Received: by 2002:a25:d7c1:0:0:0:0:0 with SMTP id o184csp5365655ybg;
        Tue, 22 Oct 2019 02:02:34 -0700 (PDT)
X-Google-Smtp-Source: APXvYqy0RgWxThHl1UzmrxdeES8UdA1N5I94+UftS4KLn54z2FJRhBI0ne6Y3eb4wtCshREIQV0X
X-Received: by 2002:a05:6402:8cf:: with SMTP id d15mr29082623edz.225.1571734954529;
        Tue, 22 Oct 2019 02:02:34 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1571734954; cv=none;
        d=google.com; s=arc-20160816;
        b=kQU7WcEyr0hH/Mhxg797tQGWBuxGaaWEz3BrQiAD2/+p5gt/PL6P6GkcF8XWiPGrxF
         OIyLpaWVMl2RzATKP172v3+exSz7EwrAf7erwBD+bCLvgVX1tdQGEzssJldt7NPtYete
         WKiKPi8Jh0Dj0oYqNxpSYBo9BVOGgCJ/kM6tL2cO6yNCKVrl7Ia0KcauK2x8DQcXD6JU
         XAr+0rUaQ+jcJbWKIMcrYFcV36J5Op+lJflQPeba0kcfBweTxL+IRyZFyhnCYvGHa4PC
         0IMYxs5fSoscYWPHzjzdDCIdP1Ylsi8Nu7y3/W7zgcnVkxo1IBTKtZa0TdNgxPA0kvuQ
         iB6Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:in-reply-to
         :mime-version:user-agent:date:message-id:from:references:to:subject
         :dkim-signature;
        bh=vmxqbKFdbAsB2xDI6xrGHn1DS1Pl2hjh1JTq6d0++zQ=;
        b=CsHLXzx2zvpidF4uYxLVrGY3NU1OVXiRQOHNM7IT3cbikV9+D1CwSjpk4ZdAxy7Sri
         3aD7Dt2HD/Ow83ebeWCknxJXya/DiroBi4FOy2HfdHImdsoc2w9Ge7Itbwqm5fqzJ2+j
         z0gi3J+LnKLIR8u7mtgqktI1DTgGYjld6swUMGRRzaZ7Pv0K6fkPpAYh9viurWBWvJF5
         i+gYUaP+4iVRNkVOLnVK0M4ofuxnNIug0PRc7WdSzvbZq/c6STDm1igldYrSAeAQR8VX
         n31eNix5zGZAw7JcIa1jxcKOMwbVc4+pkkYIvrTjtItk+Nwgg/240r5TRpSQbLUlpJBB
         wvXA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@jv-coder.de header.s=dkim header.b="WaY/fLxd";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id c31si11800171edb.309.2019.10.22.02.02.06;
        Tue, 22 Oct 2019 02:02:34 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@jv-coder.de header.s=dkim header.b="WaY/fLxd";
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1731332AbfJVI6s (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 99 others); Tue, 22 Oct 2019 04:58:48 -0400
Received: from mail.jv-coder.de ([5.9.79.73]:52360 "EHLO mail.jv-coder.de"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726978AbfJVI6s (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 22 Oct 2019 04:58:48 -0400
Received: from [10.61.40.7] (unknown [37.156.92.209])
        by mail.jv-coder.de (Postfix) with ESMTPSA id 0B15E9FA2B;
        Tue, 22 Oct 2019 08:58:45 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=jv-coder.de; s=dkim;
        t=1571734725; bh=vmxqbKFdbAsB2xDI6xrGHn1DS1Pl2hjh1JTq6d0++zQ=;
        h=Subject:To:From:Message-ID:Date:MIME-Version;
        b=WaY/fLxdqDRfcENriUsOVoPh73icYTpF1VgO6o5bxJNM01aauwiOzp9lCRKS9B3vK
         5KoM41PObQR9ArA1fz1xpvcODULVcq0k2kO+dCgfhyg/tn/I6z8j42wYJXewMet+GD
         O7u97x0Mvf0rZp/wHmFI3R5isw3GgWdM860/tAx8=
Subject: Re: [PATCH] xfrm : lock input tasklet skb queue
To:     Tom Rix <trix@redhat.com>, steffen.klassert@secunet.com,
        herbert@gondor.apana.org.au, davem@davemloft.net,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org
References: <CACVy4SVuw0Qbjiv6PLRn1symoxGzyBMZx2F5O23+jGZG6WHuYA@mail.gmail.com>
From:   Joerg Vehlow <lkml@jv-coder.de>
Message-ID: <ac5f327b-d693-31cb-089f-b0880a4e298b@jv-coder.de>
Date:   Tue, 22 Oct 2019 10:58:44 +0200
User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:68.0) Gecko/20100101
 Thunderbird/68.1.2
MIME-Version: 1.0
In-Reply-To: <CACVy4SVuw0Qbjiv6PLRn1symoxGzyBMZx2F5O23+jGZG6WHuYA@mail.gmail.com>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=1.1 required=5.0 tests=DKIM_SIGNED,DKIM_VALID,
        DKIM_VALID_AU,DKIM_VALID_EF,HELO_MISC_IP,RDNS_NONE autolearn=no
        autolearn_force=no version=3.4.2
X-Spam-Level: *
X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on mail.jv-coder.de
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Hi,

