZn5lAEsICDhIvJ/1nAbFZBFQlnradB5vKK2AtsWja LjaIDfISqzccYJ7AyLOAkWEVo0hqaXFuem6xkV5xYm5xaV66XnJ+7iZGYEBvO/Zzyw7GrnfB hxgFOBiVeHg55JRihVgTy4orcw8xSnAwK4nwJgbJxwrxpiRWVqUW5ccXleakFh9iNAVaPpFZ SjQ5HxhteSXxhqaG5haWhubG5sZmFkrivB0CB2OEBNITS1KzU1MLUotg+pg4OKUaGLUmScpt 2lh39vP3c40aJ7nn3+CPY/r9JfjmsatT10h2zWf0TknOdJ2+Yu3lN6W/fbV+ndi5oMU9n9dz p80O1jnHhfX/L45gun9l+9UL/QwNilGHoxL3TX5vbap48Qz/hxCHJ4Fvq+/rl/5hqn54s88j vOZv+8mE6QtqEzoUlqV9PzXf26j3m4sSS3FGoqEWc1FxIgDpDUB/fgIAAA== X-CMS-MailID: 20190708110350eucas1p16357da1f812ff8309b1edc98d4cdacc1 X-Msg-Generator: CA Content-Type: text/plain; charset="utf-8" X-RootMTR: 20190708110350eucas1p16357da1f812ff8309b1edc98d4cdacc1 X-EPHeader: CA CMS-TYPE: 201P X-CMS-RootMailID: 20190708110350eucas1p16357da1f812ff8309b1edc98d4cdacc1 References: Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org There are 2 call chains: a) xsk_bind --> xdp_umem_assign_dev b) unregister_netdevice_queue --> xsk_notifier with the following locking order: a) xs->mutex --> rtnl_lock b) rtnl_lock --> xdp.lock --> xs->mutex Different order of taking 'xs->mutex' and 'rtnl_lock' could produce a deadlock here. Fix that by moving the 'rtnl_lock' before 'xs->lock' in the bind call chain (a). Reported-by: syzbot+bf64ec93de836d7f4c2c@syzkaller.appspotmail.com Fixes: 455302d1c9ae ("xdp: fix hang while unregistering device bound to xdp socket") Signed-off-by: Ilya Maximets --- This patch is a fix for patch that is not yet in mainline, but already in 'net' tree. I'm not sure what is the correct process for applying such fixes. net/xdp/xdp_umem.c | 16 ++++++---------- net/xdp/xsk.c | 2 ++ 2 files changed, 8 insertions(+), 10 deletions(-) diff --git a/net/xdp/xdp_umem.c b/net/xdp/xdp_umem.c index 20c91f02d3d8..83de74ca729a 100644 --- a/net/xdp/xdp_umem.c +++ b/net/xdp/xdp_umem.c @@ -87,21 +87,20 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev, struct netdev_bpf bpf; int err = 0; + ASSERT_RTNL(); + force_zc = flags & XDP_ZEROCOPY; force_copy = flags & XDP_COPY; if (force_zc && force_copy) return -EINVAL; - rtnl_lock(); - if (xdp_get_umem_from_qid(dev, queue_id)) { - err = -EBUSY; - goto out_rtnl_unlock; - } + if (xdp_get_umem_from_qid(dev, queue_id)) + return -EBUSY; err = xdp_reg_umem_at_qid(dev, umem, queue_id); if (err) - goto out_rtnl_unlock; + return err; umem->dev = dev; umem->queue_id = queue_id; @@ -110,7 +109,7 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev, if (force_copy) /* For copy-mode, we are done. */ - goto out_rtnl_unlock; + return 0; if (!dev->netdev_ops->ndo_bpf || !dev->netdev_ops->ndo_xsk_async_xmit) { @@ -125,7 +124,6 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev, err = dev->netdev_ops->ndo_bpf(dev, &bpf); if (err) goto err_unreg_umem; - rtnl_unlock(); umem->zc = true; return 0; @@ -135,8 +133,6 @@ int xdp_umem_assign_dev(struct xdp_umem *umem, struct net_device *dev, err = 0; /* fallback to copy mode */ if (err) xdp_clear_umem_at_qid(dev, queue_id); -out_rtnl_unlock: - rtnl_unlock(); return err; } diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c index 703cf5ea448b..2aa6072a3e55 100644 --- a/net/xdp/xsk.c +++ b/net/xdp/xsk.c @@ -416,6 +416,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) if (flags & ~(XDP_SHARED_UMEM | XDP_COPY | XDP_ZEROCOPY)) return -EINVAL; + rtnl_lock(); mutex_lock(&xs->mutex); if (xs->state != XSK_READY) { err = -EBUSY; @@ -501,6 +502,7 @@ static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len) xs->state = XSK_BOUND; out_release: mutex_unlock(&xs->mutex); + rtnl_unlock(); return err; } -- 2.17.1