From: Cong Wang
Date: Thu, 6 May 2021 17:40:30 -0700
Subject: Re: GPF in net subsystem
To: Pavel Skripkin
Cc: Ralf Baechle, David Miller, Jakub Kicinski, Linux Kernel Network Developers, LKML
References: <20210505200242.31d58452@gmail.com>
In-Reply-To: <20210505200242.31d58452@gmail.com>
List-ID: linux-kernel@vger.kernel.org

On Wed, May 5, 2021 at 10:36 AM Pavel Skripkin wrote:
>
> Hi, netdev developers!
>
> I've spent some time debugging this bug
> https://syzkaller.appspot.com/bug?id=c670fb9da2ce08f7b5101baa9426083b39ee9f90
> and, I believe, I found the root cause:
>
> static int nr_accept(struct socket *sock, struct socket *newsock, int flags,
>                      bool kern)
> {
>         ....
>         for (;;) {
>                 prepare_to_wait(sk_sleep(sk), &wait, TASK_INTERRUPTIBLE);
>                 ...
>                 if (!signal_pending(current)) {
>                         release_sock(sk);
>                         schedule();
>                         lock_sock(sk);
>                         continue;
>                 }
>                 ...
>         }
>         ...
> }
>
> When the calling process is scheduled out, another process can release
> this socket and set sk->sk_wq to NULL (in this case nr_release()
> will call sock_orphan(sk)). In this case a GPF will happen in
> prepare_to_wait().

Are you sure? How could another process release this socket when its fd
is still refcnt'ed? That is, accept() still does not return yet at the
point of schedule().

Also, the above pattern is pretty common in the networking subsystem, see
sk_wait_event(), so how come it is only problematic for netrom?

Thanks.