Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp3936848pxj; Mon, 21 Jun 2021 09:44:59 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwUYVd5BLjpcGx4BZ4Fjm1M7uel05m/8yJUDyXyX2erXECw81bHiP1QSZ0ccuSLfYlUuAux X-Received: by 2002:aa7:dccb:: with SMTP id w11mr22215153edu.96.1624293898956; Mon, 21 Jun 2021 09:44:58 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624293898; cv=none; d=google.com; s=arc-20160816; b=Rbi13+QYR3NKL8Hmowd7MKu23gM+KMhIEwsRHI4dZkODXjcyq/GFZYUI4Q4er1Wha0 XBhFNhRAJdzqFL0/tW+AFJBw12LmKdbaq8C3wGcRh7g5HXxlamnLa5UdGBWT0jQyPXOr Cwom6uEjkMf7KarGGTovXWm4yqZx4Yi0yT7cG8dlJswvBrFxPsTGYttb3BtYn5KGbRlZ z4rfdQOhtPFLRRWYI1IkMtz0nnat4ZBoBk6wAh29r9oSQZcVfn8z97kSlEmu2BbaUG9a XeJmcL+1xkxigfZQcWXRXuxrKGkBX62ZZrHKRCLxez0rbkEpSseEmHIKPkiYp4NJx/tV Th2Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ktM9VrWTX4bTCcEJ94iSQDiUiucL1ZbQKogldvJItDM=; b=L0Qduqtiv2MGfnZKr7Im7+zP/zq6sP5aK0N/MlbhJyV8f2syFfDpAp8cVa+wd9Rbrd uiiYRX92Ds5Xwy7+0+4jKya0PdzZklNUc6aCgqWmGF0JuU7+bscN8Lir6/zWisL8l5n6 WH06fH7GOrS02DG/7GcZR23hCUqkdTQxl5az04UU7Ut1LiVgYqGxk0L8RnMMF8NE9+6X sfl4dfcZNyEY4IFTUVDOF+u8jQYWBKoNY+s5ZAmOUdN7/CP048o5X52jD1FXpaFygEt2 08MtYYT0NuDqPTAVacuhuWbXfL5awj2Wq5w68tAUqMa7GjT2dRJF99n8ICxKeg01oCQD HEJg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=gskOt12J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id w20si17043692edd.408.2021.06.21.09.44.36; Mon, 21 Jun 2021 09:44:58 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=gskOt12J; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S230329AbhFUQma (ORCPT + 99 others); Mon, 21 Jun 2021 12:42:30 -0400 Received: from mail.kernel.org ([198.145.29.99]:33480 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232964AbhFUQi1 (ORCPT ); Mon, 21 Jun 2021 12:38:27 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id E2D9B61433; Mon, 21 Jun 2021 16:29:19 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1624292960; bh=Dz7WSDe0jRWE2G+mOrLFRhOYZbpinR8MxnAo0w2yotQ=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=gskOt12JTV2fCGxzd/fDDJ6K4hiGzRZnatP2Vvsmpyng3Q/aL7WulGyjhie4RNO4d RqB4tLthm/dSeibS5nRTAc1CMEvPeeNURyzzxKcY+jO3m9RxR5fF6DgW7r5ASeD3+o LhCm0rSW2mhxIhMv52yBPNAXQiJVQZuAhXZMhr2Q= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Maxim Galaganov , Paolo Abeni , Mat Martineau , "David S. Miller" , Sasha Levin Subject: [PATCH 5.12 048/178] mptcp: fix soft lookup in subflow_error_report() Date: Mon, 21 Jun 2021 18:14:22 +0200 Message-Id: <20210621154923.973814556@linuxfoundation.org> X-Mailer: git-send-email 2.32.0 In-Reply-To: <20210621154921.212599475@linuxfoundation.org> References: <20210621154921.212599475@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Paolo Abeni [ Upstream commit 499ada5073361c631f2a3c4a8aed44d53b6f82ec ] Maxim reported a soft lookup in subflow_error_report(): watchdog: BUG: soft lockup - CPU#0 stuck for 22s! [swapper/0:0] RIP: 0010:native_queued_spin_lock_slowpath RSP: 0018:ffffa859c0003bc0 EFLAGS: 00000202 RAX: 0000000000000101 RBX: 0000000000000001 RCX: 0000000000000000 RDX: ffff9195c2772d88 RSI: 0000000000000000 RDI: ffff9195c2772d88 RBP: ffff9195c2772d00 R08: 00000000000067b0 R09: c6e31da9eb1e44f4 R10: ffff9195ef379700 R11: ffff9195edb50710 R12: ffff9195c2772d88 R13: ffff9195f500e3d0 R14: ffff9195ef379700 R15: ffff9195ef379700 FS: 0000000000000000(0000) GS:ffff91961f400000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 000000c000407000 CR3: 0000000002988000 CR4: 00000000000006f0 Call Trace: _raw_spin_lock_bh subflow_error_report mptcp_subflow_data_available __mptcp_move_skbs_from_subflow mptcp_data_ready tcp_data_queue tcp_rcv_established tcp_v4_do_rcv tcp_v4_rcv ip_protocol_deliver_rcu ip_local_deliver_finish __netif_receive_skb_one_core netif_receive_skb rtl8139_poll 8139too __napi_poll net_rx_action __do_softirq __irq_exit_rcu common_interrupt The calling function - mptcp_subflow_data_available() - can be invoked from different contexts: - plain ssk socket lock - ssk socket lock + mptcp_data_lock - ssk socket lock + mptcp_data_lock + msk socket lock. Since subflow_error_report() tries to acquire the mptcp_data_lock, the latter two call chains will cause soft lookup. This change addresses the issue moving the error reporting call to outer