Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1352742iof; Tue, 7 Jun 2022 04:03:14 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxzq3U6bm470ZlPQlO6jkAGqiLGdZHH7TG9I3srVXmFslE+JHz6mbL9kwPtTucUNJw14+1D X-Received: by 2002:a62:b802:0:b0:51b:f4d2:65be with SMTP id p2-20020a62b802000000b0051bf4d265bemr17195306pfe.79.1654599794396; Tue, 07 Jun 2022 04:03:14 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654599794; cv=none; d=google.com; s=arc-20160816; b=AzRrKTZF+qjEgTmKPmlw8yy6aFrYhswi8ilkxwsyGNmRnhNMxgxzqv+Eq90JJR17do T27wo/AqYbyC59ej9b6DM4sSE8vLxXCxThR3pUqItGOsJ+GqdzJ8vGUCQiyX7lq8bnvU I1mWpTte0Kiwv8rQdJZjNx/UoRJ3WtUxf5BLM0AiKp5MDhFIkVBnPBHKs4c5SAN1HcuG 3PwslFhaF/UCbjFdSYce3y041fnliG11YHorQSwU3WQNtKBTeZ16yNaSGMDhXuT44rml WF1gDGxypz1hZRgn+wdeDhbegYWONrk+7keY1pymVuRnlx1T8PkmMaBxNTsCFJvu0IE2 PVYw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:to:references:message-id :content-transfer-encoding:cc:date:in-reply-to:from:subject :mime-version; bh=Me9Fh2BlHNAI4IkU52DdyoDHB7o/LY+XG1q6D9I/fRI=; b=QH50xakOjgJwPfwg25spRDwdjDz38/CRg3kx5e4jHC5j5IckWzdmxrqfx8FyiNl/4F /7CKYoQO784BgAZIRW/dCL8gm7Yr4duZhzWIs3WCPcEhX25ukwYvbYlL5bIXKf16ztW2 q2vqjGLqee45NAzhozGbeNwA9JfRjuXVap4woRQEzuQYJ2G1UVT3aSTcqM/MUTrAnWtu NB8q/cyIoqXdP//yFP//fsxlduklJ6OjR/CEID+UCbdWZCn5O/s5ymm1pbYLAtPhKhlE MZQsTkR6gtDVFl51Iws2y7KCx7d8zhCh6CLiXrCSSldJpj/JRj9MJm8ja8Vd0jihiXgm JLNQ== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id b13-20020a6541cd000000b003c67d44fe78si22035242pgq.437.2022.06.07.04.02.59; Tue, 07 Jun 2022 04:03:14 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S239313AbiFGJXu convert rfc822-to-8bit (ORCPT + 99 others); Tue, 7 Jun 2022 05:23:50 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:59814 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S239008AbiFGJXp (ORCPT ); Tue, 7 Jun 2022 05:23:45 -0400 X-Greylist: delayed 519 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Tue, 07 Jun 2022 02:23:43 PDT Received: from einhorn-mail-out.in-berlin.de (einhorn.in-berlin.de [192.109.42.8]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 331BE37BE7 for ; Tue, 7 Jun 2022 02:23:42 -0700 (PDT) X-Envelope-From: thomas@osterried.de Received: from x-berg.in-berlin.de (x-change.in-berlin.de [217.197.86.40]) by einhorn.in-berlin.de with ESMTPS id 2579Eat51498908 (version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NOT); Tue, 7 Jun 2022 11:14:36 +0200 Received: from x-berg.in-berlin.de ([217.197.86.42] helo=smtpclient.apple) by x-berg.in-berlin.de with esmtpa (Exim 4.94.2) (envelope-from ) id 1nyVIJ-0001s8-OQ; Tue, 07 Jun 2022 11:14:35 +0200 Content-Type: text/plain; charset=us-ascii Mime-Version: 1.0 (Mac OS X Mail 16.0 \(3696.100.31\)) Subject: Re: [PATCH net-next] ax25: Fix deadlock caused by skb_recv_datagram in ax25_recvmsg From: Thomas Osterried In-Reply-To: Date: Tue, 7 Jun 2022 11:14:34 +0200 Cc: Duoming Zhou , LKML , jreuter@yaina.de, =?utf-8?Q?Ralf_B=C3=A4chle_DL5RB?= , David Miller , Jakub Kicinski , Paolo Abeni , netdev , linux-hams@vger.kernel.org Content-Transfer-Encoding: 8BIT Message-Id: References: <20220606162138.81505-1-duoming@zju.edu.cn> To: Eric Dumazet X-Mailer: Apple Mail (2.3696.100.31) X-Spam-Status: No, score=-2.6 required=5.0 tests=BAYES_00,RCVD_IN_DNSWL_LOW, RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,SPF_NONE, T_SCC_BODY_TEXT_LINE autolearn=unavailable autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org > Am 06.06.2022 um 19:31 schrieb Eric Dumazet : > > On Mon, Jun 6, 2022 at 9:21 AM Duoming Zhou wrote: >> >> The skb_recv_datagram() in ax25_recvmsg() will hold lock_sock >> and block until it receives a packet from the remote. If the client >> doesn`t connect to server and calls read() directly, it will not >> receive any packets forever. As a result, the deadlock will happen. >> >> The fail log caused by deadlock is shown below: >> >> [ 861.122612] INFO: task ax25_deadlock:148 blocked for more than 737 seconds. >> [ 861.124543] "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message. >> [ 861.127764] Call Trace: >> [ 861.129688] >> [ 861.130743] __schedule+0x2f9/0xb20 >> [ 861.131526] schedule+0x49/0xb0 >> [ 861.131640] __lock_sock+0x92/0x100 >> [ 861.131640] ? destroy_sched_domains_rcu+0x20/0x20 >> [ 861.131640] lock_sock_nested+0x6e/0x70 >> [ 861.131640] ax25_sendmsg+0x46/0x420 >> [ 861.134383] ? ax25_recvmsg+0x1e0/0x1e0 >> [ 