I already send a patch on 2019-09-09 to this mailing list with a similar 
issue[1].
Sadly no replies, although this is a huge bug in the rt kernel.
I fixed it a bit differently, using smaller locked regions.
You have also propably a bug in your patch, because trans->queue.lock is
no initialized by __skb_queue_head_init (in xfrm_input_init)

Jörg

[1] https://lkml.org/lkml/2019/9/9/111

Am 20.10.2019 um 17:46 schrieb Tom Rix:
> On PREEMPT_RT_FULL while running netperf, a corruption
> of the skb queue causes an oops.
>
> This appears to be caused by a race condition here
>          __skb_queue_tail(&trans->queue, skb);
>          tasklet_schedule(&trans->tasklet);
> Where the queue is changed before the tasklet is locked by
> tasklet_schedule.
>
> The fix is to use the skb queue lock.
>
> Signed-off-by: Tom Rix <trix@redhat.com>
> ---
>   net/xfrm/xfrm_input.c | 11 ++++++++++-
>   1 file changed, 10 insertions(+), 1 deletion(-)
>
> diff --git a/net/xfrm/xfrm_input.c b/net/xfrm/xfrm_input.c
> index 9b599ed66d97..226dead86828 100644
> --- a/net/xfrm/xfrm_input.c
> +++ b/net/xfrm/xfrm_input.c
> @@ -758,12 +758,16 @@ static void xfrm_trans_reinject(unsigned long data)
>       struct xfrm_trans_tasklet *trans = (void *)data;
>       struct sk_buff_head queue;
>       struct sk_buff *skb;
> +    unsigned long flags;
>
>       __skb_queue_head_init(&queue);
> +    spin_lock_irqsave(&trans->queue.lock, flags);
>       skb_queue_splice_init(&trans->queue, &queue);
>
>       while ((skb = __skb_dequeue(&queue)))
>           XFRM_TRANS_SKB_CB(skb)->finish(dev_net(skb->dev), NULL, skb);
> +
> +    spin_unlock_irqrestore(&trans->queue.lock, flags);
>   }
>
>   int xfrm_trans_queue(struct sk_buff *skb,
> @@ -771,15 +775,20 @@ int xfrm_trans_queue(struct sk_buff *skb,
>                      struct sk_buff *))
>   {
>       struct xfrm_trans_tasklet *trans;
> +    unsigned long flags;
>
>       trans = this_cpu_ptr(&xfrm_trans_tasklet);
> +    spin_lock_irqsave(&trans->queue.lock, flags);
>
> -    if (skb_queue_len(&trans->queue) >= netdev_max_backlog)
> +    if (skb_queue_len(&trans->queue) >= netdev_max_backlog) {
> +        spin_unlock_irqrestore(&trans->queue.lock, flags);
>           return -ENOBUFS;
> +    }
>
>       XFRM_TRANS_SKB_CB(skb)->finish = finish;
>       __skb_queue_tail(&trans->queue, skb);
>       tasklet_schedule(&trans->tasklet);
> +    spin_unlock_irqrestore(&trans->queue.lock, flags);
>       return 0;
>   }
>   EXPORT_SYMBOL(xfrm_trans_queue);