functions, where the held locks list is known and the we can acquire only the needed one. Reported-by: Maxim Galaganov Fixes: 15cc10453398 ("mptcp: deliver ssk errors to msk") Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/199 Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/mptcp/protocol.c | 9 ++++++ net/mptcp/subflow.c | 75 +++++++++++++++++++++++--------------------- 2 files changed, 48 insertions(+), 36 deletions(-) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 78152b0820ce..d8187ac06539 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -699,6 +699,12 @@ static bool move_skbs_to_msk(struct mptcp_sock *msk, struct sock *ssk) __mptcp_move_skbs_from_subflow(msk, ssk, &moved); __mptcp_ofo_queue(msk); + if (unlikely(ssk->sk_err)) { + if (!sock_owned_by_user(sk)) + __mptcp_error_report(sk); + else + set_bit(MPTCP_ERROR_REPORT, &msk->flags); + } /* If the moves have caught up with the DATA_FIN sequence number * it's time to ack the DATA_FIN and change socket state, but @@ -1932,6 +1938,9 @@ static bool __mptcp_move_skbs(struct mptcp_sock *msk) done = __mptcp_move_skbs_from_subflow(msk, ssk, &moved); mptcp_data_unlock(sk); tcp_cleanup_rbuf(ssk, moved); + + if (unlikely(ssk->sk_err)) + __mptcp_error_report(sk); unlock_sock_fast(ssk, slowpath); } while (!done); diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 98a5a68ec15d..d6d8ad4f918e 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1033,7 +1033,6 @@ fallback: * subflow_error_report() will introduce the appropriate barriers */ ssk->sk_err = EBADMSG; - ssk->sk_error_report(ssk); tcp_set_state(ssk, TCP_CLOSE); tcp_send_active_reset(ssk, GFP_ATOMIC); WRITE_ONCE(subflow->data_avail, 0); @@ -1086,41 +1085,6 @@ void mptcp_space(const struct sock *ssk, int *space, int *full_space) *full_space = tcp_full_space(sk); } -static void subflow_data_ready(struct sock *sk) -{ - struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); - u16 state = 1 << inet_sk_state_load(sk); - struct sock *parent = subflow->conn; - struct mptcp_sock *msk; - - msk = mptcp_sk(parent); - if (state & TCPF_LISTEN) { - /* MPJ subflow are removed from accept queue before reaching here, - * avoid stray wakeups - */ - if (reqsk_queue_empty(&inet_csk(sk)->icsk_accept_queue)) - return; - - set_bit(MPTCP_DATA_READY, &msk->flags); - parent->sk_data_ready(parent); - return; - } - - WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable && - !subflow->mp_join && !(state & TCPF_CLOSE)); - - if (mptcp_subflow_data_available(sk)) - mptcp_data_ready(parent, sk); -} - -static void subflow_write_space(struct sock *ssk) -{ - struct sock *sk = mptcp_subflow_ctx(ssk)->conn; - - mptcp_propagate_sndbuf(sk, ssk); - mptcp_write_space(sk); -} - void __mptcp_error_report(struct sock *sk) { struct mptcp_subflow_context *subflow; @@ -1161,6 +1125,43 @@ static void subflow_error_report(struct sock *ssk) mptcp_data_unlock(sk); } +static void subflow_data_ready(struct sock *sk) +{ + struct mptcp_subflow_context *subflow = mptcp_subflow_ctx(sk); + u16 state = 1 << inet_sk_state_load(sk); + struct sock *parent = subflow->conn; + struct mptcp_sock *msk; + + msk = mptcp_sk(parent); + if (state & TCPF_LISTEN) { + /* MPJ subflow are removed from accept queue before reaching here, + * avoid stray wakeups + */ + if (reqsk_queue_empty(&inet_csk(sk)->icsk_accept_queue)) + return; + + set_bit(MPTCP_DATA_READY, &msk->flags); + parent->sk_data_ready(parent); + return; + } + + WARN_ON_ONCE(!__mptcp_check_fallback(msk) && !subflow->mp_capable && + !subflow->mp_join && !(state & TCPF_CLOSE)); + + if (mptcp_subflow_data_available(sk)) + mptcp_data_ready(parent, sk); + else if (unlikely(sk->sk_err)) + subflow_error_report(sk); +} + +static void subflow_write_space(struct sock *ssk) +{ + struct sock *sk = mptcp_subflow_ctx(ssk)->conn; + + mptcp_propagate_sndbuf(sk, ssk); + mptcp_write_space(sk); +} + static struct inet_connection_sock_af_ops * subflow_default_af_ops(struct sock *sk) { @@ -1469,6 +1470,8 @@ static void subflow_state_change(struct sock *sk) */ if (mptcp_subflow_data_available(sk)) mptcp_data_ready(parent, sk); + else if (unlikely(sk->sk_err)) + subflow_error_report(sk); subflow_sched_work_if_closed(mptcp_sk(parent), sk); -- 2.30.2