861.135658] sock_sendmsg+0x59/0x60 >> [ 861.136791] __sys_sendto+0xe9/0x150 >> [ 861.137212] ? __schedule+0x301/0xb20 >> [ 861.137710] ? __do_softirq+0x4a2/0x4fd >> [ 861.139153] __x64_sys_sendto+0x20/0x30 >> [ 861.140330] do_syscall_64+0x3b/0x90 >> [ 861.140731] entry_SYSCALL_64_after_hwframe+0x46/0xb0 >> [ 861.141249] RIP: 0033:0x7fdf05ee4f64 >> [ 861.141249] RSP: 002b:00007ffe95772fc0 EFLAGS: 00000246 ORIG_RAX: 000000000000002c >> [ 861.141249] RAX: ffffffffffffffda RBX: 0000565303a013f0 RCX: 00007fdf05ee4f64 >> [ 861.141249] RDX: 0000000000000005 RSI: 0000565303a01678 RDI: 0000000000000005 >> [ 861.141249] RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000 >> [ 861.141249] R10: 0000000000000000 R11: 0000000000000246 R12: 0000565303a00cf0 >> [ 861.141249] R13: 00007ffe957730e0 R14: 0000000000000000 R15: 0000000000000000 >> >> This patch moves the skb_recv_datagram() before lock_sock() in order >> that other functions that need lock_sock could be executed. >> > > > Why is this targeting net-next tree ? Off-topic question for better understanding: when patches go to netdev, when to net-next tree? Ah, found explanation it here (mentioning it for our readers at linux-hams@): https://www.kernel.org/doc/Documentation/networking/netdev-FAQ.txt > 1) A fix should target net tree > 2) It should include a Fixes: tag tnx for info. "Fix" in subject is not enough? > Also: > - this patch bypasses tests in ax25_recvmsg() > - This might break applications depending on blocking read() operations. We have discussed and verified it. We had a deadlock problem (during concurrent read/write), found by Thomas Habets, in https://marc.info/?l=linux-hams&m=159319049624305&w=2 Duoming found a second problem with current ax.25 implementation, that causes deadlock not only for the userspace program Thomas had, but also in the kernel. Thomas' patch did not made it to the git kernel net, because the testing bot complained that there was no "goto out:" left, for label "out:". Furhermore, before the test if (sk->sk_type == SOCK_SEQPACKET && sk->sk_state != TCP_ESTABLISHED) { it's useful to do lock_sock(sk); After reading through the documentation in the code above the skb_recv_datagram() function, it should be safe to use this function without locking. That's why we moved it to the top of ax25_recvmsg(). > I feel a real fix is going to be slightly more difficult than that. It's interesting to see how other kernel drivers use skb_recv_datagram(). Many have copied the code of others. But in the end, there are various variants: af_x25.c (for X.25) does it this way: lock_sock(sk); if (x25->neighbour == NULL) goto out; .. if (sk->sk_state != TCP_ESTABLISHED) goto out; .. release_sock(sk); skb = skb_recv_datagram(sk, flags & ~MSG_DONTWAIT, flags & MSG_DONTWAIT, &rc); lock_sock(sk); -> They lock for sk->sk_state tests, and then release lock for skb_recv_datagram() unix.c does it with a local lock in the unix socket struct: mutex_lock(&u->iolock); skb = skb_recv_datagram(sk, 0, 1, &err); mutex_unlock(&u->iolock); if (!skb) return err; netrom/af_netrom.c: It may have the same "deadlog hang" like af_ax25.c that Thomas observed. -> may also be needed to fix. rose/af_rose.c: does not use any locks (!) vy 73, - Thomas dl9sau > > > Thank you > >> Reported-by: Thomas Habets >> Signed-off-by: Duoming Zhou >> --- >> net/ax25/af_ax25.c | 11 ++++++----- >> 1 file changed, 6 insertions(+), 5 deletions(-) >> >> diff --git a/net/ax25/af_ax25.c b/net/ax25/af_ax25.c >> index 95393bb2760..02cd6087512 100644 >> --- a/net/ax25/af_ax25.c >> +++ b/net/ax25/af_ax25.c >> @@ -1665,6 +1665,11 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, >> int copied; >> int err = 0; >> >> + /* Now we can treat all alike */ >> + skb = skb_recv_datagram(sk, flags, &err); >> + if (!skb) >> + goto done; >> + >> lock_sock(sk); >> /* >> * This works for seqpacket too. The receiver has ordered the >> @@ -1675,11 +1680,6 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, >> goto out; >> } >> >> - /* Now we can treat all alike */ >> - skb = skb_recv_datagram(sk, flags, &err); >> - if (skb == NULL) >> - goto out; >> - >> if (!sk_to_ax25(sk)->pidincl) >> skb_pull(skb, 1); /* Remove PID */ >> >> @@ -1725,6 +1725,7 @@ static int ax25_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, >> out: >> release_sock(sk); >> >> +done: >> return err; >> } >> >> -- >> 2.17.1 >> >